Magento PolyShell Vulnerability: What It Is and How to Fix It Fast
March 30, 2026
A critical vulnerability affecting all Magento 2 and Adobe Commerce stores was discovered on March 17, 2026. The “PolyShell” vulnerability exploits a flaw in Magento’s REST API that lets unauthenticated users reach the custom_options and custom_addresses directories and upload malicious files. Attackers can then execute those files without holding valid credentials for the Magento admin or the web server.
As of April 1, 2026, Adobe has not released an official security patch that corrects this vulnerability in production environments. Once a server is compromised, sensitive data, including payment card information, customer account data, and order data, is exposed. Attackers can also launch follow-on attacks such as encrypting store data, running bot attacks, or planting additional backdoors for later access.
At CertiPro, our developers worked diligently to implement an immediate but temporary patch to protect our customers by creating a custom validation that blocks execution of code in these malicious files in affected directories. This patch was implemented shortly after the discovery of this issue for CertiPro clients.
We have since completed development of a permanent fix for this vulnerability with a new security patch for our Enhanced Security module. This patch resolves the vulnerability in the web server and entirely blocks bad actors’ access to the vulnerable upload directory, preventing unauthorized access.
If you’re running Magento and need help with our security, contact us to see what our expert team can do for you.
PolyShell is a flaw in Magento’s REST API file upload handling, discovered and named by the eCommerce security firm Sansec. The issue has existed since the earliest Magento 2 releases and impacts both Magento Open Source and Adobe Commerce installations.
The vulnerability allows attackers to upload a specially crafted “polyglot” file—a file that appears to be a harmless image but also contains executable code. Once uploaded, this file can act as a web shell, giving attackers remote access to the server without any login credentials.
Malicious actors can use the PolyShell exploit to inject a malicious payload into vulnerable Magento stores. Once executed, the payload can create a backdoor, allowing attackers to run commands, modify files, or gain persistent access to the server.
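The detection side of what the previous paragraphs describe, as an added example that is not CertiPro's module or Magento code: a scanner that walks the two upload directories named above and flags "image" files that carry a PHP open tag (the polyglot pattern) or an executable extension. The directory paths relative to the Magento root are assumptions; adjust them to your installation.

```python
import re
import sys
from pathlib import Path

# Magic numbers of the image formats a polyglot is likely to masquerade as.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# A PHP open tag anywhere in the body means the "image" also carries code.
# The pattern deliberately ignores "<?xml" so XMP/EXIF metadata does not trigger it.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)

# Extensions the web server may execute even without a polyglot trick.
EXEC_SUFFIXES = {".php", ".phtml", ".phar"}

# Upload directories named in the advisory; paths relative to the Magento root are assumed.
UPLOAD_DIRS = ("pub/media/custom_options", "pub/media/custom_addresses")


def detect_image_type(data: bytes):
    """Return the image format the header claims, or None if it is not an image."""
    for magic, name in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def is_polyglot(data: bytes) -> bool:
    """True when the bytes start like an image but also contain a PHP open tag."""
    return detect_image_type(data) is not None and PHP_TAG.search(data) is not None


def classify_file(name: str, data: bytes) -> str:
    """Label one upload: 'polyglot', 'executable-extension', or 'clean'."""
    if is_polyglot(data):
        return "polyglot"
    if Path(name).suffix.lower() in EXEC_SUFFIXES:
        return "executable-extension"
    return "clean"


def scan_upload_dirs(magento_root: str) -> list:
    """Return (path, label) pairs for every suspicious file under the upload directories."""
    findings = []
    for rel in UPLOAD_DIRS:
        base = Path(magento_root) / rel
        if not base.is_dir():
            continue
        for path in (p for p in base.rglob("*") if p.is_file()):
            label = classify_file(path.name, path.read_bytes())
            if label != "clean":
                findings.append((str(path), label))
    return findings


if __name__ == "__main__":
    for path, label in scan_upload_dirs(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"SUSPICIOUS [{label}]: {path}")
```

Run it from the Magento root (or pass the root as the first argument) and review every flagged file; a hit in either directory is a strong indicator of the compromise signs discussed later on this page.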
Currently, all versions of Magento 2 Open Source and Adobe Commerce are exposed to the vulnerability. Adobe has addressed it in the Magento 2.4.9 pre-release branches, but no standalone patch is currently available for production versions such as 2.4.8 and below.
If exploited, the Magento PolyShell vulnerability can lead to several different types of security risks.
These include:
While no official fix has been released by Adobe, our developers have created a patch within our Enhanced Security module to keep our customers as secure as possible. Our security module is part of our Magento Maintenance program, which gives subscribers security optimization automatically, and CertiPro will also offer this module as an option for Magento store owners who want an added layer of protection.
Additional steps store owners should take are:
Some common signs that your Magento store has been compromised include:
Magento stores handle sensitive customer and payment data. A single vulnerability like PolyShell can result in financial loss, legal exposure, and damage to brand reputation, making proactive security essential.
Yes, we recommend working with expert Magento developers like our team at CertiPro. We can help identify hidden backdoors, ensure complete cleanup, and strengthen your store against future attacks.