Critical 'PolyShell' Vulnerability Imperils Adobe Commerce and Magento Open Source Installations
A newly discovered vulnerability, dubbed 'PolyShell,' poses a significant threat to **Adobe Commerce** and **Magento Open Source** version 2 installations. The flaw allows for unauthenticated remote code execution (RCE) and potential account takeover. While currently there are no confirmed instances of active exploitation, security experts anticipate imminent attacks.

### The 'PolyShell' Threat
The 'PolyShell' vulnerability affects all stable version 2 installations of both **Magento Open Source** and **Adobe Commerce**. According to **Sansec**, an eCommerce security firm, the exploit method is already circulating, raising concerns about a surge in automated attacks.
### Limited Patch Availability
Currently, a fix from **Adobe** is only available in the second alpha release for version 2.4.9. This leaves production versions vulnerable. **Sansec** notes that **Adobe** provides a "sample web server configuration that would largely limit the fallout," but many stores rely on configurations from their hosting providers.
### Root Cause Analysis
According to a recent **Sansec** report, the security issue stems from **Magento's** REST API, which accepts file uploads as part of the custom options of a cart item.
"When a product option has type 'file', **Magento** processes an embedded file_info object containing base64-encoded file data, a MIME type, and a filename. The file is written to pub/media/custom_options/quote/ on the server," the researchers explained.
### Polyglot File Exploitation
**Sansec** named the vulnerability "PolyShell" because it leverages a polyglot file that can function as both an image and a script, adding to the complexity of detection.
### Potential Impact: RCE and Account Takeover
Depending on the web server configuration, the flaw can lead to remote code execution (RCE) or account takeover via stored XSS, impacting a significant number of stores analyzed by **Sansec**.
"**Sansec** investigated all known **Magento** and **Adobe Commerce** stores and found that many stores expose files in the upload directory."
### Recommended Mitigation Steps
Until **Adobe** releases a patch for production versions, store administrators are advised to take the following immediate actions:
* Restrict access to `pub/media/custom_options/`.
* Verify that Nginx or Apache rules effectively prevent access to this directory.
* Scan stores for uploaded shells, backdoors, or other malware.
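The third step above, scanning the upload directory for planted files, can be automated. The following POSIX shell script is an added example written for this article; it is not Sansec's or Adobe's tooling. It assumes the Magento root is passed as its argument and that the upload path beneath it is `pub/media/custom_options/` as quoted in the report; it flags files whose bytes combine an image header with PHP or `<script>` content (the polyglot pattern described above), files with script content and no image header, and files with an executable extension. The fixture it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from Sansec, Adobe or the article: a detector for
# image/script polyglots dropped into Magento's custom-option upload directory.
# Assumptions (not from the page): the Magento root is $1 and uploads live in
# $1/pub/media/custom_options/; find, grep, od, tr and mktemp are available.

# Return 0 if the file starts with a PNG, GIF or JPEG signature, 1 otherwise.
has_image_magic() {
    sig=$(od -An -N4 -tx1 "$1" 2>/dev/null | tr -d ' \n')
    case "$sig" in
        89504e47) return 0 ;;   # PNG
        47494638) return 0 ;;   # GIF8
        ffd8ff*)  return 0 ;;   # JPEG (fourth byte is marker-dependent)
        *)        return 1 ;;
    esac
}

# Return 0 if the file body contains a PHP open tag or an HTML script tag.
has_script_payload() {
    grep -qiE '<\?php|<\?=|<script' "$1" 2>/dev/null
}

# Print one "<reason><TAB><path>" line per suspicious file under
# $1/pub/media/custom_options. Reasons: polyglot (image header plus script),
# script (script content, no image header), executable-extension.
scan_custom_options() {
    dir="$1/pub/media/custom_options"
    [ -d "$dir" ] || return 0
    find "$dir" -type f | while IFS= read -r f; do
        case "$f" in
            *.php|*.phtml|*.phar|*.php[0-9]) printf 'executable-extension\t%s\n' "$f" ;;
        esac
        if has_script_payload "$f"; then
            if has_image_magic "$f"; then
                printf 'polyglot\t%s\n' "$f"
            else
                printf 'script\t%s\n' "$f"
            fi
        fi
    done
}

# Build a constructed fixture in a temporary directory: a clean PNG header,
# a GIF/PHP polyglot, a PHP file disguised as a JPEG, and a GIF renamed .php.
# Prints the fixture root so the caller can scan and then remove it.
make_fixture() {
    root=$(mktemp -d)
    q="$root/pub/media/custom_options/quote"
    mkdir -p "$q"
    printf '\211PNG\r\n\032\n' > "$q/clean.png"
    printf 'GIF89a<?php /* constructed marker */ ?>' > "$q/poly.gif"
    printf '<?php /* constructed marker */ ?>' > "$q/notimage.jpg"
    printf 'GIF89a' > "$q/renamed.php"
    printf '%s\n' "$root"
}

# Usage: sh scan_custom_options.sh /path/to/magento
if [ -n "${1:-}" ]; then
    scan_custom_options "$1"
fi
```

Anything the script reports should be treated as evidence of a successful upload and handled as an incident, not simply deleted. The scan is a complement to, not a substitute for, the first two steps: the web server rule that denies script execution under `pub/media/custom_options/` is what stops an uploaded polyglot from being run or rendered in the first place.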
BleepingComputer has reached out to **Adobe** for comment regarding the timeline for a security update addressing PolyShell but has not yet received a response.