Unauthenticated remote code execution flaw in Magento and Adobe Commerce via PolyShell polyglot uploads
Summary
Since mid-March 2026, a critical unauthenticated remote code execution flaw named PolyShell has affected all supported versions of Magento Open Source and Adobe Commerce (version 2), enabling attackers to upload polyglot files via the REST API and achieve code execution. Adobe has only released a patch in the alpha release of version 2.4.9, leaving production deployments vulnerable. Exploitation is now actively occurring in the wild, with mass scanning activity since March 19, 2026, and successful compromises detected in 56.7% of all vulnerable stores. A new wave of attacks injects a 1x1-pixel SVG element with an onload handler containing a base64-encoded skimmer payload, executed via setTimeout to avoid detection. The malware intercepts checkout clicks, displays a fake 'Secure Checkout' overlay with card and billing fields, and validates payment data in real time using the Luhn algorithm. Stolen data is exfiltrated to six exfiltration domains hosted at IncogNet LLC in the Netherlands via XOR-encrypted, base64-obfuscated JSON. Indicators of compromise include the _mgx_cv key in browser localStorage and requests to /fb_metrics.php. Adobe has not yet released a production patch, and sixteen exfiltration domains and IP address 23.137.249.67 are now associated with these attacks.
Timeline
- 19.03.2026 22:01 · 3 articles · 21d ago
PolyShell vulnerability disclosed in Magento and Adobe Commerce leading to unauthenticated RCE and XSS
All supported versions of Magento Open Source and Adobe Commerce (version 2) are affected by an unauthenticated file upload flaw in the REST API custom options, enabling polyglot file execution. Adobe’s patch is currently available only in the alpha release of version 2.4.9, leaving production environments vulnerable. Attackers can upload malicious polyglot files to pub/media/custom_options/quote/ which, depending on web server configuration, may result in remote code execution or stored cross-site scripting. Public exploit methods are circulating, and widespread automated attacks are anticipated. Mass exploitation is now underway, with over 50 IP addresses scanning for vulnerable targets since March 19, 2026; compromises have been observed in 56.7% of vulnerable stores. The latest campaign injects a 1x1-pixel SVG element with an onload handler containing a base64-encoded skimmer payload, executed via setTimeout to avoid detection. When unsuspecting buyers click checkout on compromised stores, a malicious script intercepts the click and displays a fake 'Secure Checkout' overlay that includes card details fields and a billing form. Payment data submitted on this page is validated in real time using a Luhn check and exfiltrated to six exfiltration domains hosted at IncogNet LLC (AS40663) in the Netherlands, each receiving data from 10 to 15 confirmed victims. Indicators of compromise include the _mgx_cv key in browser localStorage and requests to /fb_metrics.php. Adobe has still not released a production patch as of April 8, 2026, with fixes only available in version 2.4.9-alpha3+.
Sources:
- New ‘PolyShell’ flaw allows unauthenticated RCE on Magento e-stores — www.bleepingcomputer.com — 19.03.2026 22:01
- WebRTC Skimmer Bypasses CSP to Steal Payment Data from E-Commerce Sites — thehackernews.com — 26.03.2026 08:53
- Hackers use pixel-large SVG trick to hide credit card stealer — www.bleepingcomputer.com — 09.04.2026 01:34
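The flaw described above turns on files that pass as images yet carry script content, written under pub/media/custom_options/quote/. The following audit script is an added example, not code from Sansec, Adobe or the Magento project: it assumes uploads land in that directory, checks each file's leading bytes against known image magic numbers, scans the body for PHP and script markers an image never needs, and flags script-like extensions anywhere in the file name. The sample files it creates are constructed and inert; the verdict names (polyglot, script, suspicious-name, unknown, clean) are this example's own.

```python
"""Audit a Magento custom-options upload directory for polyglot files.

Added example (not Sansec's, Adobe's or Magento's code). Assumes uploads live in
pub/media/custom_options/quote/, the path named in the write-up.
"""
import os
import re
import tempfile
from typing import Dict, List, Optional

# Leading bytes of the raster formats a product-option upload is expected to be.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# Content that an image (or a benign SVG) never needs; each hit is labelled.
SCRIPT_MARKERS = [
    (re.compile(rb"<\?php", re.I), "php open tag"),
    (re.compile(rb"<\?=", re.I), "php short echo tag"),
    (re.compile(rb"<script\b", re.I), "script element"),
    (re.compile(rb"\bon(load|error|click)\s*=", re.I), "inline event handler"),
]

# Extensions a misconfigured web server might hand to an interpreter (assumed list).
SCRIPT_EXTENSIONS = {"php", "phtml", "phar", "php5", "php7"}


def image_kind(data: bytes) -> Optional[str]:
    """Return the image type implied by the leading bytes, or None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    if b"<svg" in data[:1024].lower():
        return "svg"
    return None


def classify(name: str, data: bytes) -> Dict[str, object]:
    """Classify one upload by header, body markers and file name."""
    kind = image_kind(data)
    hits: List[str] = [label for rx, label in SCRIPT_MARKERS if rx.search(data)]
    # A script-like extension anywhere after the first dot (covers x.php.jpg names).
    bad_ext = [p for p in name.lower().split(".")[1:] if p in SCRIPT_EXTENSIONS]
    if hits and kind is not None:
        verdict = "polyglot"         # valid image header plus executable content
    elif hits:
        verdict = "script"           # executable content without an image header
    elif bad_ext:
        verdict = "suspicious-name"  # image content, but a name a server might execute
    elif kind is None:
        verdict = "unknown"          # not a recognised image at all; review manually
    else:
        verdict = "clean"
    return {"verdict": verdict, "kind": kind, "hits": hits, "bad_ext": bad_ext}


def scan_directory(root: str) -> Dict[str, Dict[str, object]]:
    """Classify every file below root, keyed by path relative to root."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            findings[rel] = classify(fn, data)
    return findings


# Constructed sample uploads; none is a working payload.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
    "wrapped.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32 + b"<?php /* constructed marker */ ?>",
    "logo.svg": b'<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1" onload="x()"/>',
    "renamed.php.jpg": b"GIF89a" + b"\x00" * 16,
    "notes.txt": b"plain text, not an image",
}


def demo() -> Dict[str, str]:
    """Write the samples to a temporary quote/ directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        quote_dir = os.path.join(tmp, "pub", "media", "custom_options", "quote")
        os.makedirs(quote_dir)
        for name, data in SAMPLES.items():
            with open(os.path.join(quote_dir, name), "wb") as fh:
                fh.write(data)
        report = scan_directory(quote_dir)
    return {name: str(r["verdict"]) for name, r in report.items()}


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{verdict:15} {name}")
```

Run it against a real store by calling scan_directory with the absolute path of pub/media/custom_options/quote/; anything other than clean deserves a look, and an unknown verdict on a directory that should only hold product-option images is itself a signal.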
Information Snippets
- PolyShell affects all stable versions of Magento Open Source and Adobe Commerce (version 2) due to improper handling of file uploads in the REST API custom options for cart items.
  First reported: 19.03.2026 22:01 · 2 sources, 3 articles. Sources:
- New ‘PolyShell’ flaw allows unauthenticated RCE on Magento e-stores — www.bleepingcomputer.com — 19.03.2026 22:01
- WebRTC Skimmer Bypasses CSP to Steal Payment Data from E-Commerce Sites — thehackernews.com — 26.03.2026 08:53
- Hackers use pixel-large SVG trick to hide credit card stealer — www.bleepingcomputer.com — 09.04.2026 01:34
- The vulnerability allows unauthenticated attackers to upload polyglot files that function as both images and scripts, written to pub/media/custom_options/quote/ on the server.
  First reported: 19.03.2026 22:01 · 1 source, 2 articles. Sources:
- New ‘PolyShell’ flaw allows unauthenticated RCE on Magento e-stores — www.bleepingcomputer.com — 19.03.2026 22:01
- Hackers use pixel-large SVG trick to hide credit card stealer — www.bleepingcomputer.com — 09.04.2026 01:34
- Depending on web server configuration (e.g., Apache or nginx), exploitation can lead to remote code execution (RCE) or account takeover via stored cross-site scripting (XSS).
  First reported: 19.03.2026 22:01 · 1 source, 2 articles. Sources:
- New ‘PolyShell’ flaw allows unauthenticated RCE on Magento e-stores — www.bleepingcomputer.com — 19.03.2026 22:01
- Hackers use pixel-large SVG trick to hide credit card stealer — www.bleepingcomputer.com — 09.04.2026 01:34
- Adobe has released a patch only in the alpha release of version 2.4.9; production versions remain vulnerable.
  First reported: 19.03.2026 22:01 · 2 sources, 3 articles. Sources:
- New ‘PolyShell’ flaw allows unauthenticated RCE on Magento e-stores — www.bleepingcomputer.com — 19.03.2026 22:01
- WebRTC Skimmer Bypasses CSP to Steal Payment Data from E-Commerce Sites — thehackernews.com — 26.03.2026 08:53
- Hackers use pixel-large SVG trick to hide credit card stealer — www.bleepingcomputer.com — 09.04.2026 01:34
- Sansec reports that many Magento and Adobe Commerce stores expose files in the upload directory, enabling potential exploitation without additional restrictions.
  First reported: 19.03.2026 22:01 · 1 source, 2 articles. Sources:
- New ‘PolyShell’ flaw allows unauthenticated RCE on Magento e-stores — www.bleepingcomputer.com — 19.03.2026 22:01
- Hackers use pixel-large SVG trick to hide credit card stealer — www.bleepingcomputer.com — 09.04.2026 01:34
- Sansec and BleepingComputer note that exploit methods are already circulating, and automated attacks are expected to increase following public disclosure.
  First reported: 19.03.2026 22:01 · 1 source, 2 articles. Sources:
- New ‘PolyShell’ flaw allows unauthenticated RCE on Magento e-stores — www.bleepingcomputer.com — 19.03.2026 22:01
- Hackers use pixel-large SVG trick to hide credit card stealer — www.bleepingcomputer.com — 09.04.2026 01:34
- PolyShell is being actively exploited in the wild with mass scanning activity involving over 50 IP addresses since March 19, 2026.
  First reported: 26.03.2026 08:53 · 2 sources, 2 articles. Sources:
- WebRTC Skimmer Bypasses CSP to Steal Payment Data from E-Commerce Sites — thehackernews.com — 26.03.2026 08:53
- Hackers use pixel-large SVG trick to hide credit card stealer — www.bleepingcomputer.com — 09.04.2026 01:34
- Attackers are compromising 56.7% of all vulnerable Magento/Adobe Commerce stores through PolyShell.
  First reported: 26.03.2026 08:53 · 2 sources, 2 articles. Sources:
- WebRTC Skimmer Bypasses CSP to Steal Payment Data from E-Commerce Sites — thehackernews.com — 26.03.2026 08:53
- Hackers use pixel-large SVG trick to hide credit card stealer — www.bleepingcomputer.com — 09.04.2026 01:34
- A new WebRTC-based payment skimmer leverages PolyShell to bypass CSP and exfiltrate payment data via encrypted UDP port 3479 to IP address 202.181.177[.]177.
  First reported: 26.03.2026 08:53 · 2 sources, 2 articles. Sources:
- WebRTC Skimmer Bypasses CSP to Steal Payment Data from E-Commerce Sites — thehackernews.com — 26.03.2026 08:53
- Hackers use pixel-large SVG trick to hide credit card stealer — www.bleepingcomputer.com — 09.04.2026 01:34
- Adobe released a patch for PolyShell in version 2.4.9-beta1 on March 10, 2026, though production versions remain vulnerable.
  First reported: 26.03.2026 08:53 · 2 sources, 2 articles. Sources:
- WebRTC Skimmer Bypasses CSP to Steal Payment Data from E-Commerce Sites — thehackernews.com — 26.03.2026 08:53
- Hackers use pixel-large SVG trick to hide credit card stealer — www.bleepingcomputer.com — 09.04.2026 01:34
- Exploitation of PolyShell is now confirmed to involve injection of a 1x1-pixel SVG element with an onload handler containing a base64-encoded skimmer payload executed via setTimeout to avoid detection.
  First reported: 09.04.2026 01:34 · 1 source, 1 article. Sources:
- Hackers use pixel-large SVG trick to hide credit card stealer — www.bleepingcomputer.com — 09.04.2026 01:34
- The malicious SVG skimmer intercepts checkout clicks, displays a fake 'Secure Checkout' overlay with card and billing fields, and validates payment data in real time using the Luhn algorithm.
  First reported: 09.04.2026 01:34 · 1 source, 1 article. Sources:
- Hackers use pixel-large SVG trick to hide credit card stealer — www.bleepingcomputer.com — 09.04.2026 01:34
- Stolen payment data is exfiltrated via XOR-encrypted, base64-obfuscated JSON to six exfiltration domains hosted at IncogNet LLC (AS40663) in the Netherlands, each receiving data from 10 to 15 victims.
  First reported: 09.04.2026 01:34 · 1 source, 1 article. Sources:
- Hackers use pixel-large SVG trick to hide credit card stealer — www.bleepingcomputer.com — 09.04.2026 01:34
- The _mgx_cv key in browser localStorage indicates potential payment data theft.
  First reported: 09.04.2026 01:34 · 1 source, 1 article. Sources:
- Hackers use pixel-large SVG trick to hide credit card stealer — www.bleepingcomputer.com — 09.04.2026 01:34
- Adobe has not released a production patch for PolyShell as of April 8, 2026; only fixes in version 2.4.9-alpha3+ are available.
  First reported: 09.04.2026 01:34 · 1 source, 1 article. Sources:
- Hackers use pixel-large SVG trick to hide credit card stealer — www.bleepingcomputer.com — 09.04.2026 01:34
- Sixteen exfiltration domains and IP address 23.137.249.67 are associated with the latest campaign.
  First reported: 09.04.2026 01:34 · 1 source, 1 article. Sources:
- Hackers use pixel-large SVG trick to hide credit card stealer — www.bleepingcomputer.com — 09.04.2026 01:34
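The snippets above give a defender a small, concrete indicator set for the skimmer stage: a 1x1 SVG whose onload handler hides a base64 blob run through setTimeout, the _mgx_cv localStorage key, requests to /fb_metrics.php, and the two IP addresses. The script below is an added example, not code from Sansec, BleepingComputer or Adobe. It scans storefront HTML for SVG elements matching that shape (decoding any base64 run inside the handler so the markers can be matched after decoding) and scans Apache/nginx combined-format access log lines for the listed path and addresses. The HTML and log lines it uses are constructed, and the base64 blob decodes to an inert marker string, not a payload; the exfiltration domain names are not on the page and are therefore not included.

```python
"""Flag PolyShell-campaign skimmer indicators in storefront HTML and access logs.

Added example, not code from Sansec, BleepingComputer or Adobe. Only the
indicators named in the write-up are used; the samples are constructed.
"""
import base64
import re
from html.parser import HTMLParser
from typing import Dict, List

IOC_PATHS = {"/fb_metrics.php"}
IOC_STORAGE_KEYS = ("_mgx_cv",)
IOC_IPS = {"23.137.249.67", "202.181.177.177"}
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # long base64-looking runs only


class SvgCollector(HTMLParser):
    """Collect the attributes of every <svg> start tag in a document."""

    def __init__(self) -> None:
        super().__init__()
        self.svgs: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svgs.append({k: (v or "") for k, v in attrs})


def _dimension(attrs: Dict[str, str], name: str):
    """Pixel size from a width=/height= attribute or the inline style, else None."""
    value = attrs.get(name)
    if value is None:
        m = re.search(name + r"\s*:\s*(\d+)", attrs.get("style", ""))
        value = m.group(1) if m else None
    m = re.search(r"\d+", value or "")
    return int(m.group(0)) if m else None


def is_tiny(attrs: Dict[str, str]) -> bool:
    w, h = _dimension(attrs, "width"), _dimension(attrs, "height")
    return w is not None and h is not None and w <= 1 and h <= 1


def decode_blobs(text: str) -> List[str]:
    """Decode every base64 run in text that validates; skip anything else."""
    out = []
    for m in B64_RUN.finditer(text):
        try:
            out.append(base64.b64decode(m.group(0), validate=True).decode("utf-8", "ignore"))
        except ValueError:  # binascii.Error is a ValueError
            continue
    return out


def inspect_html(html: str) -> List[Dict[str, object]]:
    """One finding per <svg> whose onload handler matches the campaign shape."""
    parser = SvgCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.svgs:
        onload = attrs.get("onload")
        if not onload:
            continue
        reasons = []
        if is_tiny(attrs):
            reasons.append("1x1 svg with onload")
        if re.search(r"\bsetTimeout\s*\(", onload):
            reasons.append("setTimeout in onload")
        blobs = decode_blobs(onload)
        if blobs:
            reasons.append("base64 blob in onload")
        haystack = onload + " " + " ".join(blobs)  # match markers before or after decoding
        reasons += [f"references {t}" for t in (*IOC_STORAGE_KEYS, *IOC_PATHS) if t in haystack]
        if reasons:
            findings.append({"size": (attrs.get("width"), attrs.get("height")), "reasons": reasons})
    return findings


LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def scan_access_log(lines) -> List[Dict[str, str]]:
    """Return requests whose path or client IP is a listed indicator."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        reason = "ioc path" if path in IOC_PATHS else "ioc ip" if m.group("ip") in IOC_IPS else None
        if reason:
            hits.append({"ip": m.group("ip"), "path": path, "reason": reason})
    return hits


# Constructed samples: the blob decodes to a comment-like marker, not a skimmer.
MARKER = "/* constructed marker, not a real skimmer */ _mgx_cv /fb_metrics.php"
BLOB = base64.b64encode(MARKER.encode()).decode()
SAMPLE_HTML = f"""<html><body>
<svg width="1" height="1" onload="setTimeout(function(){{ atob('{BLOB}') }}, 3000)"></svg>
<svg width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z"/></svg>
</body></html>"""
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Apr/2026:01:10:02 +0000] "GET /checkout/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [09/Apr/2026:01:10:09 +0000] "POST /fb_metrics.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Apr/2026:01:11:40 +0000] "GET /media/custom_options/quote/a.jpg HTTP/1.1" 200 800 "-" "curl/8.0"',
]

if __name__ == "__main__":
    print(inspect_html(SAMPLE_HTML))
    print(scan_access_log(SAMPLE_LOG))
```

Feed inspect_html the rendered checkout page as a real browser receives it (the injected SVG lives in served HTML, not necessarily in the repository), and feed scan_access_log the store's combined-format log; the _mgx_cv check on a customer's browser itself still has to be done client-side, which is why the HTML scan also looks for the key inside decoded handler content.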
Similar Happenings
Magecart skimmer leverages favicon EXIF steganography in web supply chain attack chain
A recently observed Magecart skimmer employs a three-stage loader chain that conceals its malicious payload within the EXIF metadata of a dynamically loaded favicon, executing entirely in the browser during checkout without ever residing in the merchant’s source code or repository. The attack abuses third-party CDN-hosted resources (legitimate-looking favicon paths) and leverages JavaScript obfuscation and dynamic script injection to retrieve and decode the payload from binary image data. Stolen payment data is exfiltrated directly from the victim’s browser to attacker-controlled infrastructure. This campaign highlights the operational blind spot of repository-centric static analysis tools, which cannot detect threats injected into third-party assets or embedded in runtime-executed binary metadata. The technique underscores the need for continuous client-side runtime monitoring as a critical control layer for web supply chain attacks.
Active Exploitation of Critical Adobe AEM Forms Misconfiguration
A critical misconfiguration flaw in Adobe Experience Manager (AEM) Forms on JEE versions 6.5.23.0 and earlier is under active exploitation. The flaw, CVE-2025-54253, allows arbitrary code execution via an exposed servlet. Adobe released a patch in August 2025. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies must apply the necessary fixes by November 5, 2025. The flaw was discovered by Adam Kues and Shubham Shah of Searchlight Cyber, who disclosed it to Adobe on April 28, 2025. The flaw is caused by an exposed /adminui/debug servlet that evaluates user-supplied OGNL expressions as Java code without authentication or input validation. This enables attackers to execute arbitrary system commands with a single crafted HTTP request. A proof-of-concept exploit is publicly available.
Client-Side JavaScript Security Gaps Exploited During Holiday Shopping Seasons
Unmonitored JavaScript in client-side environments poses a significant security risk, especially during the holiday shopping season. Attackers exploit these gaps to steal payment data, bypassing traditional security measures like WAFs and intrusion detection systems. The 2024 holiday season saw major attacks, including the Polyfill.io breach affecting over 500,000 websites and the Cisco Magecart attack targeting holiday shoppers. These incidents highlight the need for enhanced client-side security measures to protect against data theft and unauthorized script execution. The holiday season amplifies risks due to increased attack motivation, code freeze periods, third-party dependencies, and resource constraints. Effective client-side security involves deploying Content Security Policy (CSP), implementing Subresource Integrity (SRI), conducting regular script audits, and using client-side monitoring tools. Organizations must adapt their security strategies to include comprehensive monitoring and protection of the client environment to safeguard against these evolving threats.
Stripe iframe skimmer campaign exploits payment iframes
A sophisticated skimmer campaign targeting Stripe payment iframes has compromised 49 merchants. Attackers use malicious overlays to bypass security policies and steal credit card data. The campaign exploits vulnerabilities in the host page, highlighting the risks of third-party scripts and outdated security measures. The attack leverages deprecated APIs and injects malicious JavaScript through platforms like WordPress. It demonstrates the need for real-time monitoring and updated security policies to protect payment iframes. The campaign underscores the importance of securing the entire payment page, as mandated by PCI DSS 4.0.1. Organizations must implement strict CSP, advanced iframe monitoring, and secure postMessage handling to mitigate these risks.
Active exploitation of critical SessionReaper flaw in Adobe Commerce and Magento Open Source
Adobe Commerce and Magento Open Source platforms are under active exploitation by hackers targeting the critical SessionReaper vulnerability (CVE-2025-54236). The flaw, with a CVSS score of 9.1, allows unauthenticated attackers to take control of customer accounts through the Commerce REST API. The patch was released on September 9, 2025, following an emergency notification to selected customers on September 4, 2025. Despite the patch, hundreds of exploitation attempts have been recorded, with many stores remaining unpatched. Adobe Commerce on Cloud customers are already protected by a WAF rule. The patch disables certain internal Magento functionalities, potentially affecting custom or external code. The vulnerability impacts multiple versions of Adobe Commerce, Adobe Commerce B2B, and Magento Open Source, as well as the Custom Attributes Serializable module. Over 250 Magento stores were hit overnight as hackers exploited the flaw, with attacks originating from five specific IP addresses. The attacks involved dropping PHP webshells or probing phpinfo to extract PHP configuration information. Exploitation activity for SessionReaper began on October 23, 2025, coinciding with the release of a proof-of-concept exploit. The threat activity has extended to 97 different IP addresses, indicating multiple actors are running mass scanners. Sansec advises that the window for safe patching has effectively closed and expects mass exploitation within the next 48 hours.