PolyShell Vulnerability Is Being Mass Exploited
PolyShell is a newly discovered vulnerability in Magento Open Source and Adobe Commerce. It affects stable 2.x installations and lets an unauthenticated attacker execute malicious code and take over user accounts.
Adobe issued a fix, but only in the second alpha release of version 2.4.9 (2.4.9-alpha2). The stable releases that stores actually run in production were left exposed.
Researchers had already warned that an exploit method was circulating, even though there was initially no evidence of active abuse. That situation has now changed.
More Than Half of Vulnerable Stores Are Being Targeted
Researchers say PolyShell is now being used at scale against online stores. According to Sansec, mass exploitation began on March 19, and attacks were found on 56.7% of all vulnerable stores.
No raw number of affected sites was provided, but the scale of targeting points to a widespread campaign against exposed ecommerce environments.
What the Attacks Allow
The vulnerability gives attackers a path to run malicious code without authentication. From there, they can compromise accounts and deploy additional malicious tools on targeted stores.
That makes the issue especially serious for ecommerce operators, where compromised systems can expose both administrative control and payment-related activity.
A New WebRTC-Based Credit Card Skimmer Is Being Deployed
In some of these attacks, threat actors are installing a previously unseen credit card skimmer. The skimmer uses Web Real-Time Communication, or WebRTC, to exfiltrate data.
This stands out because WebRTC data channels carry traffic over DTLS-encrypted UDP rather than HTTP. Network controls that inspect or proxy HTTP(S) may not see it, and a strict Content Security Policy does not stop it either: connect-src restricts fetch, XMLHttpRequest, WebSocket and EventSource connections, not RTCPeerConnection. CSP Level 3 defines a separate webrtc directive (webrtc 'block') for exactly this case, but it only helps where the visitor's browser supports it.
How the Skimmer Works
The skimmer is built in JavaScript and connects to a hardcoded command-and-control server. From that server, it receives a second-stage payload.
This approach gives attackers a way to move stolen data through a channel that can better evade common monitoring and filtering methods.
High-Value Ecommerce Sites Have Already Been Hit
The skimmer was first spotted on an ecommerce website belonging to a carmaker valued at over $100 billion.
That detail suggests attackers are not limiting their efforts to small or obscure targets. The campaign is reaching high-value ecommerce environments as well.
Recommended Defensive Steps for Website Admins
Researchers previously advised website administrators to take several immediate steps to reduce risk on vulnerable stores:
- Restrict access to the pub/media/custom_options/ folder
- Verify that the nginx or Apache rules actually block that access
- Scan stores for uploaded malware
- Check for backdoors
These measures were recommended while production versions remained vulnerable and exploit activity was beginning to circulate.
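As an added example that is not part of the original article or of Adobe's or Sansec's guidance, the following POSIX shell script performs the two hands-on checks above offline: it confirms that an nginx configuration denies access to the custom_options path, and it scans the upload folder for files PHP could execute. The sample configurations, the upload tree and the planted files are constructed for illustration, and the file names and paths are assumptions to adapt to your deployment.

```shell
#!/bin/sh
# Added example, not from the article, Adobe or Sansec. Paths, sample
# configs and planted files below are constructed for illustration.

# Check 1: does this nginx config deny direct access to the custom_options
# upload path? Looks for a location block that names custom_options and
# either uses "deny all" or returns 403/404. Prints "blocked" or "open".
check_nginx_rule() {
    if awk '
        /location[^{]*custom_options/ { inblock = 1 }
        inblock && /deny[ \t]+all|return[ \t]+40[34]/ { found = 1 }
        inblock && /}/ { inblock = 0 }
        END { exit found ? 0 : 1 }
    ' "$1"; then
        echo blocked
    else
        echo open
    fi
}

# Check 2: list files under the upload folder that PHP could execute:
# PHP-family extensions (including double extensions like photo.jpg.php)
# and any file whose first 64 bytes contain a PHP open tag, so a tag
# hidden behind an image header is still caught. Prints relative paths.
scan_upload_dir() {
    dir="$1"
    find "$dir" -type f | while IFS= read -r f; do
        rel="${f#"$dir"/}"
        case "$f" in
            *.php|*.phtml|*.phar|*.php[0-9]) echo "$rel"; continue ;;
        esac
        if head -c 64 "$f" | grep -q '<?php'; then
            echo "$rel"
        fi
    done | sort
}

# Constructed fixture: one config missing the rule, one with a deny rule of
# the kind Magento's nginx.conf.sample carries for this path, and an upload
# tree with two planted files among legitimate ones. Echoes the directory.
make_fixture() {
    tmp=$(mktemp -d)
    cat > "$tmp/nginx-bad.conf" <<'EOF'
server {
    location /media/ { try_files $uri $uri/ /get.php$is_args$args; }
}
EOF
    cat > "$tmp/nginx-good.conf" <<'EOF'
server {
    location /media/custom_options/ { deny all; }
    location /media/ { try_files $uri $uri/ /get.php$is_args$args; }
}
EOF
    mkdir -p "$tmp/custom_options/quote"
    printf 'GIF89a legitimate image bytes' > "$tmp/custom_options/quote/logo.gif"
    printf '%%PDF-1.4 legitimate document' > "$tmp/custom_options/quote/terms.pdf"
    printf 'GIF89a<?php /* planted */ ?>' > "$tmp/custom_options/quote/photo.gif"
    printf '<?php /* planted */ ?>' > "$tmp/custom_options/quote/shell.jpg.php"
    echo "$tmp"
}

demo() {
    fx=$(make_fixture)
    echo "nginx-bad.conf:  $(check_nginx_rule "$fx/nginx-bad.conf")"
    echo "nginx-good.conf: $(check_nginx_rule "$fx/nginx-good.conf")"
    echo "suspicious uploads under custom_options:"
    scan_upload_dir "$fx/custom_options"
    rm -rf "$fx"
}

demo
```

Two caveats when using this against a real store. In nginx a regular-expression location (location ~ ...) declared elsewhere takes precedence over a prefix location such as /media/custom_options/, so a "blocked" result from the config check should still be confirmed by requesting a known file under that path and expecting a 403; the Apache equivalent lives in .htaccess rules and needs the same live request test. The directory scan is a triage aid for the upload folder only; it does not replace the full malware and backdoor scan the researchers recommend, which also has to cover application code, cron entries and the database.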
Why PolyShell Is a Serious Ecommerce Threat
PolyShell combines several dangerous elements in one attack chain: unauthenticated malicious code execution, account takeover, and the ability to deploy a stealthier payment skimmer.
For ecommerce stores, that means the risk is not only system compromise but also payment data theft through a method designed to slip past conventional web-focused controls.