Thousands of Magento Sites Hit in Ongoing Defacement Campaign

Magento powers millions of online storefronts, making it a lucrative target for cybercriminals. The recent wave of defacements demonstrates how a long‑standing unauthenticated file‑upload flaw can be weaponized at scale, allowing attackers to drop plaintext messages on subdomains, staging environments, and even production sites. By publishing under a consistent handle, the group seeks notoriety while testing the resilience of widely used e‑commerce platforms, from community editions to Adobe Commerce B2B solutions.

Security researchers at Sansec have now highlighted a complementary weakness dubbed PolyShell, residing in the Magento REST API. This bug permits unauthenticated uploads of executable code and has existed since Magento 2’s inception. Although no active exploitation has been observed, the vulnerability’s public disclosure and the circulation of exploit code suggest an imminent rise in automated attacks. Organizations running versions prior to 2.4.9‑alpha2 should treat this as a critical priority, even as Adobe prepares a fix in the upcoming pre‑release branch.

For businesses, the dual‑front threat underscores the need for a layered defense strategy. Immediate actions include applying Adobe’s latest patches, restricting file‑system permissions, and monitoring upload directories for anomalous files. Longer‑term measures involve implementing Web Application Firewalls, conducting regular code reviews, and adopting secure development lifecycles to mitigate similar flaws. As e‑commerce continues to expand, maintaining robust security hygiene will be pivotal in safeguarding revenue streams and preserving consumer trust.