A Critical Moment for eCommerce Security
A newly disclosed vulnerability known as “PolyShell” is rapidly escalating into a widespread security crisis across the eCommerce ecosystem. Within days of public disclosure, attackers began exploiting the flaw at scale, putting thousands of online stores at risk. The situation highlights a growing gap between vulnerability disclosure and real-world patch deployment, where attackers often move faster than defenders.
Rapid Exploitation Across Magento Stores
Attacks targeting the PolyShell vulnerability in Magento Open Source and Adobe Commerce installations have intensified dramatically. Security researchers report that exploitation began just two days after the vulnerability became public, indicating how closely threat actors monitor new disclosures.
Within a week, over 56 percent of all vulnerable stores had already been targeted. This rapid adoption of the exploit demonstrates a highly organized and automated attack landscape, where scanning tools and exploit kits are deployed almost immediately after vulnerabilities are revealed.
The flaw resides in Magento’s REST API, specifically in how it handles file uploads within custom cart options. This mechanism allows attackers to upload specially crafted polyglot files. These files can bypass traditional validation checks and enable remote code execution or stored cross-site scripting attacks.
If successfully exploited, attackers can gain deep control over the affected system. This includes injecting malicious scripts, stealing user data, or even taking over administrative accounts, depending on server configuration and security posture.
Delayed Patch Availability Increases Risk
Although a fix was introduced in version 2.4.9 beta1 on March 10, 2026, it has not yet been released in a stable production version. This delay leaves a significant number of merchants exposed, especially those who rely on stable branches for operational consistency.
The absence of an immediate production-ready patch creates a dangerous window where attackers can operate freely. Many organizations hesitate to deploy beta updates in live environments, further prolonging their exposure to active threats.
Security researchers have also identified a set of IP addresses actively scanning for vulnerable Magento installations. This suggests coordinated reconnaissance efforts designed to identify and exploit targets at scale.
Emergence of a WebRTC-Based Skimmer
In parallel with PolyShell exploitation, researchers have uncovered a new type of payment card skimmer being deployed in some attacks. This skimmer introduces a novel technique by leveraging Web Real-Time Communication, or WebRTC, for data exfiltration.
Unlike traditional skimmers that rely on HTTP requests, this method uses encrypted UDP traffic through DTLS. This allows it to bypass many common security controls, including strict Content Security Policy rules that typically restrict outbound connections.
The skimmer operates as a lightweight JavaScript loader. It connects to a command-and-control server using a forged Session Description Protocol (SDP) exchange, effectively bypassing normal WebRTC signaling mechanisms.
Once connected, it receives a second-stage payload through the encrypted channel. The malware then executes while avoiding detection by reusing existing script nonces or falling back to unsafe execution methods. It even delays execution using browser idle callbacks to reduce the likelihood of being flagged by security tools.
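Because a checkout page normally has no reason to open a WebRTC peer connection at all, one practical detection is to wrap RTCPeerConnection on the page and report any use of it, including remote SDP that describes a data channel like the forged exchange described above. The code below is an added example written for this article, not the researchers’ or Magento’s code; the `report` callback and the `window`-like `scope` object are assumptions, and the sample SDP in the usage is constructed.

```javascript
// Summarize a remote SDP blob: does it describe a data channel, and which peer
// addresses appear in ICE candidate lines? Candidate line format (RFC 8839):
// a=candidate:<foundation> <component> <proto> <priority> <ip> <port> typ <type> ...
function summarizeSdp(sdp) {
  const candidates = [];
  let dataChannel = false;
  for (const line of String(sdp || '').split(/\r?\n/)) {
    if (/^m=application\b.*webrtc-datachannel/i.test(line)) dataChannel = true;
    const m = /^a=candidate:\S+\s+\d+\s+(\w+)\s+\d+\s+(\S+)\s+(\d+)\s+typ\s+(\w+)/i.exec(line);
    if (m) candidates.push({ proto: m[1].toLowerCase(), ip: m[2], port: Number(m[3]), type: m[4] });
  }
  return { dataChannel, candidates };
}

// Replace scope.RTCPeerConnection with a monitored version. Every construction,
// data channel creation and remote description is passed to `report` (assumed
// callback, e.g. one that beacons to your own logging endpoint). Returns false
// when there is nothing to wrap.
function installWebRtcMonitor(scope, report) {
  const Original = scope.RTCPeerConnection;
  if (typeof Original !== 'function') return false;
  function Monitored(...args) {
    const pc = new Original(...args);
    // The stack trace identifies which script opened the connection.
    report({ event: 'peerconnection', config: args[0] || null, stack: new Error().stack });
    const origCreate = pc.createDataChannel;
    pc.createDataChannel = function (label, opts) {
      report({ event: 'datachannel', label });
      return origCreate.call(this, label, opts);
    };
    const origSetRemote = pc.setRemoteDescription;
    pc.setRemoteDescription = function (desc) {
      // A forged/unsignaled SDP answer still has to pass through here.
      report({ event: 'remote-sdp', ...summarizeSdp(desc && desc.sdp) });
      return origSetRemote.call(this, desc);
    };
    return pc;
  }
  Monitored.prototype = Original.prototype; // keep instanceof checks working
  scope.RTCPeerConnection = Monitored;
  return true;
}

// In a real page, install as early as possible (before third-party scripts run).
if (typeof window !== 'undefined') {
  installWebRtcMonitor(window, (e) => console.warn('[webrtc-monitor]', e));
}
```

The wrapper must load before any skimmer script, so ship it as the first inline or same-origin script on checkout pages rather than from a tag manager.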
High-Profile Target Already Affected
One of the most concerning revelations is that this advanced skimmer has already been detected on the website of a major automotive company valued at over 100 billion dollars. Despite being notified, the company reportedly did not respond to the findings.
This incident underscores the reality that even well-funded organizations with significant resources can fall victim to sophisticated attacks, especially when vulnerabilities are exploited rapidly and stealthily.
Indicators of Compromise Released
To assist defenders, researchers have published a set of indicators of compromise. These include suspicious IP addresses, unusual WebRTC connections, and patterns associated with the skimmer’s behavior.
Organizations are strongly encouraged to monitor their systems for these indicators and take immediate action if any anomalies are detected.
What Undercode Says:
A New Era of Exploitation Speed
The PolyShell incident reinforces a critical truth in cybersecurity. The time between vulnerability disclosure and exploitation is shrinking at an alarming rate. Attackers are no longer reactive. They are predictive and automated, ready to weaponize flaws almost instantly.
The Risk of Beta-Only Fixes
Releasing a fix only in a beta version creates a dangerous gap. While technically a patch exists, it is not practical for most businesses to deploy it. This highlights a structural issue in software release cycles where security urgency does not align with production readiness.
WebRTC as an Attack Vector
The use of WebRTC for data exfiltration marks a significant evolution in skimming techniques. Traditional defenses are built around HTTP traffic monitoring, leaving protocols like WebRTC less scrutinized. Attackers are clearly shifting toward less monitored channels.
Bypassing Modern Security Controls
Content Security Policy has long been considered a strong defense against script injection. However, the reuse of script nonces and fallback execution techniques show that even well-configured CSP rules can be bypassed under certain conditions.
Automation and Scale of Attacks
The fact that more than half of vulnerable stores were targeted within days indicates heavy automation. Attackers are likely using bots to scan, exploit, and deploy payloads without human intervention, dramatically increasing their reach.
The Silent Nature of Modern Skimmers
Unlike older skimmers that generated visible anomalies, this new variant operates quietly. By delaying execution and using encrypted channels, it minimizes its footprint and avoids triggering alerts.
Lack of Organizational Response
The reported lack of response from a major company raises concerns about incident response readiness. Detection alone is not enough. Organizations must act quickly when credible threats are identified.
Supply Chain Implications
Magento powers a large portion of global eCommerce. A vulnerability of this scale does not just affect individual stores but can ripple across supply chains, impacting customers, payment processors, and partners.
The Growing Complexity of Defense
Defending against such attacks now requires visibility into multiple layers, including APIs, browser behavior, and network protocols. Traditional perimeter defenses are no longer sufficient.
The Need for Proactive Monitoring
Waiting for patches is no longer a viable strategy. Organizations must adopt proactive monitoring, anomaly detection, and rapid response mechanisms to stay ahead of attackers.
Fact Checker Results
✅ PolyShell exploitation began within days of disclosure and affected over half of vulnerable stores
✅ The vulnerability enables remote code execution and cross site scripting through file upload abuse
❌ No confirmed public timeline yet for a stable production patch release
Prediction
The PolyShell incident will accelerate the adoption of real-time threat detection systems across eCommerce platforms. 🚨
More attackers will begin experimenting with WebRTC and other non-traditional protocols for stealthy data exfiltration. 🔐
Vendors will face increasing pressure to release emergency patches faster, even outside standard release cycles. ⚡
References:
Reported By: www.bleepingcomputer.com