Executive summary
In October 2025, Adobe published security bulletin APSB25-94. Subsequent research published by Sansec on March 17, 2026, describes how the vulnerabilities in APSB25-94 can be used to achieve unauthenticated remote code execution (RCE). Sansec named this attack “PolyShell.”
The vulnerabilities allow unauthenticated, unrestricted file uploads which, under specific web server configurations, can result in an attacker being able to execute code on the server.
The vulnerabilities affect every production version of Magento Open Source and Adobe Commerce. Although Adobe is addressing this issue, many production environments remain at risk.
Akamai has proactively deployed an Adaptive Security Engine Rapid Rule to protect our customers from this threat.
Vulnerability details
At the center of the issue is an unauthenticated file upload vulnerability within Magento's REST API. Specifically, the API accepts file uploads as part of the "cart item custom options." When a product option is set to the "file" type, Magento processes an embedded file_info object containing base64-encoded data.
The PolyShell attack works by bypassing Magento’s ImageContentValidator. Because the validator only checks that the file has a valid size and a standard image MIME type (such as image/png), it fails to verify whether the file extension matches the content. Attackers can upload a "polyglot" file: a file that appears to the validator as a valid image but contains executable PHP code.
Please note: This vulnerability does not require authentication. An attacker only needs a Guest Cart ID and a product SKU (both easily obtainable) to execute the upload.
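The following Python sketch is an added example (not Magento's own validator and not Akamai's rule logic) of the checks a content validator needs beyond the size and declared-MIME checks described above: the bytes must carry the magic of the declared type, the file name's extension must belong to that type, and no PHP open tag may appear in the content. The field names name, type and base64_encoded_data and the allowed-type table are assumptions for this example.

```python
import base64
import re

# Magic bytes for the image types the validator accepts (constructed table for
# this example, not Magento's own list).
MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
EXTENSIONS = {"image/png": {"png"}, "image/jpeg": {"jpg", "jpeg"}, "image/gif": {"gif"}}
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)
MAX_BYTES = 2 * 1024 * 1024


def validate_file_info(file_info: dict, max_bytes: int = MAX_BYTES):
    """Return (accepted, reason) for a custom-option file upload.

    The size and declared-type checks mirror what the page says the original
    validator does; the remaining checks are the ones that stop a polyglot
    from being stored under an executable extension.
    """
    try:
        data = base64.b64decode(file_info.get("base64_encoded_data", ""), validate=True)
    except (ValueError, TypeError):
        return False, "base64 decode failed"
    if not data or len(data) > max_bytes:
        return False, "empty or oversized"
    declared = file_info.get("type", "")
    if declared not in MAGIC:
        return False, f"type not allowed: {declared}"
    if not data.startswith(MAGIC[declared]):
        return False, "content does not match declared type"
    name = file_info.get("name", "")
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in EXTENSIONS[declared]:
        return False, f"extension '{ext}' does not match {declared}"
    if PHP_OPEN_TAG.search(data):
        return False, "PHP open tag found inside image"
    return True, "ok"


def sample(name: str, mime: str, payload: bytes) -> dict:
    """Build a constructed file_info object as the REST API would carry it (assumed field names)."""
    return {"name": name, "type": mime, "base64_encoded_data": base64.b64encode(payload).decode()}


# Constructed inputs: a minimal PNG header (not a real image) for the checks below.
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
```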
The vulnerability is present in the following versions of Magento Open Source and Adobe Commerce:
| Vulnerable version(s) | Fixed version |
|---|---|
| 2.4.8 and earlier | 2.4.9-alpha3 (partial; see Adobe advisory) |
| 2.4.9-alpha1 | 2.4.9-alpha3 |
| 2.4.9-alpha2 | 2.4.9-alpha3 |
Mitigation with Akamai App & API Protector
On March 27, 2026, Akamai deployed an Adaptive Security Engine Rapid Rule for App & API Protector customers to provide full coverage.
3000982 — Magento PolyShell (APSB25-94) Attack Detected
Summary
A new rule within Akamai App & API Protector has been deployed to protect our customers from the latest Magento threat. However, the most effective defense will always be to promptly apply the patches provided by the vendor. Given the severity of this issue, any patches should be applied as soon as possible.
The Akamai Security Intelligence Group will continue to monitor, report on, and create mitigations for threats such as these for both our customers and the security community at large. To keep up with more breaking news from the Akamai Security Intelligence Group, check out our research home page and follow us on social media.