Attackers began mass exploiting the PolyShell vulnerability in Magento Open Source and Adobe Commerce version 2 shortly after public disclosure, with Sansec reporting attacks on 56.7% of vulnerable stores. Some incidents deliver a novel WebRTC-based payment skimmer that exfiltrates card data over DTLS/UDP to bypass CSP and evade detection, while Adobe’s fix remains only in the 2.4.9-beta1 release and Sansec has published IoCs and attacker IPs. #PolyShell #Magento
Keypoints
- Mass exploitation of the PolyShell flaw began on March 19 and affects 56.7% of vulnerable Magento stores.
- The vulnerability resides in Magento’s REST API, which allows file uploads as custom cart options; uploaded polyglot files can achieve RCE or, via stored XSS, account takeover, if the server configuration permits.
- Adobe released a patch in version 2.4.9-beta1 on March 10, but a stable production update has not yet been issued.
- Attackers deploy a WebRTC-based JavaScript skimmer that uses DTLS-encrypted UDP and forged SDP signaling to bypass CSP and exfiltrate payment card data.
- Sansec published attacker IPs and indicators of compromise, and the skimmer was observed on a major automaker’s e-commerce site that did not respond to notifications.
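The skimmer above works because CSP directives such as connect-src do not govern WebRTC traffic. As an added defender-side illustration, not code from Sansec, Adobe or the report, the hook below instruments the browser's RTCPeerConnection API on a checkout page so that any peer connection, data channel or remote SDP (including the ICE candidate lines that name the exfiltration endpoint) is reported to a first-party callback; `installWebRtcMonitor` and its `report` callback are hypothetical names, and the function takes a window-like object so it can be exercised outside a browser.

```javascript
// Added example (not from the report): instrument RTCPeerConnection so a
// checkout page can see WebRTC use that CSP cannot block or log.
// installWebRtcMonitor(globalObj, report) is a hypothetical name; pass
// `window` in a browser. It must run before any third-party script.
function installWebRtcMonitor(globalObj, report) {
  const Original = globalObj.RTCPeerConnection;
  if (typeof Original !== "function") return false;

  const Monitored = function (config, ...rest) {
    const servers = (config && config.iceServers) || [];
    report({
      event: "peerconnection",
      iceServers: servers.map((s) => String(s.urls)),
      stack: new Error().stack, // which script opened the connection
    });
    const pc = new Original(config, ...rest);

    // Wrap the two calls a data-channel exfiltration path cannot avoid:
    // opening a channel and installing the remote (possibly forged) SDP.
    const createDataChannel = pc.createDataChannel.bind(pc);
    pc.createDataChannel = (label, ...args) => {
      report({ event: "datachannel", label: String(label) });
      return createDataChannel(label, ...args);
    };
    const setRemoteDescription = pc.setRemoteDescription.bind(pc);
    pc.setRemoteDescription = (desc, ...args) => {
      const sdp = (desc && desc.sdp) || "";
      report({
        event: "remote-sdp",
        // a=candidate lines carry the peer address and port the browser
        // will send DTLS/UDP to; keep them verbatim for investigation.
        candidates: sdp
          .split(/\r?\n/)
          .filter((line) => line.startsWith("a=candidate:")),
      });
      return setRemoteDescription(desc, ...args);
    };
    return pc;
  };
  // Keep instanceof checks and static methods working for legitimate code.
  Monitored.prototype = Original.prototype;
  Object.setPrototypeOf(Monitored, Original);
  globalObj.RTCPeerConnection = Monitored;
  return true;
}
```

A script that captured the original constructor before the hook installed, or that obtains a fresh one from a new iframe, is not seen by this wrapper, so treat it as a detection aid rather than a control; where the store has no legitimate WebRTC use, the CSP Level 3 directive `webrtc 'block'` is the complementary preventive setting.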