Thousands of Magento Sites Hit in Ongoing Defacement Campaign

A mass defacement campaign has hit over 7,500 Magento sites, placing plaintext defacement files across more than 15,000 hostnames and briefly affecting major brands, government services, universities, and some Trump Organization domains. Netcraft links the incidents to an unauthenticated file-upload vulnerability in Magento Open Source and Adobe Commerce, while Sansec separately disclosed a REST API flaw it calls PolyShell that allows unauthenticated upload of executable files and warns that exploit methods are already circulating.

Keypoints

  • Over 7,500 Magento sites were defaced, with plaintext files placed across more than 15,000 hostnames.
  • Most defacements include the handle “Typical Idiot Security” and were reported to Zone-H, implying a reputation-seeking actor rather than a financially motivated one.
  • Netcraft attributes the campaign to an unauthenticated file-upload vulnerability affecting Magento Open Source and Adobe Commerce and reproduced a test upload to confirm it.
  • Sansec named a separate REST API flaw PolyShell that allows unauthenticated upload of executable files on versions up to 2.4.9-alpha2 and warned that automated attacks may follow.
  • High-profile brands, regional government services, universities, non-profits, and some Trump Organization domains were affected, mainly on subdomains, regional storefronts, and staging sites.
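The two indicators the reporting actually gives a defender to look for are plaintext defacement files carrying the “Typical Idiot Security” handle and executable files that landed in web-served upload paths. The sweep below is an added example (not code from SecurityWeek, Netcraft, Sansec, or the Magento project) that walks a document root for both. The upload directory names (`pub/media`, `media`), the executable suffix list, and the sample tree it builds are assumptions chosen to illustrate the check; the PHP-open-tag test on non-PHP files under upload paths is a general hardening check, not a description of how PolyShell works.

```python
"""Sweep a Magento-style document root for indicators drawn from the reported campaign.

Added example with assumed paths; it does not describe the exploited vulnerability.
"""
import tempfile
from pathlib import Path

# Indicator reported for the campaign: the handle left in the plaintext defacement files.
DEFACEMENT_MARKER = b"Typical Idiot Security"

# Assumption: web-served upload/media paths relative to the document root. Adjust per deployment.
UPLOAD_DIRS = ("pub/media", "media")
EXEC_SUFFIXES = {".php", ".phtml", ".phar"}
PHP_OPEN_TAG = b"<?php"


def _under_upload_dir(rel: str) -> bool:
    return any(rel == d or rel.startswith(d + "/") for d in UPLOAD_DIRS)


def scan_webroot(root) -> list:
    """Return sorted (indicator, relative_path) pairs for files that need a closer look."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        try:
            head = path.read_bytes()[:65536]  # first 64 KiB is enough for markers and open tags
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        if DEFACEMENT_MARKER in head:
            findings.append(("defacement_marker", rel))
        if _under_upload_dir(rel):
            if path.suffix.lower() in EXEC_SUFFIXES:
                # Upload paths should hold static content only; server-side code here is suspect.
                findings.append(("executable_in_upload_dir", rel))
            elif PHP_OPEN_TAG in head:
                # A PHP open tag inside an "image" is worth triage even if the handler never runs it.
                findings.append(("php_tag_in_non_php_upload", rel))
    return sorted(findings)


# Constructed sample tree (not captured data): two legitimate PHP files outside upload paths,
# one clean image, one defacement file, one PHP file and one tagged image under pub/media.
SAMPLE_FILES = {
    "index.php": b"<?php require __DIR__ . '/app/bootstrap.php';",
    "app/code/Vendor/Module/Helper.php": b"<?php namespace Vendor\\Module;",
    "pub/media/catalog/product/shoe.jpg": b"\xff\xd8\xff\xe0JFIF",
    "pub/media/hacked.txt": b"Hacked by Typical Idiot Security\n",
    "pub/media/wysiwyg/cache.php": b"<?php /* constructed placeholder */",
    "pub/media/import/logo.png": b"\x89PNG\r\n<?php /* constructed placeholder */",
}


def build_sample_tree(base) -> Path:
    base = Path(base)
    for rel, content in SAMPLE_FILES.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return base


def demo() -> list:
    """Build the sample tree in a temporary directory and return the sweep's findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_webroot(tmp)


if __name__ == "__main__":
    for indicator, rel in demo():
        print(f"{indicator:28s} {rel}")
```

Run it against a real document root with `scan_webroot("/var/www/magento")` (path assumed). A hit on `defacement_marker` is a cleanup item; a hit on either upload-directory indicator means the upload path was writable with server-side code, which is the condition both reported flaws abuse, so treat it as a possible foothold and preserve the file and its timestamps before removing it.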

Read More: https://www.securityweek.com/thousands-of-magento-sites-hit-in-ongoing-defacement-campaign/