PolyShell attacks target 56% of all vulnerable Magento
Attacks leveraging the 'PolyShell' vulnerability in version 2 of Magento Open Source and Adobe Commerce installations are underway, targeting more than half of all vulnerable stores. [...]
What Happened
A widespread attack campaign, dubbed “PolyShell,” is actively exploiting a critical vulnerability in Magento Open Source and Adobe Commerce (Magento 2) installations. According to the reported figures, the attacks have already hit 56% of all identified vulnerable stores, a rate that points to a highly effective, automated exploitation effort. The campaign coincides with a broader trend flagged by security researchers: the use of AI-powered agents to automate and scale intrusions. In a separate disclosure, Anthropic described a state-sponsored actor that used its AI coding agent to run an espionage campaign (activity detected in September 2025), with the agent handling an estimated 80-90% of the attack lifecycle and humans intervening only at a handful of decision points.
Why It Matters
This incident matters on two fronts. First, it demonstrates the immediate and severe risk to e-commerce platforms, where a single vulnerability can lead to mass compromise, customer data theft, and downstream supply-chain attacks against the store's own customers. With more than half of vulnerable stores already hit, the operational and financial impact is significant. Second, and more strategically, the PolyShell campaign illustrates where cyber threats are heading. Read alongside the AI-agent disclosure, it suggests attackers are moving toward automated exploitation pipelines that compress the time between each stage of the kill chain. Manual, human-paced defence does not keep up when reconnaissance, exploitation, and payload deployment run at machine speed across the whole internet.
Technical Details
The PolyShell attacks exploit a vulnerability in Magento 2 for which the report cites no CVE identifier. The flaw yields remote code execution (RCE): attackers upload and execute a malicious web shell, the “PolyShell,” on the server, which gives them persistent backdoor access to the compromised store’s file system and database. The exact vector is not described; improper input validation or unsafe deserialization in a Magento component are plausible candidates, but that is inference rather than confirmed detail. The high success rate indicates automated scanners and exploit tooling that systematically enumerate exposed instances and compromise them at scale.
Immediate Risk
The immediate risk is HIGH for any unpatched Magento 2 installation. With exploit activity already widespread, administrators should assume their store has been targeted and check for compromise rather than only patch. The primary consequences include complete server compromise, theft of customer payment data and personal information, defacement, and the installation of credit card skimmers. Organizations running Magento should treat this as an urgent patching and incident response priority. The lack of a CVE complicates mitigation, since there is no single identifier to track, so administrators should watch for official patches or security advisories from Adobe and the Magento community.
Security Insight
This campaign is a stark reminder that vulnerability management must be proactive, not reactive. For Magento administrators, immediate action includes auditing installations (in particular, looking for PHP code in upload directories and for recently modified PHP files), applying all available security patches, and using web application firewalls (WAFs) with virtual patching rules. More broadly, the security community must adapt to the AI-driven threat landscape. Defensive strategies should increasingly incorporate automation and anomaly detection for threat hunting to counter automated offensive tooling. The era of purely human-paced attacks is ending; defence must accelerate accordingly.
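The web-shell persistence described under Technical Details and the audit recommended above both come down to one question: is there PHP code on disk where there should be none, or PHP that changed when nobody deployed? The script below is an added example written for this article, not code from the original page, from Adobe or from any Magento security vendor. It assumes the standard Magento 2 layout (uploads under pub/media, generated assets under pub/static, runtime data under var) and uses constructed heuristics; it is not a signature for PolyShell specifically, whose on-disk form the article does not describe. The sample tree it scans is constructed inline.

```python
"""Hunt for dropped web shells in a Magento 2 document root.

Added example, not from the original article or from Magento. Assumes the
standard Magento 2 layout; the heuristics and the sample tree are constructed.
"""
from __future__ import annotations

import os
import re
import tempfile
import time
from pathlib import Path

# Directories that legitimately contain no executable PHP in Magento 2
# (uploads, generated static assets, runtime data). Assumption: default layout.
NO_PHP_DIRS = ("pub/media", "pub/static", "var")

PHP_TAG = re.compile(rb"<\?php|<\?=")
# Primitives almost every PHP web shell needs: code execution, command
# execution, or decoding of an obfuscated payload. Noisy by design; tune.
SHELL_PRIMITIVES = re.compile(
    rb"\b(?:eval|assert|base64_decode|gzinflate|str_rot13|system|shell_exec|"
    rb"exec|passthru|popen|proc_open)\s*\("
)
PHP_EXT = {".php", ".phtml"}
MAX_BYTES = 2 * 1024 * 1024  # skip large media files; shells are small


def classify(path: Path, root: Path, recent_cutoff: float) -> list[str]:
    """Return the reasons this file looks like a dropped shell (empty if none)."""
    rel = path.relative_to(root).as_posix()
    if path.stat().st_size > MAX_BYTES:
        return []
    data = path.read_bytes()
    reasons: list[str] = []
    if PHP_TAG.search(data):
        if any(rel.startswith(d + "/") for d in NO_PHP_DIRS):
            reasons.append("php-in-upload-dir")
        if path.suffix.lower() not in PHP_EXT:
            # image/PHP polyglot: valid image header followed by a PHP payload
            reasons.append("php-with-non-php-extension")
        if SHELL_PRIMITIVES.search(data):
            reasons.append("shell-primitive")
    if path.suffix.lower() in PHP_EXT and path.stat().st_mtime >= recent_cutoff:
        # set recent_days to the days since your last legitimate deployment
        reasons.append("recent-php-mtime")
    return reasons


def scan_tree(root: Path, recent_days: int = 7, now: float | None = None) -> dict[str, list[str]]:
    """Walk the document root and map relative path -> reasons for every hit."""
    now = time.time() if now is None else now
    cutoff = now - recent_days * 86400
    findings: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            reasons = classify(path, root, cutoff)
            if reasons:
                findings[path.relative_to(root).as_posix()] = reasons
    return findings


def build_sample_tree(root: Path, now: float) -> None:
    """Write a constructed Magento-like tree: two planted shells, two benign files."""
    files = {
        # legitimate module code, last touched long before the attack window
        "app/code/Acme/Blog/Helper/Data.php": b"<?php\nnamespace Acme\\Blog\\Helper;\nclass Data {}\n",
        # shell with a .php name dropped into the upload area
        "pub/media/catalog/product/cache.php": b"<?php eval(base64_decode($_POST['c']));",
        # PNG header followed by a PHP payload (polyglot) under an image name
        "pub/media/wysiwyg/logo.png": b"\x89PNG\r\n\x1a\n" + b"<?php system($_GET['c']); ?>",
        # a plain image, must not be flagged
        "pub/media/wysiwyg/banner.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64,
    }
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    old = now - 60 * 86400
    os.utime(root / "app/code/Acme/Blog/Helper/Data.php", (old, old))


def demo() -> dict[str, list[str]]:
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        now = time.time()
        build_sample_tree(root, now)
        return scan_tree(root, recent_days=7, now=now)


if __name__ == "__main__":
    for rel, reasons in demo().items():
        print(f"{rel}: {', '.join(reasons)}")
```

Against a real store, call `scan_tree(Path("/var/www/magento"), recent_days=<days since last deploy>)` and triage the hits: anything under pub/media with a PHP tag is a compromise indicator regardless of its extension, while "recent-php-mtime" on files under app/ or vendor/ needs comparing against your deployment history. The scan is a post-hoc check, not a substitute for the patch or for a web server configuration that refuses to execute PHP from upload directories.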