A recent mass defacement campaign has affected over 7,500 Magento sites, according to Netcraft. The attackers have been uploading defacement files directly onto the affected infrastructure, impacting more than 15,000 hostnames, with political messages and attacker handles visible on some sites. The campaign is likely exploiting an unauthenticated file upload vulnerability in multiple versions of Magento Open Source (Community Edition), Magento Enterprise / Adobe Commerce, and Adobe Commerce deployments with Magento B2B. Affected sites include those of global brands such as Asus, BenQ, Citroën, Diesel, FedEx, Fiat, Fila, Bandai, Lindt, Toyota and Yamaha, as well as regional government services, university domains in Latin America and Qatar, and international non-profit organizations. Additionally, Sansec reported a new flaw named PolyShell, which impacts the REST API of Magento and Adobe Commerce up to version 2.4.9-alpha2, allowing unauthenticated uploads and XSS attacks.
Affected products:
- Magento Open Source (Community Edition)
- Magento Enterprise / Adobe Commerce
- Adobe Commerce deployments with Magento B2B
Recommended mitigations:
- Upgrade to the latest version of Magento or Adobe Commerce, specifically version 2.4.9-alpha2 or later.
- Review and secure any upload directories by setting appropriate permissions and access controls, and check them for files that are not media (scripts, HTML pages, web server override files).
- Deploy a web application firewall (WAF) to filter malicious requests targeting the REST API endpoints.
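The upload-directory review above can be turned into a repeatable check. The following audit script is an added example (not code from Netcraft, Sansec or the Magento project): it walks an upload tree and flags files that should never be present among uploaded media, which is what a defacement or web shell dropped through an unauthenticated upload looks like on disk. The `demo()` function builds a constructed sample tree in a temporary directory; on a real deployment you would point `audit_upload_dir` at the site's upload or media path instead.

```python
import os
import re
import tempfile
from pathlib import Path

# Files that should never sit among uploaded media: if the web server executes or
# serves them from an upload directory, an upload becomes code execution or a defacement.
SCRIPT_EXTS = {".php", ".phtml", ".phar", ".html", ".htm", ".js", ".sh"}
OVERRIDE_FILES = {".htaccess", ".user.ini"}  # can re-enable PHP for "images"
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
DOUBLE_EXT = re.compile(r"\.(php|phtml|phar)\.[a-z0-9]+$", re.IGNORECASE)

def classify(path: Path, head: bytes) -> list[str]:
    """Return the reasons a file under an upload directory looks suspicious."""
    reasons = []
    if path.suffix.lower() in SCRIPT_EXTS:
        reasons.append(f"script or markup extension {path.suffix.lower()}")
    if path.name in OVERRIDE_FILES:
        reasons.append("web server override file")
    if DOUBLE_EXT.search(path.name):
        reasons.append("double extension")
    if PHP_TAG.search(head):  # catches a .jpg whose body is really PHP
        reasons.append("PHP open tag in content")
    return reasons

def audit_upload_dir(root: Path) -> list[dict]:
    """Walk an upload tree and list every file that should not be there."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            try:
                with p.open("rb") as fh:
                    head = fh.read(4096)  # the first 4 KiB is enough for an open tag
            except OSError:  # unreadable or dangling symlink: skip, don't crash
                continue
            reasons = classify(p, head)
            if reasons:
                findings.append({"path": p.relative_to(root).as_posix(), "reasons": reasons})
    return sorted(findings, key=lambda f: f["path"])

def demo() -> list[dict]:
    root = Path(tempfile.mkdtemp())  # constructed sample tree, not real site data
    (root / "catalog").mkdir()
    (root / "catalog" / "product.jpg").write_bytes(b"\xff\xd8\xff\xe0 fake jpeg body")
    (root / "catalog" / "thumb.jpg").write_bytes(b"GIF89a <?php echo 'x'; ?>")
    (root / "index.html").write_text("<h1>defaced</h1>")
    (root / "logo.php.png").write_bytes(b"not really an image")
    (root / ".htaccess").write_text("AddType application/x-httpd-php .png\n")
    return audit_upload_dir(root)
```

Running the audit from cron and alerting on any non-empty result gives early warning of dropped files; pairing it with a web server rule that refuses to execute scripts under the upload path removes the impact even if a file gets through.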
The impact on common homelab stacks using Magento versions up to 2.4.9-alpha2 is significant, as these systems are exposed to unauthenticated file uploads and XSS attacks. This vulnerability affects the /upload directory and the REST API endpoints.