Attacks on Magento (Adobe Commerce) shops are on the rise. In the past few weeks we noticed significant traffic increase on hosted Magento stores. Unfortunately this wasn't real visitor traffic, this was bot traffic probing all kinds of online shops running Magento for their versions... and vulnerabilities!
The following screenshot from our actual monitoring of a specific customer shop shows the probing seems to have started at the beginning of March (March 5th 2026) and then really took off on March 9th with multiple probes per day.
What is behind all this?
There are currently two critical vulnerabilities actively being exploited.
The first vulnerability is the "SessionReaper" vulnerability, CVE-2025-54236. It is a vulnerability in Magento / Adobe Commerce that can be abused to achieve session takeover and in some cases unauthenticated remote code execution (RCE). Adobe's Security Bulletin APSB25-88 describes the vulnerability as Critical and Priority 1.
A patch/hotfix was released in September 2025. Newer released of Magento / Adobe Commerce include the fix. Since (latest) October 2025 there is proof of a public exploit, that can be used to attack Magento installations.
Vulnerable releases are:
The solution for SessionReaper? Patch or update the Magento installation.
The second vulnerability is "PolyShell" and this one is very new (no known CVE assigned) - and there is no fix yet. Only a pre-release of the 2.4.9 branch currently contains a fix. Attackers can abuse a vulnerability in Magento's REST API to upload fake image files, that contain code and can be executed (RCE).
Such an "image" would look like this:
Known vulnerable releases are:
As there is no patch for PolyShell yet, only a mitigation on the web server or through a WAF (Web Application Firewall) can help.
On our own infrastructure we have immediately adjusted the customer servers which run Magento stores. We adjusted the Nginx configuration to block public access to files in the /media/customer_address and /media/custom_options paths. These are the locations that could contain malicious files, uploaded through the vulnerability.
Is this an isolated incident? No, it is not! As we've seen on multiple Magento stores worldwide, the probes and the actual attacks have increased significantly in the past 2-3 weeks.
Magento Administrators be aware and patch your Adobe Commerce / Magento store right now. To protect your store against the new PolyShell attacks, it's best to reach out to your web hoster to apply a mitigation.
At Infiniroot we've been hosting Magento E-Commerce installations since 2013. Our customized and dedicated servers, specifically tuned for Magento and Adobe Commerce installations, are built with enhanced security based on our PCI-DSS experience. Additional services, such as Web Application Firewalls (WAF) and advanced monitoring, help to protect your Magento / Adobe Commerce installation. Get in touch with us, to find out more.
No comments yet.
AWS Android Ansible Apache Apple Atlassian BSD Backup Bash Bluecoat CMS Chef Cloud Coding Consul Containers CouchDB DB DNS Databases Docker ELK Elasticsearch Filebeat FreeBSD Galera Git GlusterFS Grafana Graphics HAProxy HTML Hacks Hardware Icinga Influx Internet Java KVM Kibana Kodi Kubernetes LVM LXC Linux Logstash Mac Macintosh Mail MariaDB Minio MongoDB Monitoring Multimedia MySQL NFS Nagios Network Nginx OSSEC OTRS Observability Office OpenSearch PHP Perl Personal PostgreSQL PowerDNS Proxmox Proxy Python Rancher Rant Redis Roundcube SSL Samba Seafile Security Shell SmartOS Solaris Surveillance Systemd TLS Tomcat Ubuntu Unix VMware Varnish Virtualization Windows Wireless Wordpress Wyse ZFS Zoneminder