Critical | Campaign active

PolyShell exploitation reaches majority of vulnerable Magento installations; mass compromise already underway

Threat actors are actively exploiting the PolyShell vulnerability in Magento 2 and Adobe Commerce, with attacks targeting 56% of all vulnerable instances. This represents a widespread, in-the-wild exploitation campaign affecting a substantial portion of the e-commerce attack surface.

Sebastion

Affected

Magento 2, Adobe Commerce

The PolyShell campaign represents one of the most successful mass-exploitation efforts against e-commerce infrastructure in recent memory, with threat actors achieving compromise on the majority of unpatched Magento 2 and Adobe Commerce instances. A 56% exploitation rate within the vulnerable population indicates that initial discovery and weaponisation occurred weeks or months before public disclosure, and that automated reconnaissance and payload delivery have been operating at scale for some time.

The technical vector, likely a remote code execution flaw in Magento's request handling or serialisation logic, provides attackers with direct shell access upon successful exploitation. This permits installation of web shells, credential harvesting, payment card interception, and persistent backdoors. The short timeline between effective exploitation and widespread adoption suggests either a low barrier to exploitation tooling or that public exploit code emerged rapidly after initial attacks were observed.

Organisations running Magento 2 stores without immediate patching capabilities face acute risk. The 56% figure is particularly concerning because it indicates that more than half of target organisations either lack vulnerability detection workflows, cannot apply patches quickly, or are unaware of the threat entirely. Attackers do not need sophisticated targeting; they can simply scan for vulnerable instances and deploy payloads en masse.

Defenders should treat this as a compromise-assessment scenario rather than a future risk mitigation problem. Any Magento 2 installation that remained unpatched during the exploitation window should be assumed to contain web shells and unauthorised access. Immediate actions include isolating systems, reviewing access logs, performing forensic analysis for backdoors, and checking transaction records for payment fraud. Organisations should also assume customer payment data, personal information, and administrative credentials may be exposed.
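Two of the compromise-assessment steps above, hunting for dropped web shells and reviewing access logs, can be scripted for a first-pass triage. The block below is an added example, not code from this article, from Magento or from Adobe. It assumes the standard Magento 2 layout in which `pub/media`, `pub/static` and `var` hold only assets and runtime data, never PHP; the loader primitives it matches, the log format it parses and every fixture file and log line are constructed for the demo.

```python
"""First-pass compromise triage for a Magento 2 web root (added example, not the article's code).

Check 1: PHP files under directories that should never contain PHP
         (assumption: standard layout, pub/media, pub/static, var).
Check 2: access-log requests that reach a PHP file under those same
         directories, which is how a dropped web shell is invoked.
"""
import re
import tempfile
from pathlib import Path

# Directories expected to hold only static assets / runtime data (assumption).
STATIC_DIRS = ("pub/media", "pub/static", "var")
# URL prefixes those directories are served under, for docroot at pub/ or at repo root.
URL_PREFIXES = ("/media/", "/static/", "/pub/media/", "/pub/static/", "/var/")
# Executable PHP extensions, including double extensions such as x.php.jpg.
PHP_EXT = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.IGNORECASE)
# Loader primitives that are common in minimal web shells; any hit in a file that
# should not be PHP at all is enough to escalate it for manual review.
SUSPECT_PATTERNS = re.compile(
    rb"(eval|assert|base64_decode|gzinflate|str_rot13|system|passthru|shell_exec|proc_open)\s*\(",
    re.IGNORECASE,
)
# Common Log Format with the request line; constructed for the demo.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def find_suspect_php(webroot: str) -> list[dict]:
    """Return every PHP file under a static-only directory, with the primitives it uses."""
    root = Path(webroot)
    findings = []
    for rel in STATIC_DIRS:
        base = root / rel
        if not base.is_dir():
            continue
        for path in base.rglob("*"):
            if not path.is_file() or not PHP_EXT.search(path.name):
                continue
            data = path.read_bytes()
            hits = sorted({m.group(1).decode().lower() for m in SUSPECT_PATTERNS.finditer(data)})
            findings.append({"path": path.relative_to(root).as_posix(), "primitives": hits})
    return sorted(findings, key=lambda f: f["path"])


def triage_access_log(lines) -> list[dict]:
    """Flag requests for PHP under static-only prefixes; 'served' marks a 2xx answer."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url_path = m.group("path").split("?", 1)[0]
        if not url_path.startswith(URL_PREFIXES) or not PHP_EXT.search(url_path):
            continue
        status = int(m.group("status"))
        flagged.append({"ip": m.group("ip"), "method": m.group("method"),
                        "path": url_path, "status": status, "served": 200 <= status < 300})
    return flagged


# Constructed fixtures: one legitimate module file, one image, one shell-like file, one stray PHP file.
def build_demo_webroot() -> str:
    root = Path(tempfile.mkdtemp(prefix="magento-triage-"))
    fixtures = {
        "app/code/Vendor/Module/Helper/Data.php": b"<?php\nnamespace Vendor\\Module\\Helper;\nclass Data {}\n",
        "pub/media/catalog/product/a.jpg": b"\xff\xd8\xff\xe0 constructed, not a real image",
        "pub/media/wysiwyg/cache.php": b"<?php /* constructed fixture */ @eval(base64_decode($x));\n",
        "var/tmp/.old.phtml": b"<?php echo 'constructed fixture without loader primitives';\n",
    }
    for rel, data in fixtures.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return str(root)


# Constructed access-log lines: a normal asset fetch, a POST to the dropped file,
# a probe that missed, and ordinary storefront traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Mar/2024:10:15:01 +0000] "GET /media/catalog/product/a.jpg HTTP/1.1" 200 5120',
    '203.0.113.10 - - [12/Mar/2024:10:15:07 +0000] "POST /media/wysiwyg/cache.php HTTP/1.1" 200 37',
    '198.51.100.7 - - [12/Mar/2024:10:16:22 +0000] "GET /static/version123/frontend/x.php HTTP/1.1" 404 0',
    '198.51.100.7 - - [12/Mar/2024:10:16:30 +0000] "POST /checkout/cart/add HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    demo_root = build_demo_webroot()
    for f in find_suspect_php(demo_root):
        print(f"[file] {f['path']}  primitives={f['primitives'] or 'none'}")
    for r in triage_access_log(SAMPLE_LOG):
        print(f"[log ] {r['ip']} {r['method']} {r['path']} -> {r['status']} served={r['served']}")
```

Run against a real web root, the file check produces a short list to hand to a forensic reviewer, and the log check correlates each suspect path with the client addresses that reached it and when, which is the starting point for the access-log review and the payment-fraud check the text calls for. A file with no matched primitive is still reported: PHP under `pub/media` or `var` is anomalous on its own.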

The broader lesson is that mass-market e-commerce platforms with large install bases present high-value targets for commodity exploitation. The 56% rate demonstrates that patch deployment speed is no longer the binding constraint; reconnaissance and exploitation speed now determine who gets compromised. Organisations unable to deploy critical patches within hours of release should reconsider their deployment model or shift to managed platforms with automatic patching.