PolyShell attacks target 56% of all vulnerable Magento stores
Attacks exploiting the PolyShell vulnerability in Magento Open Source and Adobe Commerce 2.x are underway and have already affected more than half of all vulnerable stores. The flaw stems from the REST API's file upload feature and can lead to remote code execution or account takeover. Adobe has released a patch, but it has not yet reached the stable release. Researchers have also found a new WebRTC payment card skimmer being used in attacks exploiting this vulnerability.

2026-3-25 21:45:18 Author: www.bleepingcomputer.com Reads: 4

Attacks leveraging the ‘PolyShell’ vulnerability in version 2 of Magento Open Source and Adobe Commerce installations are underway, targeting more than half of all vulnerable stores.

According to eCommerce security company Sansec, hackers started exploiting the critical PolyShell issue en masse last week, just two days after public disclosure.

“Mass exploitation of PolyShell started on March 19th, and Sansec has now found PolyShell attacks on 56.7% of all vulnerable stores,” Sansec says.

The researchers previously reported that the problem lies in Magento’s REST API, which accepts file uploads as part of the custom options for the cart item, allowing polyglot files to achieve remote code execution or account takeover via stored cross-site scripting (XSS), if the web server configuration allows it.

Adobe released a fix in version 2.4.9-beta1 on March 10, 2026, but it has not yet reached the stable branch. BleepingComputer previously contacted Adobe to ask about when a security update addressing PolyShell will become available for production versions, but we have not received a response.

Meanwhile, Sansec has published a list of IP addresses observed scanning for web stores vulnerable to PolyShell.

WebRTC skimmer

Sansec reports that in some of the attacks suspected to exploit PolyShell, the threat actor delivers a novel payment card skimmer that uses Web Real-Time Communication (WebRTC) to exfiltrate data.

WebRTC uses DTLS-encrypted UDP rather than HTTP, so it is more likely to evade security controls, even on sites with strict Content Security Policy (CSP) directives such as "connect-src".

The skimmer is a lightweight JavaScript loader that connects to a hardcoded command-and-control (C2) server via WebRTC, bypassing normal signaling by embedding a forged SDP exchange.

It receives a second-stage payload over the encrypted channel, then executes it while bypassing CSP, primarily by reusing an existing script nonce, or falling back to unsafe-eval or direct script injection. Execution is delayed using ‘requestIdleCallback’ to reduce the chance of detection.
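The practical point for defenders is that `connect-src` governs fetch, XMLHttpRequest, WebSocket and beacon requests, not WebRTC peer connections, so a data channel opened from a script-embedded SDP is invisible to that directive. CSP Level 3 defines a separate `webrtc 'block'` directive for this gap, but browser support varies, so runtime telemetry is a useful complement. The code below is an added example, not Sansec's or BleepingComputer's code. It assumes a checkout page that has no legitimate reason to use WebRTC and wraps the global `RTCPeerConnection` so that every attempt to create a connection or feed it a remote description is recorded (or refused), including the signaling-free pattern the article describes. `installWebRtcGuard` and `iceHosts` are hypothetical helper names, `/telemetry/webrtc` is an assumed reporting endpoint, and `root` is `window` in a browser or a constructed stand-in in tests.

```javascript
// Added example (not Sansec's or BleepingComputer's code): defender-side telemetry for a
// page that is not expected to use WebRTC. Wraps the global RTCPeerConnection so that
// connection attempts and remote SDP descriptions are recorded or blocked.
// Helper names are hypothetical.
function installWebRtcGuard(root, options = {}) {
  const mode = options.mode === 'block' ? 'block' : 'monitor';
  const report = typeof options.report === 'function' ? options.report : () => {};
  const events = [];
  const Original = root.RTCPeerConnection;
  if (typeof Original !== 'function') {
    // Nothing to guard, e.g. a headless environment without WebRTC.
    return { events, mode, restore() {} };
  }
  const proto = Original.prototype;
  const originalSetRemote = proto && proto.setRemoteDescription;

  function record(event) {
    events.push(event);
    report(event);
  }

  function Guarded(config, ...rest) {
    const servers = config && Array.isArray(config.iceServers) ? config.iceServers : [];
    const urls = servers
      .flatMap(s => (Array.isArray(s.urls) ? s.urls : [s.urls]))
      .filter(u => typeof u === 'string');
    record({
      kind: 'construct',
      time: Date.now(),
      iceServerUrls: urls,
      // Captured so the reporting endpoint can see which script created the connection.
      stack: new Error('RTCPeerConnection').stack || '',
    });
    if (mode === 'block') {
      throw new Error('RTCPeerConnection refused by page policy');
    }
    return new Original(config, ...rest);
  }
  // Keep instanceof checks and prototype methods working for legitimate callers.
  Guarded.prototype = proto;
  root.RTCPeerConnection = Guarded;

  if (typeof originalSetRemote === 'function') {
    proto.setRemoteDescription = function (description, ...rest) {
      const sdp = description && typeof description.sdp === 'string' ? description.sdp : '';
      const fp = sdp.match(/^a=fingerprint:([^\r\n]*)/m);
      record({
        kind: 'remoteDescription',
        time: Date.now(),
        type: description ? description.type : undefined,
        sdpLength: sdp.length,
        // The DTLS fingerprint pins the remote peer. The same value across many visitors
        // points to a hardcoded, script-embedded SDP rather than real signaling.
        fingerprint: fp ? fp[1].trim() : '',
      });
      return originalSetRemote.call(this, description, ...rest);
    };
  }

  return {
    events,
    mode,
    restore() {
      root.RTCPeerConnection = Original;
      if (typeof originalSetRemote === 'function') proto.setRemoteDescription = originalSetRemote;
    },
  };
}

// Hostnames referenced by a construct event's ICE servers, e.g. "stun:stun.example.test:3478".
function iceHosts(event) {
  return (event.iceServerUrls || []).map(u => u.replace(/^[a-z]+:/i, '').split(/[:?]/)[0]);
}

// Browser wiring (guarded so the block also loads under Node). The endpoint is assumed.
if (typeof window !== 'undefined') {
  installWebRtcGuard(window, {
    mode: 'monitor',
    report: e => navigator.sendBeacon('/telemetry/webrtc', JSON.stringify(e)),
  });
}
```

Run it in monitor mode first: any `construct` event on a page with no video or voice feature is worth an alert on its own, and a `remoteDescription` event whose fingerprint never changes across sessions matches the forged-SDP behaviour described above. Switch to `block` mode only once you have confirmed no legitimate third-party widget relies on WebRTC, and load the guard before any other script so it cannot be reached first.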

Sansec noted that this skimmer was detected on the e-commerce website of a car maker valued at over $100 billion, which did not respond to their notifications.

The researchers provide a set of indicators of compromise that can help defenders protect against these attacks.

Source: https://www.bleepingcomputer.com/news/security/polyshell-attacks-target-56-percent-of-all-vulnerable-magento-stores/