More than 7,500 Magento sites have fallen victim to a widespread defacement campaign that began three weeks ago, as reported by a digital risk protection platform.
The attacks involved the deployment of defacement files directly onto the affected infrastructures, appearing as plaintext files across more than 15,000 hostnames.
Most of the text files observed included handles of the attackers, while a small number contained political messages alluding to recent geopolitical tensions.
According to the reports, these political messages were only visible for a single day, specifically on March 7, 2026, and did not appear in prior or subsequent defacements, indicating that political motives were not the primary goal of the attack.
The security firm highlights that the majority of the defacement incidents were reported to the defacement archive using the account 'Typical Idiot Security', which also features in the messages left by the attackers, suggesting a desire to establish a reputation.
It appears that the attackers are exploiting an unauthenticated file upload vulnerability affecting Magento Open Source (Community Edition), Magento Enterprise/Adobe Commerce, and Adobe Commerce installations with Magento B2B capabilities.
Furthermore, the findings indicate similarities to attacks carried out in October 2025, which utilized the SessionReaper flaw. The security experts successfully exploited the latest version of Magento Community to upload a text file to a test instance.
This campaign has impacted notable global brands, including Asus, BenQ, Citroën, Diesel, FedEx, Fiat, Fila, Bandai, Lindt, Toyota, and Yamaha, primarily targeting subdomains, regional storefronts, and staging environments, although some production-facing sites were briefly defaced.
Several regional government services, university domains in Latin America and Qatar, as well as international non-profit organizations, have also been affected, including various domains linked to the Trump Organization.
PolyShell Vulnerability
The emergence of this defacement campaign coincides with reports from a security firm about a new vulnerability in the REST API of Magento and Adobe Commerce. This flaw allows for the upload of executables to any store without requiring authentication.
The issue impacts all Magento Open Source and Adobe Commerce versions up to 2.4.9-alpha2 and could be exploited for Cross-Site Scripting (XSS) attacks in all versions prior to 2.3.5.
Notably, the vulnerable code has existed since the very first release of Magento 2. Adobe has addressed it in the 2.4.9 pre-release branch as part of a security advisory; however, there is no isolated patch available for current production versions.
The security firm has dubbed this vulnerability 'PolyShell', noting that many sites expose files within the upload directory, although they have not observed any active exploitation thus far.
Despite the lack of observed exploitation, the firm reports that the method of exploitation is already circulating, and there are expectations for automated attacks to emerge soon.
As more vulnerabilities and exploits come to light, organizations reliant on Magento and similar platforms continue to face ongoing risks.
Source: SecurityWeek News