A critical security vulnerability dubbed PolyShell has been discovered in Magento's REST API that allows unauthenticated attackers to upload arbitrary executables and achieve remote code execution. The flaw was identified and named by security firm Sansec, which warns it could enable complete account takeover of affected e-commerce platforms.
The vulnerability affects Magento's REST API and allows attackers to bypass authentication mechanisms entirely. The attack vector involves disguising malicious code as image files, which can then be uploaded to vulnerable systems without proper validation or security controls.
The exploitation method centers on uploading executables that present themselves to the system as legitimate image files. This polyglot approach lets attackers get past file type restrictions and security filters that would normally block executable uploads. Once uploaded, the malicious code can be executed on the target server.
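As an added, defender-side example (not Sansec's or Magento's code), the stdlib-only Python below contrasts the header-only validation a polyglot defeats with a stricter check that rejects embedded script markers and any data trailing the image's end-of-file marker. The sample PNG bytes and the exact check sequence are constructed assumptions about what a hardened upload filter should do.

```python
import re
# Header signatures a naive upload filter typically trusts.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# Server-side script openers that have no business inside an image file.
SCRIPT_MARKERS = re.compile(rb"<\?php|<\?=|<script\b|<%", re.IGNORECASE)


def naive_is_image(data: bytes) -> bool:
    """The weak check: header bytes only. A polyglot passes this."""
    return any(data.startswith(sig) for sig in MAGIC)


def detect_polyglot(data: bytes):
    """Return None for a plain image, otherwise the reason to reject it."""
    kind = next((k for sig, k in MAGIC.items() if data.startswith(sig)), None)
    if kind is None:
        return "unknown magic bytes"
    if SCRIPT_MARKERS.search(data):
        return "script marker embedded in image body"
    # Structural check: bytes after the format's end marker are a classic
    # hiding place for a payload while the image still renders normally.
    if kind == "png":
        end, skip = data.find(b"IEND"), 8      # 'IEND' + 4-byte CRC
    elif kind == "jpeg":
        end, skip = data.rfind(b"\xff\xd9"), 2  # EOI marker
    else:
        end, skip = data.rfind(b";"), 1        # GIF trailer byte 0x3B
    if end == -1:
        return f"{kind} missing end-of-image marker"
    trailer = data[end + skip:]
    if trailer.strip():
        return f"{len(trailer)} bytes of trailing data after image end"
    return None


# Constructed samples (not real uploads): a minimal PNG and two polyglots.
IEND = b"\x00\x00\x00\x00IEND\xaeB`\x82"
CLEAN_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17 + IEND
PNG_WITH_SCRIPT = CLEAN_PNG + b"<?php /* constructed marker, no code */ ?>"
PNG_WITH_TRAILER = CLEAN_PNG + b"\x00\x01\x02"

if __name__ == "__main__":
    for blob in (CLEAN_PNG, PNG_WITH_SCRIPT, PNG_WITH_TRAILER):
        print(naive_is_image(blob), detect_polyglot(blob))
```

Both polyglots pass the header-only check, which is the gap the article describes; the stricter check rejects each for a different, loggable reason.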
Currently, there is no evidence that the vulnerability has been actively exploited in the wild, according to Sansec's initial assessment. The security firm has not yet disclosed specific patch availability or mitigation timelines, though organizations running Magento should monitor for updates from Adobe regarding fixes for this critical flaw.
The discovery highlights ongoing security challenges facing e-commerce platforms, particularly around file upload mechanisms and API security controls that can be exploited to achieve full system compromise.