Magento application vulnerability (Polyshell)

Posted: Fri, 22 May 2026 02:39 AM UTC (Thu, 21 May 2026 22:39 PM EDT)
Last Update: Fri, 22 May 2026 02:48 AM UTC (Thu, 21 May 2026 22:48 PM EDT)
Status: Closed

In October 2025, Adobe published a bug report, APSB25-94, for Magento.

We have been made aware that this bug is being used to actively exploit Magento-based sites. It does not require any form of authentication. On vulnerable systems an attacker can upload and use files carrying exploit payloads to gain remote code execution. A breakdown of the RCE can be found at https://sansec.io/research/magento-polyshell

Adobe has included a fix in its 2.4.9 beta branch, but as of 22 May 2026 has not released it to any stable branch.

We recommend keeping Magento instances (and any web application) up to date with the latest stable release.

Additional mitigations:

Ensure you have appropriate webserver protections against unintended access and operations for vulnerable parts of Magento, especially the media and uploads folders, for example by disabling script execution in those directories.

Audit pub/media/custom_options and its subfolders for existing unverified scripts, or for images with embedded executable PHP tags.

Consider using a plugin that helps protect your Magento instance, for example this community-provided option: https://github.com/aregowe/magento2-module-polyshell-protection
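As an added illustration of the pub/media/custom_options audit suggested above (this is example code written for this notice, not part of Magento or of the linked plugin), the following script walks a media tree and flags two things: files whose extension is not one of the image types expected there, and image files that contain a PHP open tag anywhere in their bytes. The directory layout and sample files are constructed fixtures; the expected-extension set and read limit are assumptions you should adjust for your store.

```python
"""Defender-side audit of a Magento media tree for files carrying PHP open tags."""
import os
import re
import tempfile

# Full and short-echo PHP open tags. The bare "<?" form is only active when
# short_open_tag is enabled, so it is deliberately not matched here.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
# Assumption: extensions normally found under pub/media/custom_options.
IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".webp"}
MAX_BYTES = 5 * 1024 * 1024  # assumption: bound how much of each file is read

def scan_media_tree(root):
    """Return sorted (relative_path, reason) pairs for suspicious files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            if ext not in IMAGE_EXT:
                # Scripts or renamed files do not belong in the media tree at all.
                findings.append((rel, "unexpected extension %s in media tree" % (ext or "<none>")))
                continue
            with open(path, "rb") as fh:
                data = fh.read(MAX_BYTES)
            if PHP_TAG.search(data):
                # A valid-looking image that also parses as PHP is the polyglot case.
                findings.append((rel, "image file contains a PHP open tag"))
    return sorted(findings)

def build_sample_tree():
    """Constructed fixture: a clean PNG header, a PNG with an appended tag, a stray .php file."""
    root = tempfile.mkdtemp(prefix="custom_options_")
    os.makedirs(os.path.join(root, "quote", "1"))
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32  # PNG signature plus padding, no image data
    with open(os.path.join(root, "quote", "1", "clean.png"), "wb") as fh:
        fh.write(png)
    with open(os.path.join(root, "quote", "1", "poly.png"), "wb") as fh:
        fh.write(png + b"<?php /* constructed marker, no code */ ?>")
    with open(os.path.join(root, "quote", "1", "stray.php"), "wb") as fh:
        fh.write(b"// constructed placeholder\n")
    return root

if __name__ == "__main__":
    for rel, reason in scan_media_tree(build_sample_tree()):
        print("%s: %s" % (rel, reason))
```

Point scan_media_tree at your real pub/media/custom_options directory and review each finding by hand; a hit on a PHP tag inside image metadata is rare but possible, so treat output as a shortlist for inspection rather than an automatic delete list.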

Exact solutions may depend on your specific setup. If you have questions, please reach out to our support team for assistance at https://rimuhosting.com/contact.jsp
