[TIMESTAMP: 2026-03-26 00:39 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: CRITICAL]

CVE-2024-34102: PolyShell Exploits Target 56% of Magento Stores

CRITICAL Vulnerabilities #CVE-2024-34102#Magento#Adobe Commerce
AI-Assisted Analysis
READ_TIME: 3 min read
// executive briefing tl;dr
  • [01] Attackers use PolyShell techniques to achieve remote code execution on over half of vulnerable Magento and Adobe Commerce stores.
  • [02] Adobe Commerce and Magento Open Source versions 2.4.7 and earlier are vulnerable to the CosmicSting flaw unless patched.
  • [03] Organizations must immediately update Adobe Commerce or Magento to the latest secure versions and rotate encryption keys.

A high-intensity campaign is currently targeting e-commerce platforms using a sophisticated TTP dubbed “PolyShell.” According to Bleeping Computer, security researchers at Sansec have identified that 56% of all vulnerable Magento installations have already been targeted by this specific attack vector. The campaign exploits a critical vulnerability known as CosmicSting, tracked as CVE-2024-34102, which allows for unauthorized access and control over affected servers.

Technical Analysis of CVE-2024-34102 and CosmicSting

CosmicSting is an Improper Restriction of XML External Entity Reference (XXE) vulnerability. When successfully exploited, it allows an unauthenticated attacker to read arbitrary files from the server’s filesystem. This is particularly dangerous for Magento environments because it enables the theft of the env.php file. This file contains the store’s unique encryption key (crypt/key), which is used to generate and validate authorization tokens.

Once an attacker possesses this key, they can bypass standard authentication mechanisms to perform administrative actions. This typically leads to a full RCE chain, allowing for the deployment of malicious scripts, database manipulation, or the installation of persistent backdoors. The severity of this CVE is reflected in its CVSS score of 9.8, categorizing it as critical. Security teams should prioritize detecting CVE-2024-34102 exploit attempts by monitoring for unusual XML payloads directed at the Magento REST or GraphQL APIs.

Understanding the PolyShell TTP

The “PolyShell” campaign is named after the use of polyglot web shells. A polyglot file is a single file that is valid across multiple different file formats. In these attacks, threat actors often disguise PHP code within image files (such as JPG or GIF) or other seemingly benign assets. This technique is designed to evade security tools like EDR or traditional file scanners that might only look for specific file extensions or signatures.

By leveraging the administrative access gained through CosmicSting, attackers inject these polyglot shells into the Magento environment. Once the shell is active, it provides a persistent C2 channel, allowing the attacker to execute commands, exfiltrate customer payment data, or facilitate lateral movement within the network. Sansec reports that the automation level of these attacks is extremely high, contributing to the rapid compromise of over half the vulnerable landscape.

Detecting PolyShell Magento Attacks and Remediation

Detecting PolyShell Magento attacks requires a multi-layered approach. Because the initial stage involves stealing sensitive configuration files, SOC analysts should review access logs for unauthorized access to /app/etc/env.php. Furthermore, defenders should use a SIEM to correlate API requests that include suspicious XML structures with subsequent administrative logins from unfamiliar IP addresses.
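A file-level check complements the log review above: the polyglot shells described in the previous section are valid images that also carry PHP. The scanner below is an added example for this briefing, not code from Sansec, Adobe or the Magento project; it flags files under a media directory that start with a JPEG, GIF or PNG header and also contain a PHP open tag, and lists common shell functions for triage. The two sample byte strings are constructed here for the test, not captured from a real attack.

```python
import re
import sys
from pathlib import Path

# Magic bytes of the image formats the campaign is reported to abuse.
IMAGE_MAGIC = {
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
}
# A genuine image never needs a PHP open tag anywhere in its bytes.
PHP_TAG_RE = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
# Functions typical of web shells; reported for triage context only.
SUSPICIOUS_CALL_RE = re.compile(
    rb"\b(eval|system|passthru|shell_exec|exec|assert|base64_decode)\s*\(",
    re.IGNORECASE)

def image_format(data: bytes):
    """Return the image format whose magic bytes open the file, else None."""
    for name, magics in IMAGE_MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return name
    return None

def scan_bytes(data: bytes) -> dict:
    """Classify one file body: image header + PHP tag = polyglot."""
    fmt = image_format(data)
    tag_offsets = [m.start() for m in PHP_TAG_RE.finditer(data)]
    calls = sorted({m.group(1).lower().decode()
                    for m in SUSPICIOUS_CALL_RE.finditer(data)})
    return {"image_format": fmt, "php_tag_offsets": tag_offsets,
            "suspicious_calls": calls,
            "polyglot": fmt is not None and bool(tag_offsets)}

def scan_tree(root: str, exts=(".jpg", ".jpeg", ".gif", ".png")) -> list:
    """Walk a directory (e.g. Magento's pub/media) and return polyglot hits."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            result = scan_bytes(path.read_bytes())
            if result["polyglot"]:
                hits.append((str(path), result))
    return hits

# Constructed samples: a minimal 1x1 GIF, and the same GIF with a PHP
# block appended after the image trailer, which is the polyglot shape.
CLEAN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
             b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01"
             b"\x00\x00\x02\x02D\x01\x00;")
POLYGLOT_GIF = CLEAN_GIF + b'<?php eval("/* constructed sample */"); ?>'

if __name__ == "__main__":
    for path, result in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, result)
```

Image viewers ignore bytes after the GIF trailer, which is why a scanner keyed on extension or magic bytes alone misses these files; the PHP tag search is the part that matters.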

Adobe Commerce 2.4.7 Patch Guidance

The primary defense against this threat is updating to a secure version of the software. Adobe has released security updates addressing the flaw. Organizations should follow the Adobe Commerce 2.4.7 patch guidance or the equivalent for their specific version (e.g., 2.4.6-p6, 2.4.5-p8, or 2.4.4-p9).

However, patching alone is insufficient if the system has already been compromised. If the encryption key was stolen before the patch was applied, the attacker still maintains the ability to access the store. Consequently, the most vital remediation step is rotating the encryption key after applying the security update. This process invalidates any session tokens or administrative access previously generated by the attacker. Additionally, security professionals should audit the cms_block and cms_page tables for any unauthorized JavaScript or PHP injections that may have been placed during the window of vulnerability.
