Immediate hardening steps every Magento and Adobe Commerce store should take today to mitigate the PolyShell vulnerability, plus what JetRails is doing for its hosting clients.
JetRails’ internal patch for clients
JetRails has deployed an immediate server‑side infrastructure patch across all managed environments that blocks active exploitation of the PolyShell vulnerability, even on unpatched Magento/Adobe Commerce installations.
This is not a Magento application‑level patch; it is a protective layer that prevents compromised sites from being abused. JetRails is also conducting environment‑wide security audits to notify clients directly if signs of compromise are detected.
Clients should still treat PolyShell as a high‑risk, time‑sensitive vulnerability and plan for the upcoming Adobe patch, but JetRails has already hardened the infrastructure layer for managed environments.
Immediate hardening steps everyone can take today
These steps apply to any Magento/Adobe Commerce store, regardless of hosting provider.
- Block direct web access to high‑risk upload paths, especially:
  - pub/media/custom_options/
  - pub/media/custom_options/quote/
  Enforce this at the web server (Nginx/Apache), reverse proxy, or CDN level and validate that access is actually denied: a request to these paths should return 403 or 404, not 200.
- Ensure upload directories are non‑executable at the server level:
  - Disable PHP handlers in the <Directory> or location blocks covering pub/media/custom_options/, pub/media/import/, and similar paths.
  - Avoid fastcgi_pass or other script‑execution rules in those locations.
- Scan upload directories for signs of compromise:
  - Check pub/media/custom_options/ and other media‑style upload paths for .php, .phtml, .php5, .inc, or other script‑like files.
  - Hunt for webshells, obfuscated code, or unexpected artifacts, and remove or quarantine anything suspicious.
- Tighten upload and REST‑API behavior:
  - Enforce strict file‑type validation (e.g., images, PDFs) and reject scripts or other executable‑looking files.
  - Limit or disable REST endpoints tied to cart items or custom options unless they are strictly required.
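One way to carry out the upload‑directory scan and the access check described above, as an added example that is not JetRails' tooling and not part of this advisory. The docroot path, the hostname in the usage comment, and the use of curl for the check are assumptions.

```shell
#!/bin/sh
# Added example (not JetRails' own tooling). Assumes $1 is the Magento/Adobe
# Commerce docroot and that the upload paths are the ones named in the advisory.

# List files under the upload directories that are script-like by extension
# (.php, .phtml, .php5, .inc, any letter case) or that contain a PHP open tag
# regardless of extension. Output is one path per line, deduplicated.
scan_upload_dirs() {
    root="$1"
    for dir in pub/media/custom_options pub/media/import; do
        [ -d "$root/$dir" ] || continue
        find "$root/$dir" -type f \
            \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php5' -o -iname '*.inc' \)
        # grep -l prints the file name even for binary files; a "no match" exit
        # status is not an error here, so it is swallowed.
        grep -rl -e '<?php' -e '<?=' "$root/$dir" 2>/dev/null || true
    done | sort -u
}

# Confirm that the web server denies direct access to an upload path.
# Returns 0 when the status is 403 or 404; 1 for anything else (e.g. 200).
# Needs curl and network access, so it is not exercised offline.
check_path_denied() {
    url="$1"
    status=$(curl -s -o /dev/null --max-time 10 -w '%{http_code}' "$url")
    case "$status" in
        403|404) return 0 ;;
        *) echo "WARNING: $url returned HTTP $status" >&2; return 1 ;;
    esac
}

# Usage (hypothetical docroot and host):
#   scan_upload_dirs /var/www/magento
#   check_path_denied https://store.example/media/custom_options/quote/
```

Any path the scan prints should be quarantined and reviewed rather than simply deleted, so the artifact is available for the incident assessment.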
These hardening measures should be treated as an essential security baseline for all stores.
Next steps: preparing for the Adobe patch
These steps also apply to any Magento/Adobe Commerce store.
- Confirm your current Magento/Adobe Commerce version and subscribe to Adobe’s security advisories so you can apply the official patch as soon as it becomes available.
- Prepare a patch‑readiness plan:
  - Coordinate with your hosting partner, developers, or agency to schedule the update and any required environment changes.
  - Define a testing window to validate uploads, imports, custom options, and any third‑party integrations after patching.
- Re‑test critical flows post‑patch:
  - Verify that file uploads, imports, and custom‑option behaviors still work as expected.
  - Run a fresh security scan of pub/media/custom_options/ and related directories to confirm that no artifacts were already present before the patch.
Ongoing collaboration between clients and JetRails
These steps apply to JetRails‑managed environments.
- JetRails can assist with environment‑level scans and help validate that server‑level protections remain intact.
- We can coordinate with your developers or agency to:
  - Re‑test uploads, imports, and custom‑option flows after the Adobe patch is applied.
  - Tune WAF or edge rules to further reduce exposure to file‑upload‑based attacks.
- JetRails will continue to monitor and audit environments and will contact clients directly if any indication of compromise is detected, providing a detailed assessment and remediation plan.
If you are a JetRails client and experience any issues, or have questions, please immediately contact our support team here.