Cyber Incident Victim: Fiat
Date: Mar 2026
Location: Italy
Summary
Over seven thousand Magento sites were hit in a mass defacement campaign that placed plaintext files bearing the attacker’s handle and occasional political messages on affected infrastructure. The threat actors are believed to be exploiting an unauthenticated file upload flaw in Magento Open Source, Adobe Commerce and related B2B deployments, a vulnerability that has existed since the first Magento 2 release and was patched only in a pre‑release branch. Victims included major brands such as Asus, BenQ, Citroën, Diesel, FedEx, Fiat, FilaBandai, Lindt, Toyota and Yamaha, mainly affecting subdomains, regional storefronts and staging environments with occasional brief defacements of production sites, as well as various government, university and nonprofit domains worldwide. Security researchers have named the flaw PolyShell and warn that exploit code is circulating, raising the prospect of automated attacks.
Description
Over three weeks before the article’s publication on 7 March 2026, a mass defacement campaign began that ultimately compromised more than 7,500 Magento installations and more than 15,000 hostnames worldwide. The campaign affected a range of global brands, including Fiat, with threat actors focusing on subdomains, regional storefronts, and staging environments, while also briefly defacing some production‑facing sites. Defacement was carried out by placing plaintext files on the compromised infrastructure; most of these files displayed the attacker’s handle, and on the single day of 7 March 2026 a subset contained political messages referencing recent geopolitical conflicts before disappearing again. The security firm Netcraft observed that the majority of incidents were logged in the defacement archive Zone‑H under the account “Typical Idiot Security,” which matched the handle appearing in the defacement files, indicating the actor’s effort to build a reputation.

Technical analysis pointed to an unauthenticated file upload vulnerability in the Magento REST API, later named PolyShell by Sansec, as the likely entry point exploited by the attackers. The flaw affects all Magento Open Source and Adobe Commerce versions up to 2.4.9‑alpha2 and could be used to upload executables without authentication, with potential for cross‑site scripting in releases prior to 2.3.5. The vulnerable code has existed since the initial Magento 2 release; Adobe addressed it in the 2.4.9 pre‑release branch as part of advisory APSB25‑94, though no isolated patch was made available for current production versions at the time of reporting. Sansec noted that while active exploitation had not been observed in the wild, the exploit method was already circulating and automated attacks were anticipated.

In response to the campaign, Netcraft published its findings detailing the scale and nature of the defacements, and Sansec disclosed the PolyShell vulnerability, prompting Adobe to release a fix in the pre‑release branch. The defacement archive Zone‑H captured reports submitted via the “Typical Idiot Security” account, providing a record of the compromised hosts. For Fiat, the observed impact consisted of the appearance of defacement files on its subdomains, regional storefronts, and staging environments, with occasional brief defacement of production‑facing pages, all consistent with the broader pattern of the campaign. No further details about remediation steps taken by Fiat were provided in the source material.
