The United States Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent call on Wednesday for federal agencies to address a critical vulnerability in the Mirasvit Full Page Cache Warmer for Magento 2. This security flaw has been actively exploited to perform remote code execution (RCE) on affected servers.
Understanding the Vulnerability
The Mirasvit Cache Warmer is designed to monitor and update page cache statuses, enhancing loading times and search engine performance. However, a severe flaw, identified as CVE-2026-45247 with a CVSS score of 9.8, allows for remote PHP object injection. This can be exploited without authentication to execute arbitrary commands on Magento and Adobe Commerce platforms.
Attackers exploit this vulnerability by injecting malicious serialized PHP objects into the CacheWarmer cookie. The extension then improperly deserializes these objects, allowing unauthorized code execution. Security firm Sansec notes that the vulnerability could affect thousands of Magento and Adobe Commerce stores running outdated versions of the Cache Warmer extension.
Immediate Actions and Recommendations
CVE-2026-45247 was made public on May 26, and threat actors began exploiting it shortly thereafter. CISA has now added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, which requires federal agencies to apply patches within three days under Binding Operational Directive 22-01.
While this directive is mandatory for federal entities, all organizations using the Mirasvit Cache Warmer are strongly advised to update to version 1.11.12 or later. These releases contain the patches that address the vulnerability.
Detection and Future Precautions
Sansec outlines a method for administrators to detect potential compromises. By monitoring storefront requests for a CacheWarmer cookie containing the marker ‘CacheWarmer:’ followed by a base64 string, organizations can identify exploitation attempts. Specifically, a base64 string that starts with ‘Tz’, ‘Qz’, or ‘YT’ is an encoded serialized PHP object and indicates a strong likelihood of such an attempt.
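The detection check described above can be sketched as a small log filter. This is an added example, not code from Sansec or Mirasvit; it assumes each request is available as a (client IP, raw Cookie header) pair and that the cookie value has the layout ‘CacheWarmer:’ plus base64, and the sample requests are constructed with harmless payloads.

```python
import base64
import re
from urllib.parse import unquote

# Prefixes from the guidance above. In base64, "Tz", "Qz" and "YT" are how the
# PHP serialize() type tags "O:", "C:" and "a:" are encoded.
PREFIXES = {"Tz": "object (O:)", "Qz": "custom-serialized object (C:)", "YT": "array (a:)"}
MARKER_RE = re.compile(r"CacheWarmer:([A-Za-z0-9+/]+={0,2})")


def cachewarmer_value(cookie_header):
    """Return the URL-decoded value of the CacheWarmer cookie, or None if absent."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "CacheWarmer":
            return unquote(value)  # also catches the marker sent as CacheWarmer%3A
    return None


def classify(cookie_header):
    """Return the serialized PHP type the cookie carries, or None if nothing matches."""
    value = cachewarmer_value(cookie_header)
    match = MARKER_RE.search(value) if value else None
    if not match:
        return None
    return PREFIXES.get(match.group(1)[:2])


def scan(requests):
    """requests: iterable of (client_ip, cookie_header). Returns flagged (ip, kind) pairs."""
    return [(ip, kind) for ip, header in requests if (kind := classify(header))]


def encode_b64(raw):
    return base64.b64encode(raw).decode()


# Constructed sample requests: documentation IP ranges, harmless payloads.
SAMPLE = [
    ("192.0.2.10", "PHPSESSID=abc123; CacheWarmer=CacheWarmer:" + encode_b64(b'{"page":1}')),
    ("198.51.100.7", "CacheWarmer=CacheWarmer:" + encode_b64(b'O:8:"stdClass":0:{}')),
    ("203.0.113.5", "form_key=x; CacheWarmer=CacheWarmer%3A" + encode_b64(b"a:0:{}")),
    ("192.0.2.44", "PHPSESSID=def456"),
]

if __name__ == "__main__":
    for ip, kind in scan(SAMPLE):
        print(f"{ip}: CacheWarmer cookie carries a serialized PHP {kind}")
```

A match means the request should be investigated; whether the server was compromised depends on whether it ran a vulnerable version at the time.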
Ensuring that systems are updated and monitored can significantly reduce the risk of exploitation. Both federal and private organizations should prioritize these security updates to safeguard their digital infrastructures.
In related news, other vulnerabilities have been highlighted, such as issues in WordPress plugins and Android zero-days, underscoring the importance of maintaining robust cybersecurity practices.
