The Cybersecurity and Infrastructure Security Agency (CISA) has recently updated its Known Exploited Vulnerabilities (KEV) catalog to include a significant security flaw impacting Mirasvit Cache Warmer, a widely used extension for Magento’s full-page caching. This decision follows reports of the flaw’s active exploitation in various online environments.
Understanding the Magento RCE Vulnerability
Identified as CVE-2026-45247 with a critical CVSS score of 9.8, this vulnerability arises from the deserialization of untrusted data, which can be manipulated to execute arbitrary PHP code on vulnerable servers. According to CISA, unauthenticated attackers can leverage this flaw by inserting a specially crafted serialized PHP object into the CacheWarmer cookie.
This vulnerability affects all versions of the Mirasvit extension prior to 1.11.12. A patch addressing the issue was released on May 25, 2026, highlighting the urgency for users to update their systems.
Exploitation Details and Security Implications
The inclusion of CVE-2026-45247 in the KEV catalog was prompted by Sansec’s announcement that any storefront request carrying a crafted CacheWarmer cookie could exploit this vulnerability. The cookie value is passed to PHP’s unserialize() function, which runs without requiring authentication or administrative privileges.
Sansec further highlighted the potential for PHP object injection, which, when combined with existing Magento and dependency classes, can escalate to remote code execution. This discovery underscores the need for heightened vigilance among Magento users.
Current Exploitation Activities and Recommendations
Imperva, a security company owned by Thales, has reported observing malicious activity targeting CVE-2026-45247. The attacks involve serialized PHP object payloads delivered through malicious HTTP requests. These payloads are crafted to trigger object deserialization, ultimately allowing remote execution of arbitrary commands on affected servers.
The primary targets of these attacks are gaming and business websites, with countries like the United States, United Kingdom, France, and Australia being the most affected. Although the perpetrators remain unidentified, the goal appears to be identifying vulnerable Magento systems and verifying the possibility of remote code execution.
Federal Civilian Executive Branch (FCEB) agencies have been instructed to apply the necessary patches by June 6, 2026, to mitigate exploitation risks. Website administrators are advised to scrutinize storefront requests for CacheWarmer cookies with values starting with “CacheWarmer:” followed by a Base64-encoded string, as these may signal exploitation attempts.
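The check recommended above, as an added detection example that is not part of the original article: it parses the Cookie header of each request, flags a CacheWarmer cookie whose value is the literal prefix "CacheWarmer:" followed by Base64, and, as an additional assumption beyond the article's indicator, decodes that Base64 to see whether it starts with PHP's serialized-object marker (O:<len>:"<class>"). The request records and cookie values are constructed for the example.

```python
import base64
import binascii
import re

# Indicator from the advisory: value is "CacheWarmer:" followed by Base64 text.
SUSPICIOUS_VALUE = re.compile(r"^CacheWarmer:([A-Za-z0-9+/]+={0,2})$")
# PHP serialize() writes objects as O:<len>:"<class>":...; a decoded payload
# beginning this way is a stronger sign of an object-injection attempt.
PHP_OBJECT = re.compile(rb'^O:\d+:"')


def parse_cookies(cookie_header: str) -> dict:
    """Split a raw Cookie header into a name -> value mapping."""
    cookies = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:  # only the first "=" separates name and value, so Base64 padding survives
            cookies[name.strip()] = value.strip()
    return cookies


def inspect_cookie_header(cookie_header: str) -> dict:
    """Return {'suspicious': matches the indicator, 'php_object': decoded payload is an object}."""
    result = {"suspicious": False, "php_object": False}
    match = SUSPICIOUS_VALUE.match(parse_cookies(cookie_header).get("CacheWarmer", ""))
    if not match:
        return result
    result["suspicious"] = True
    try:
        decoded = base64.b64decode(match.group(1), validate=True)
    except binascii.Error:  # malformed padding: keep the prefix-based verdict only
        return result
    result["php_object"] = bool(PHP_OBJECT.match(decoded))
    return result


def scan_requests(records: list) -> list:
    """records: (client_ip, cookie_header) tuples; returns one finding per suspicious request."""
    findings = []
    for client_ip, cookie_header in records:
        verdict = inspect_cookie_header(cookie_header)
        if verdict["suspicious"]:
            findings.append({"client": client_ip, **verdict})
    return findings


# Constructed sample traffic: a benign stdClass is used as the serialized object, not a real payload.
OBJECT_COOKIE = "CacheWarmer=CacheWarmer:" + base64.b64encode(b'O:8:"stdClass":0:{}').decode()
SAMPLE_REQUESTS = [
    ("198.51.100.10", "PHPSESSID=abc123; CacheWarmer=1"),          # normal extension cookie
    ("203.0.113.7", OBJECT_COOKIE + "; PHPSESSID=def456"),         # indicator + serialized object
    ("203.0.113.9", "CacheWarmer=CacheWarmer:aGVsbG8="),           # indicator, decoded text "hello"
]
```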
In summary, the addition of this Magento vulnerability to CISA’s KEV catalog emphasizes the critical need for patching and vigilant monitoring to protect against potential threats.
