On June 3, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added vulnerability CVE-2026-45247 to its Known Exploited Vulnerabilities (KEV) catalog, confirming that it is being actively exploited. The vulnerability affects Mirasvit Full Page Cache Warmer—a popular page-caching extension for the Magento platform—and has been assigned a CVSS score of 9.8 out of 10, which is classified as critical. The issue allows an unauthenticated attacker to execute arbitrary PHP code on the server via a specially crafted cookie. All Magento store owners with the Mirasvit Cache Warmer extension installed must immediately update to version 1.11.12 or later.
Vulnerability mechanism
According to the CISA description, CVE-2026-45247 is an insecure deserialization of untrusted data vulnerability (CWE-502). The Mirasvit Full Page Cache Warmer extension processes a cookie named CacheWarmer, which is sent with regular requests to the store’s storefront. Part of the value of this cookie is passed into the native PHP function unserialize() without any validation or sanitization of the input data.
According to researchers from the Dutch company Sansec, who published a technical analysis of the vulnerability, since the cookie value is fully controlled by the client, an attacker can inject arbitrary PHP objects—a classic PHP Object Injection attack. Combined with gadget chains that already exist in the Magento codebase and its dependencies, the object injection escalates into full-fledged remote code execution (RCE).
Key characteristics of the vulnerability:
- CVE ID: CVE-2026-45247
- CVSS: 9.8 (critical)
- Affected versions: all versions of Mirasvit Full Page Cache Warmer prior to 1.11.12
- Attack vector: network, unauthenticated, via an HTTP request with a malicious cookie
- Patch: according to available information, released on May 25, 2026 (version 1.11.12)
Crucially, exploitation does not require authentication or administrative privileges—sending any request to the store’s storefront with a crafted cookie is sufficient. This makes the vulnerability trivially exploitable and extremely dangerous for any publicly accessible Magento store with the extension installed.
Observed exploitation activity
Imperva (owned by Thales) has reported observing real-world attacks leveraging CVE-2026-45247. According to the company, the observed payloads contained serialized PHP objects encoded in Base64, designed to trigger deserialization and code execution via known gadget chains. In particular, attackers attempted to invoke the system() and current() functions to run arbitrary commands on the server.
As Imperva notes, in several recorded cases the attackers used test commands aimed at confirming the ability to execute code. This is typical behavior for the reconnaissance phase: attackers first identify vulnerable systems and only then move on to full exploitation—deploying web shells, stealing payment card data, or installing malware.
According to Imperva, the activity is primarily directed at gaming and business websites, with the United States, United Kingdom, France, and Australia being the most targeted regions. Note that this data comes from a single security vendor and may reflect the specifics of its customer base rather than the full picture of attacks. There is currently no threat attribution: who is behind the exploitation remains unknown.
Scale of potential impact
Sansec estimates that around 6,000 online stores use Mirasvit extensions, though the actual number may be significantly higher because content delivery networks (CDNs) such as Cloudflare obscure installations. This is an estimate from a single research source, and precise data on the extension’s prevalence is not available.
Magento remains one of the leading e-commerce platforms, and its extension ecosystem has traditionally been an attractive target for attackers. Compromising a Magento store through RCE opens the door to a wide range of attacks: from stealing payment card data (Magecart-style attacks) to using the server as a beachhead for further penetration into the infrastructure.
Recommendations for detection and protection
U.S. federal civilian executive branch agencies are required to remediate the vulnerability by June 6, 2026. However, given the critical nature of the issue and the confirmed active exploitation, immediate updating is recommended for all affected organizations without exception.
Remediation steps:
- Update the Mirasvit Full Page Cache Warmer extension to version 1.11.12 or later.
- If an immediate update is not possible, temporarily disable the extension until the patch can be applied.
- Audit web server logs for requests containing a CacheWarmer cookie with a suspicious value.
Indicators of compromise and detection:
Sansec recommends inspecting requests to the store’s storefront for the presence of a CacheWarmer cookie whose value contains the marker CacheWarmer: followed by a Base64-encoded string. Serialized PHP objects in Base64 begin with characteristic sequences such as Tz, Qz, or YT. Thus, a cookie value that matches the pattern CacheWarmer:(Tz|Qz|YT) is a strong indicator of an exploitation attempt. This pattern can be used in WAF and monitoring system rules for blocking and alerting.
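The pattern above applied to access-log lines, as an added example that is not code from Sansec, CISA or Mirasvit. It assumes a custom log format that appends the Cookie request header as a cookie="..." field (default access-log formats do not record cookies); the sample lines, the field name and the cookie values are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Pattern from the article: the marker "CacheWarmer:" followed by Base64 that
# starts with Tz, Qz or YT, i.e. Base64 of the PHP serialization prefixes
# "O:" (object), "C:" (custom-serialized object) and "a:" (array).
SUSPICIOUS = re.compile(r"CacheWarmer:(Tz|Qz|YT)")

# Assumption: the access log was configured to append the Cookie request
# header as cookie="..." (default formats do not record it).
COOKIE_FIELD = re.compile(r'cookie="([^"]*)"')

# Constructed sample lines; IPs are documentation ranges, the Base64 decodes to
# an empty stdClass object and an empty array, and "abc123" is a placeholder.
SAMPLE_LOG = [
    '192.0.2.10 "GET / HTTP/1.1" 200 cookie="-"',
    '192.0.2.11 "GET /cart HTTP/1.1" 200 cookie="PHPSESSID=aa11; CacheWarmer=abc123"',
    '198.51.100.7 "GET / HTTP/1.1" 200 cookie="CacheWarmer=CacheWarmer:Tzo4OiJzdGRDbGFzcyI6MDp7fQ=="',
    '203.0.113.9 "GET / HTTP/1.1" 200 cookie="a=b; CacheWarmer=CacheWarmer%3AYTowOnt9"',
]


def cache_warmer_values(cookie_header):
    """Yield the URL-decoded value of every cookie named CacheWarmer."""
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name == "CacheWarmer":
            yield unquote(value)  # clients may send ':' as %3A


def scan(lines):
    """Return (line number, client address) for each line matching the pattern."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        field = COOKIE_FIELD.search(line)
        if field is None:
            continue
        if any(SUSPICIOUS.search(v) for v in cache_warmer_values(field.group(1))):
            hits.append((lineno, line.split()[0]))
    return hits


if __name__ == "__main__":
    for lineno, client in scan(SAMPLE_LOG):
        print(f"line {lineno}: suspicious CacheWarmer cookie from {client}")
```

To audit real logs, pass an open file object to scan(); the URL-decoding step matters because a rule that looks only for a literal colon misses values sent as %3A.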
The addition of CVE-2026-45247 to the CISA KEV catalog less than ten days after the patch was released underscores how quickly attackers weaponize critical vulnerabilities in e-commerce components. Magento store owners using the Mirasvit Cache Warmer extension should treat updating to version 1.11.12 as a top-priority task—every day of delay means the store remains open to unauthenticated arbitrary code execution.