The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability affecting the Mirasvit Cache Warmer Magento extension to its Known Exploited Vulnerabilities (KEV) catalog. The move comes after reports of attackers actively exploiting the flaw, tracked as CVE-2026-45247, in the wild, posing a significant risk to e-commerce websites built on the Magento platform.
The vulnerability, which carries a severe CVSS score of 9.8, allows unauthenticated attackers to execute arbitrary PHP code on affected servers. CISA has mandated that Federal Civilian Executive Branch agencies apply patches by June 6, 2026, highlighting the immediate threat this Magento security issue presents.
Critical Magento Cache Warmer Vulnerability Actively Exploited
Mirasvit’s Full Page Cache Warmer extension contains a critical deserialization of untrusted data vulnerability. According to CISA, this flaw could enable unauthenticated attackers to achieve remote code execution by sending a specially crafted serialized PHP object within the CacheWarmer cookie. This opens the door for potentially devastating attacks on online stores.
The vulnerability impacts all versions of the Mirasvit Cache Warmer extension released before version 1.11.12. Developers released patches for the specific Magento security issue on May 25, 2026, urging all users to update immediately.
Technical Details of the Attack
Security researchers at Sansec first identified the vulnerability, noting that it could be triggered through any storefront request that includes a malicious CacheWarmer cookie. The extension’s reliance on PHP’s native `unserialize()` function to process parts of the cookie value without proper validation is the root cause. This process, known as PHP object injection (CWE-502), allows attackers to control the objects that PHP reconstructs.
“Combined with a gadget chain from classes that Magento and its dependencies already ship, object injection escalates to remote code execution,” Sansec explained in a recent report. A gadget chain refers to a sequence of existing code snippets within the application that can be chained together to achieve a malicious outcome. This means attackers don’t need to introduce new malicious code but can leverage existing components.
Widespread Impact and Targeted Attacks
Sansec estimated that approximately 6,000 online stores were running Mirasvit extensions, although the actual number is likely higher due to the obfuscation provided by content delivery networks (CDNs) like Cloudflare. Thales-owned Imperva has since confirmed observing active attack campaigns targeting CVE-2026-45247.
The observed payloads use base64-encoded serialized objects designed to exploit the PHP object deserialization flaw and achieve remote code execution. Attackers are attempting to invoke functions such as `system()` and `current()` to execute arbitrary commands on the server. In several instances, malicious actors used test commands to verify successful code execution, indicating a deliberate effort to confirm the exploit’s viability.
The attacks have primarily targeted gaming and business websites, with the United States, the United Kingdom, France, and Australia being the most frequently affected countries. The identity of the attackers remains unknown, but their apparent objective is to identify vulnerable Magento environments and confirm the possibility of remote code execution, likely as a prelude to more damaging attacks.
Mitigation and Detection Strategies
To combat this threat, CISA has mandated that Federal Civilian Executive Branch agencies implement the necessary patches by June 6, 2026. Beyond official mandates, website owners are advised to actively audit their storefront requests for suspicious activity. Specifically, they should look for CacheWarmer cookies whose values start with the marker “CacheWarmer:” followed by a Base64-encoded string.
“Serialized PHP objects base64-encode to values starting with Tz, Qz or YT, so a CacheWarmer cookie value matching CacheWarmer:(Tz|Qz|YT) is a strong indicator of an exploitation attempt,” Sansec advised. This detection method provides a clear indicator for administrators to identify potential compromises and investigate further.
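The indicator quoted above, applied to request logs, as an added example that is not code from Sansec, CISA or Mirasvit. It assumes a hypothetical tab-separated log layout (timestamp, client, request line, raw Cookie header), since cookies are not part of default access-log formats; the function names and sample lines are constructed for illustration.

```python
import base64
import re
from urllib.parse import unquote

# Indicator quoted in the article: marker, then base64 starting Tz, Qz or YT.
INDICATOR = re.compile(r"^CacheWarmer:(Tz|Qz|YT)")
# Those prefixes are the base64 of serialized PHP data that begins with
# "O:" (object), "C:" (Serializable object) or "a:" (array).
PHP_TYPES = {"Tz": "O: object", "Qz": "C: custom object", "YT": "a: array"}

def cachewarmer_value(cookie_header):
    """Return the URL-decoded CacheWarmer cookie value, or None if absent."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "CacheWarmer":
            return unquote(value)  # the ':' may be logged as %3A
    return None

def scan(lines):
    """Yield (timestamp, client, php_type) for lines matching the indicator."""
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 4:
            continue  # not in the assumed four-field layout
        ts, client, _request, cookies = fields
        value = cachewarmer_value(cookies)
        match = INDICATOR.match(value) if value else None
        if match:
            yield ts, client, PHP_TYPES[match.group(1)]

def b64(raw):
    return base64.b64encode(raw).decode()

# Constructed sample log (assumed layout: time, client, request, Cookie header).
# The flagged values are harmless empty structures, not payloads.
SAMPLE_LOG = [
    "2026-05-27T10:00:01Z\t192.0.2.10\tGET / HTTP/1.1\tPHPSESSID=abc; form_key=xyz",
    "2026-05-27T10:00:02Z\t198.51.100.7\tGET / HTTP/1.1\t"
    "CacheWarmer=CacheWarmer:" + b64(b'O:8:"stdClass":0:{}'),
    "2026-05-27T10:00:03Z\t203.0.113.5\tGET /cart HTTP/1.1\t"
    "PHPSESSID=q; CacheWarmer=CacheWarmer%3A" + b64(b"a:0:{}"),
    "2026-05-27T10:00:04Z\t192.0.2.11\tGET / HTTP/1.1\t"
    "CacheWarmer=CacheWarmer:" + b64(b"plain-text"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit, sep="  ")
```

A match shows that a request carried serialized PHP data in the cookie, not that the server was compromised, so hits should be correlated with the installed extension version.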
The ongoing exploitation of this critical Magento security vulnerability underscores the importance of diligent patch management and continuous security monitoring for e-commerce platforms. Further details on the exploit and its ongoing analysis are expected as security researchers continue to track the threat actors and their evolving tactics.

