The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical Magento extension flaw, tracked as CVE-2026-45247 (CVSS 9.8), to its Known Exploited Vulnerabilities (KEV) catalog after reports of active exploitation. The weakness affects Mirasvit Cache Warmer, a full-page cache extension for Magento, and allows unauthenticated remote code execution through PHP object deserialization.
"Mirasvit Full Page Cache Warmer contains a deserialization of untrusted data vulnerability that could allow unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie," CISA said.
CVE-2026-45247: deserialization, affected versions and patch timing
The vulnerability is a case of deserialization of untrusted data that can be abused to execute arbitrary PHP code on the web server. According to CISA's advisory, an attacker supplies a crafted serialized PHP object in the CacheWarmer cookie, and the extension passes part of that cookie value to PHP's native unserialize() function. No authentication or admin privileges are required: any client that can attach a cookie to a storefront request can reach the vulnerable code path.
The shortcoming impacts all versions of Mirasvit Cache Warmer prior to version 1.11.12. Patches for the flaw were released on May 25, 2026.
Sansec analysis: PHP object injection, gadget chains, and scale
Dutch security firm Sansec characterized the issue as PHP object injection (CWE-502) and noted that any storefront request carrying a crafted CacheWarmer cookie can trigger the flaw: because "that value comes straight from the client, an attacker controls the objects PHP reconstructs."
Sansec explained that object injection combined with "a gadget chain from classes that Magento and its dependencies already ship" can escalate to remote code execution. The company identified about 6,000 stores running Mirasvit extensions, while noting the actual number is likely higher because content delivery networks such as Cloudflare can mask installs.
Imperva observations: payloads, targeted sectors and countries
Thales-owned Imperva reported it has observed active attack activity attempting to exploit CVE-2026-45247 by delivering serialized PHP object payloads in malicious HTTP requests. According to Imperva, "Observed payloads contain base64-encoded serialized objects designed to trigger PHP Object Deserialization and achieve remote code execution through commonly abused gadget chains."
Imperva said the payloads attempt to invoke functions such as system() and current() to execute arbitrary commands on the underlying server, and that in several observed cases attackers used test commands designed to validate successful code execution. The activity has primarily targeted gaming and business sites, with the United States, the United Kingdom, France, and Australia emerging as the most targeted countries. It is currently not known who is behind the exploitation efforts; the apparent end goal so far has been to identify vulnerable Magento environments and confirm that remote code execution is possible.
FCEB remediation order and detection guidance
Because of active exploitation, Federal Civilian Executive Branch (FCEB) agencies were ordered to apply the fixes by June 6, 2026. For site owners and defenders, the detection guidance is concrete: audit storefront requests for a CacheWarmer cookie whose value contains the marker "CacheWarmer:" followed by a Base64-encoded string.
Sansec added a specific pattern to watch for: "Serialized PHP objects base64-encode to values starting with Tz, Qz or YT, so a CacheWarmer cookie value matching CacheWarmer:(Tz|Qz|YT) is a strong indicator of an exploitation attempt."
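The indicator above, put to work. The following is an added example and not code from Sansec, Imperva, CISA or Mirasvit: a small Python scanner that parses Cookie headers from constructed sample requests, applies the published CacheWarmer:(Tz|Qz|YT) pattern, and base64-decodes each match so the analyst sees the serialized PHP type (and the class name for O: records) rather than a bare regex hit. The base64_prefix() helper also shows why those three prefixes are the right ones for the deserialization described earlier: base64 turns the serialized type markers "O:", "C:" and "a:" into "Tz", "Qz" and "YT" regardless of what follows. The request records, the cookie contents and the stdClass placeholder payload are all constructed for illustration; the extension's legitimate cookie format is not described on this page, and nothing here is a gadget chain.

```python
"""Triage CacheWarmer cookies for base64-encoded serialized PHP payloads.

Added example, not code from Sansec, Imperva, CISA or Mirasvit. It applies the
published indicator (a CacheWarmer cookie value matching CacheWarmer:(Tz|Qz|YT))
to constructed sample requests and decodes each match so the analyst sees the
PHP type behind the prefix instead of a bare regex hit.
"""
import base64
import re
from typing import Optional
from urllib.parse import quote, unquote

# Serialized PHP values start with a type marker. These three let a client
# choose which objects unserialize() reconstructs: directly (O:), through a
# class with custom unserialize handling (C:), or wrapped in an array (a:).
TYPE_MARKERS = {"O:": "object", "C:": "custom-serialized object", "a:": "array"}

# Sansec's indicator, as published.
INDICATOR = re.compile(r"CacheWarmer:(Tz|Qz|YT)")

# Head of an O: record: O:<name length>:"<class>":<property count>:{
OBJECT_HEAD = re.compile(r'^O:(\d+):"([^"]*)":(\d+):\{')


def base64_prefix(marker: str) -> str:
    """First two base64 characters of any payload that begins with `marker`.

    base64 maps 3 input bytes to 4 output characters, and the first two
    characters depend only on the first byte plus the high nibble of the
    second. So "O:" always encodes to "Tz...", "C:" to "Qz..." and "a:" to
    "YT...", whatever the rest of the payload contains.
    """
    return base64.b64encode(marker.encode()).decode()[:2]


def parse_cookie_header(header: str) -> dict:
    """Split a raw Cookie header into name -> percent-decoded value."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = unquote(value.strip())
    return cookies


def inspect_cache_warmer(value: str) -> Optional[dict]:
    """Return a finding for a CacheWarmer value matching the indicator, else None.

    The base64 after the marker is decoded and classified by its PHP type
    marker; for O: records the class name is extracted when its declared
    length is consistent. A prefix match that does not decode to a known
    marker is still reported, as "prefix-only", for manual review.
    """
    m = INDICATOR.search(value)
    if m is None:
        return None
    finding = {"prefix": m.group(1), "kind": "prefix-only", "class": None, "decoded": None}
    b64 = value[m.end() - 2:]                        # from Tz/Qz/YT onward
    try:
        raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    except ValueError:                               # binascii.Error is a ValueError
        return finding
    decoded = raw.decode("latin-1")                  # byte-preserving, never fails
    finding["decoded"] = decoded
    for marker, kind in TYPE_MARKERS.items():
        if decoded.startswith(marker):
            finding["kind"] = kind
            break
    head = OBJECT_HEAD.match(decoded)
    if head and int(head.group(1)) == len(head.group(2)):
        finding["class"] = head.group(2)
    return finding


def scan_requests(requests: list) -> list:
    """Apply the indicator to request records shaped like {"path", "cookie"}."""
    hits = []
    for req in requests:
        value = parse_cookie_header(req.get("cookie", "")).get("CacheWarmer")
        if value is None:
            continue
        finding = inspect_cache_warmer(value)
        if finding is not None:
            finding["path"] = req["path"]
            hits.append(finding)
    return hits


def b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed sample traffic (not captured data). stdClass is a harmless
# placeholder for whatever class a real gadget chain would name.
PLACEHOLDER_OBJECT = 'O:8:"stdClass":0:{}'
SAMPLE_REQUESTS = [
    # object sent directly: value begins CacheWarmer:Tz...
    {"path": "/", "cookie": "PHPSESSID=abc123; CacheWarmer=CacheWarmer:" + b64(PLACEHOLDER_OBJECT)},
    # object wrapped in an array and percent-encoded as a client might send it: YT...
    {"path": "/catalog/category/view/id/3",
     "cookie": "CacheWarmer=" + quote("CacheWarmer:" + b64("a:1:{i:0;" + PLACEHOLDER_OBJECT + "}"))},
    # no CacheWarmer cookie at all
    {"path": "/checkout/cart", "cookie": "PHPSESSID=def456; form_key=k9"},
    # constructed non-object value ("1" encodes to MQ==): prefix does not match
    {"path": "/", "cookie": "CacheWarmer=CacheWarmer:" + b64("1")},
]

if __name__ == "__main__":
    for marker in TYPE_MARKERS:
        print(f"{marker!r:5} -> base64 prefix {base64_prefix(marker)}")
    for hit in scan_requests(SAMPLE_REQUESTS):
        print(f"{hit['path']}: {hit['prefix']} -> {hit['kind']}, class={hit['class']}")
```

Two practical points the code reflects. Cookie values are often percent-encoded in transit, so decode them before matching or the ":" and "=" characters will hide the marker and the padding. And a "YT" (array) match is not a lower-severity hit than "Tz": an array can carry objects inside it, which is why the decoded payload, not just the prefix, is what an analyst should look at.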
What this means for Magento site owners and security teams
- Apply the patch: Sites running Mirasvit Cache Warmer at versions prior to 1.11.12 should install the May 25, 2026 fixes immediately to eliminate the deserialization vector.
- Audit logs and cookies: Review storefront requests for CacheWarmer cookies with Base64 payloads and the Tz/Qz/YT prefixes identified by Sansec to detect likely exploitation attempts.
- Investigate suspicious commands: If a decoded payload references system() or another command-execution function, treat the request as an attempted, and possibly successful, remote code execution and follow incident response procedures rather than simply blocking the source.
The KEV listing, reported exploit telemetry from Sansec and Imperva, and the FCEB remediation order together signal a narrow but urgent window for defenders: patches are available, exploitation is observable, and the attacker activity so far appears aimed at discovering and validating remote code execution rather than executing a single, uniform mission. Who is exploiting these storefronts and whether attacks will escalate beyond reconnaissance-style validation remains an open question.
Original reporting: https://thehackernews.com/2026/06/cisa-adds-exploited-magento-rce-flaw.html