CISA adds Magento Cache Warmer RCE CVE-2026-45247 to KEV
CISA added CVE-2026-45247, a PHP object deserialization RCE in Mirasvit Cache Warmer for Magento (versions before 1.11.12), to its KEV catalog after active exploitation.
The U.S. Cybersecurity and Infrastructure Security Agency added CVE-2026-45247 to its Known Exploited Vulnerabilities catalog on June 3, 2026, after reports of active exploitation. The flaw is a PHP object deserialization remote code execution vulnerability in the Mirasvit Cache Warmer extension for Magento, affecting versions prior to 1.11.12. It carries a CVSS score of 9.8.
The vulnerability occurs when the extension unserializes part of a CacheWarmer cookie value using PHP’s native unserialize() function. An unauthenticated attacker can supply a crafted serialized object in that cookie to reconstruct objects on the server and trigger code execution. Patches addressing the issue were released on May 25, 2026. Federal Civilian Executive Branch agencies were directed to apply fixes by June 6, 2026.
Dutch security firm Sansec reported that any storefront request carrying a crafted CacheWarmer cookie can trigger the flaw and estimated about 6,000 online stores run Mirasvit extensions, though content delivery networks can mask installations. Sansec wrote, “Because that value comes straight from the client, an attacker controls the objects PHP reconstructs.” The company described the flaw as PHP object injection (CWE-502) and noted that gadget chains present in Magento and its dependencies can be used to escalate object reconstruction to remote code execution without authentication.
Thales-owned Imperva reported observing active attack traffic that delivered base64-encoded serialized objects in HTTP requests. Observed payloads attempted to invoke functions such as system() and current() to execute commands on affected servers. Attack activity has mainly targeted gaming and business storefronts, with the United States, the United Kingdom, France and Australia among the most affected countries. The identities of the attackers are unknown; observed activity appears focused on locating vulnerable Magento environments and confirming remote code execution capability.
Site operators are advised to upgrade Mirasvit Cache Warmer to version 1.11.12 or later immediately. Operators who cannot apply the patch should consider removing or disabling the extension and review web server logs and web application firewall alerts for suspicious storefront requests that carry CacheWarmer cookies. Sansec recommends auditing for CacheWarmer cookie values that start with the marker “CacheWarmer:” followed by a Base64-encoded string; serialized PHP objects encoded in Base64 commonly start with the characters Tz, Qz or YT, so a CacheWarmer value matching CacheWarmer:(Tz|Qz|YT) is a strong indicator of exploitation attempts.
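A small log-triage script for the indicator above, added here as an example (it is not Sansec's or Mirasvit's code). It assumes a web-server LogFormat whose last quoted field is the Cookie request header, percent-decodes cookie values before matching, and labels each hit by the PHP serialization prefix the Base64 decodes to; the log lines are constructed, not real traffic.

```python
import base64
import re
from urllib.parse import quote, unquote

# Sansec indicator: "CacheWarmer:" followed by Base64 starting Tz (base64 of "O:"),
# Qz ("C:") or YT ("a:"), i.e. a serialized PHP object, class or array.
SUSPECT_RE = re.compile(r"^CacheWarmer:(Tz|Qz|YT)")
PHP_PREFIXES = {b"O:": "php-object", b"C:": "php-class", b"a:": "php-array"}

def parse_cookie_header(header):
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}; values are percent-decoded."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = unquote(value.strip())
    return cookies

def classify_cachewarmer(value):
    """Label a CacheWarmer value that looks like serialized PHP, or None if benign."""
    if not SUSPECT_RE.match(value):
        return None
    b64 = value[len("CacheWarmer:"):]
    try:
        decoded = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    except ValueError:  # binascii.Error is a ValueError: bad padding or length
        return "php-serialized-undecodable"
    return PHP_PREFIXES.get(decoded[:2], "php-serialized-unknown")

def scan_log(lines):
    """Return (client_ip, label, value) for suspicious CacheWarmer cookies.
    Assumes (not a default) a LogFormat whose last quoted field is "%{Cookie}i"."""
    hits = []
    for line in lines:
        client_ip = line.split(" ", 1)[0]
        cookie_header = line.rsplit('"', 2)[1]  # last quoted field on the line
        value = parse_cookie_header(cookie_header).get("CacheWarmer")
        label = classify_cachewarmer(value) if value else None
        if label:
            hits.append((client_ip, label, value))
    return hits

# Constructed sample lines (not real traffic): a benign token, a serialized array,
# and a percent-encoded serialized (empty) object as a browser might send it.
BENIGN = "CacheWarmer:" + base64.b64encode(b"page-cache-token").decode()
ARRAY = "CacheWarmer:" + base64.b64encode(b'a:1:{s:1:"k";s:1:"v";}').decode()
OBJECT = "CacheWarmer:" + base64.b64encode(b'O:8:"stdClass":0:{}').decode()
SAMPLE_LOG = [
    f'198.51.100.7 - - [03/Jun/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "CacheWarmer={BENIGN}"',
    f'203.0.113.9 - - [03/Jun/2026:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 512 "PHPSESSID=x; CacheWarmer={ARRAY}"',
    f'203.0.113.9 - - [03/Jun/2026:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 512 "CacheWarmer={quote(OBJECT)}"',
]
```

Running `scan_log(SAMPLE_LOG)` flags the second and third lines only; a match on the marker alone is the trigger for review, while the decoded prefix tells an analyst whether the value is an object, class or array.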