The recent addition of a critical vulnerability impacting Mirasvit Cache Warmer, a popular Magento full-page cache extension, to the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog is a significant development in the cybersecurity landscape. This vulnerability, tracked as CVE-2026-45247, carries a CVSS score of 9.8, indicating its high severity. It stems from the deserialization of untrusted data, a flaw that could enable unauthenticated attackers to execute arbitrary PHP code on affected servers.
What makes this particular vulnerability concerning is the ease with which it can be exploited. According to CISA, the vulnerability exists in all versions of the Mirasvit Full Page Cache Warmer prior to version 1.11.12. Patches were released on May 25, 2026, but the damage may already be done. Sansec, a Dutch security company, has reported that the PHP object injection vulnerability can be exploited through any storefront request carrying a crafted CacheWarmer cookie, which then deserializes part of the cookie value with PHP's native unserialize() function without requiring any authentication or admin privileges.
The implications of this vulnerability are far-reaching. Sansec estimates that around 6,000 stores are running Mirasvit extensions, although the actual number is likely higher due to content delivery networks (CDNs) like Cloudflare masking installs. Thales-owned Imperva has observed active attack activity attempting to exploit CVE-2026-45247 through serialized PHP object payloads delivered via malicious HTTP requests. These payloads are designed to trigger PHP Object Deserialization and achieve remote code execution through commonly abused gadget chains, with attackers using test commands to validate successful code execution.
The targeted industries are primarily gaming and business sites, with the U.S., the U.K., France, and Australia emerging as the most targeted countries. The identity of the attackers remains unknown, but their goal appears to be to flag vulnerable Magento environments and confirm remote code execution is possible. This is a serious concern, as it could lead to significant data breaches and other security incidents.
In response to the active exploitation of this vulnerability, Federal Civilian Executive Branch (FCEB) agencies have been ordered to apply the fixes by June 6, 2026. Site owners are advised to audit for storefront requests that carry a CacheWarmer cookie whose value contains the marker 'CacheWarmer:' followed by a Base64-encoded string. Recognizing that serialized PHP objects base64-encode to values starting with 'Tz', 'Qz', or 'YT', a CacheWarmer cookie value matching 'CacheWarmer:(Tz|Qz|YT)' is a strong indicator of an exploitation attempt.
This incident highlights the ongoing challenge of keeping software secure in an increasingly interconnected world. It serves as a reminder that even popular and widely used extensions can have critical vulnerabilities that, if exploited, can have severe consequences. As such, it is crucial for organizations to stay vigilant, keep their software up to date, and implement robust security measures to protect their systems and data.
