The recent addition of a critical vulnerability impacting Mirasvit Cache Warmer, a popular Magento full-page cache extension, to the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog is a significant development in the cybersecurity landscape. This vulnerability, tracked as CVE-2026-45247, has a CVSS score of 9.8, indicating its high potential for exploitation. The issue lies in the deserialization of untrusted data, which can be exploited to execute arbitrary PHP code on affected servers. This is a serious concern, especially given the widespread use of Mirasvit Cache Warmer in Magento-based e-commerce platforms. The vulnerability affects all versions of the extension prior to version 1.11.12, and patches were released on May 25, 2026. The addition to the KEV catalog highlights the urgency of the situation, as it has already been reported in the wild. Sansec, a Dutch security company, identified approximately 6,000 stores running Mirasvit extensions, although the actual number is likely higher due to content delivery networks (CDNs) like Cloudflare masking installs. Thales-owned Imperva has observed active attack activity attempting to exploit CVE-2026-45247 through serialized PHP object payloads delivered via malicious HTTP requests. These payloads are designed to trigger PHP Object Deserialization and achieve remote code execution through commonly abused gadget chains. The primary targets of these attacks have been gaming and business sites, with the U.S., the U.K., France, and Australia emerging as the most targeted countries. The end goal of these exploitation efforts appears to be to flag vulnerable Magento environments and confirm remote code execution is possible. In response to the active exploitation, Federal Civilian Executive Branch (FCEB) agencies have been ordered to apply the fixes by June 6, 2026. Site owners are advised to audit for storefront requests that carry a CacheWarmer cookie whose value contains the marker 'CacheWarmer:' followed by a Base64-encoded string. This is a strong indicator of an exploitation attempt, as serialized PHP objects base64-encode to values starting with 'Tz', 'Qz', or 'YT'. The addition of CVE-2026-45247 to the KEV catalog serves as a stark reminder of the importance of staying vigilant in the face of evolving cybersecurity threats. It underscores the need for organizations to promptly apply patches and conduct thorough security audits to mitigate the risk of exploitation. As the threat landscape continues to evolve, it is crucial for security professionals and organizations to remain proactive in their approach to cybersecurity, ensuring that they are prepared to defend against emerging threats and protect their systems and data.
