CVE-2026-45247: Magento RCE Flaw - CISA's KEV Catalog Update (2026)

CISA has added a critical vulnerability in Mirasvit Cache Warmer, a widely deployed full-page cache extension for Magento, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, tracked as CVE-2026-45247, carries a CVSS score of 9.8. It stems from deserialization of untrusted data and can be exploited to execute arbitrary PHP code on affected servers, which is why its inclusion in the KEV catalog matters to anyone running the extension.

The flaw affects Mirasvit Full Page Cache Warmer versions prior to 1.11.12; a fixed release was published on May 25, 2026. It can be triggered by any storefront request carrying a crafted CacheWarmer cookie: the extension base64-decodes part of the cookie value and passes it to PHP's native unserialize(), without requiring authentication or admin privileges. This is a classic case of PHP object injection (CWE-502, deserialization of untrusted data). Because the attacker controls the serialized stream, the attacker controls which classes PHP instantiates and what property values they receive, and any class in the application or its dependencies whose magic methods (__wakeup, __destruct, __toString) do something dangerous becomes a link in a gadget chain that ends in remote code execution.
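The pattern described above, reduced to a minimal handler, as an added illustration (this is not Mirasvit's code, and the cookie name, the "CacheWarmer:" marker, the field layout and the DemoSideEffect class are assumptions for the demo). The vulnerable version hands the decoded cookie to unserialize() as-is; the hardened version refuses to reconstruct any class and then validates the exact scalar shape it expects. DemoSideEffect stands in for a gadget: it only records that __wakeup ran, it executes nothing.

```php
<?php
// Added illustration, not Mirasvit's code. Requires PHP 8 or later.
declare(strict_types=1);

// Stand-in for a gadget class: any class with a magic method that runs on
// reconstruction or destruction is what PHP object injection abuses. This one
// only records that it was woken up.
final class DemoSideEffect
{
    public string $note = '';
    public function __wakeup(): void
    {
        $this->note = 'unserialize() reconstructed an attacker-chosen class';
    }
}

// Vulnerable pattern (CWE-502): the part of the cookie after the assumed
// marker is base64-decoded and passed straight to unserialize(), so any
// class named in the payload is instantiated with attacker-chosen properties.
function vulnerableParse(string $cookie): mixed
{
    $marker = 'CacheWarmer:';
    if (!str_starts_with($cookie, $marker)) {
        return null;
    }
    $raw = base64_decode(substr($cookie, strlen($marker)), true);
    if ($raw === false) {
        return null;
    }
    return unserialize($raw); // attacker controls the reconstructed objects
}

// Hardened pattern: allowed_classes => false turns every object token into
// __PHP_Incomplete_Class (no magic methods run), and the result is then
// checked against the assumed legitimate layout: a flat array of
// string => scalar settings. Anything else is rejected.
function hardenedParse(string $cookie): ?array
{
    $marker = 'CacheWarmer:';
    if (!str_starts_with($cookie, $marker)) {
        return null;
    }
    $raw = base64_decode(substr($cookie, strlen($marker)), true);
    if ($raw === false) {
        return null;
    }
    $data = unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return null;
    }
    foreach ($data as $key => $value) {
        // Rejects nested objects too: an incomplete class is not a scalar.
        if (!is_string($key) || !is_scalar($value)) {
            return null;
        }
    }
    return $data;
}

// Constructed inputs: a benign settings array (base64 starts with "YT")
// and a serialized object (base64 starts with "Tz"), the injection shape.
$benign        = base64_encode(serialize(['enabled' => true, 'pages' => 5]));
$objectPayload = base64_encode(serialize(new DemoSideEffect()));

$v = vulnerableParse('CacheWarmer:' . $objectPayload);
var_dump($v instanceof DemoSideEffect); // the class was rebuilt and __wakeup ran
echo $v->note, PHP_EOL;

var_dump(hardenedParse('CacheWarmer:' . $benign));        // settings array
var_dump(hardenedParse('CacheWarmer:' . $objectPayload)); // rejected
```

The allowed_classes option is the minimum change; the better fix is to keep serialized PHP out of cookies entirely and store the settings as JSON read back with json_decode(), which can only ever produce arrays and scalars, so there is no class to inject.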

Sansec, a Dutch e-commerce security company, has identified approximately 6,000 stores running Mirasvit extensions; the true number is likely higher, because content delivery networks (CDNs) such as Cloudflare hide installs from external fingerprinting. Thales-owned Imperva has observed active attack activity attempting to exploit CVE-2026-45247 with serialized PHP object payloads delivered in malicious HTTP requests. The payloads carry base64-encoded serialized objects intended to trigger deserialization and reach remote code execution through commonly abused gadget chains.

Targets observed so far include gaming and business sites, with the U.S., the U.K., France and Australia the most affected countries. The exploitation attempts appear aimed primarily at identifying vulnerable Magento environments and confirming that remote code execution is possible. In response, Federal Civilian Executive Branch (FCEB) agencies have been ordered to apply the fixes by June 6, 2026.

To detect exploitation attempts, site owners should audit storefront requests for a CacheWarmer cookie whose value contains the marker "CacheWarmer:" followed by a base64-encoded string. Serialized PHP data base64-encodes to a recognisable prefix: Tz for O: (an object), Qz for C: (a class with custom serialization) and YT for a: (an array, which can itself contain objects), so a cookie value of that shape is a strong indicator of an exploitation attempt. Auditing only shows whether someone has tried; upgrading to 1.11.12 or later is what closes the hole. The addition of CVE-2026-45247 to the KEV catalog is a reminder that web application vulnerabilities of this kind are exploited quickly once public, and that patching cannot wait for confirmation of compromise.
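The check above applied to a few constructed Cookie headers, as an added detection example (this is not code from the page's sources or from Mirasvit; the cookie name CacheWarmer, the marker and the sample headers are assumptions for the demo, and in practice the values would come from your own request logs or WAF export). It goes one step further than the prefix match: it base64-decodes the blob to confirm the serialization token and, for objects, surfaces the outermost class name for triage.

```php
<?php
// Added detection example, not from the page's sources. Requires PHP 8 or later.
declare(strict_types=1);

// Base64 prefix -> serialization token it encodes.
const SERIALIZED_PREFIXES = [
    'Tz' => 'O: object',
    'Qz' => 'C: custom-serialized class',
    'YT' => 'a: array',
];

/** Pull the (assumed) CacheWarmer cookie out of a raw Cookie header, or null if absent. */
function extractCacheWarmerCookie(string $cookieHeader): ?string
{
    foreach (explode(';', $cookieHeader) as $pair) {
        [$name, $value] = array_pad(explode('=', trim($pair), 2), 2, '');
        if ($name === 'CacheWarmer') {
            return urldecode($value);
        }
    }
    return null;
}

/**
 * Classify a cookie value. Returns ['verdict' => ..., 'detail' => ...] where
 * verdict is 'object-payload' (Tz/Qz), 'array-payload' (YT), 'marker-only'
 * (marker present but no serialized data behind it) or 'clean'.
 */
function classifyCacheWarmerValue(string $value): array
{
    $marker = 'CacheWarmer:';
    $pos = strpos($value, $marker);
    if ($pos === false) {
        return ['verdict' => 'clean', 'detail' => 'no marker'];
    }
    $blob   = substr($value, $pos + strlen($marker));
    $prefix = substr($blob, 0, 2);
    if (!isset(SERIALIZED_PREFIXES[$prefix])) {
        return ['verdict' => 'marker-only', 'detail' => 'marker without serialized prefix'];
    }
    // Confirm by decoding: a real payload starts with O:, C: or a:.
    $decoded = base64_decode($blob, true);
    if ($decoded === false || !preg_match('/^(O|C|a):/', $decoded)) {
        return ['verdict' => 'marker-only', 'detail' => 'prefix matched but decode check failed'];
    }
    // For objects, surface the outermost class name so triage can map it to a gadget.
    if (preg_match('/^[OC]:\d+:"([^"]+)"/', $decoded, $m)) {
        return ['verdict' => 'object-payload', 'detail' => 'outer class ' . $m[1]];
    }
    return ['verdict' => 'array-payload', 'detail' => SERIALIZED_PREFIXES[$prefix]];
}

// Constructed sample Cookie headers, one per request. stdClass is used as a
// harmless placeholder for whatever class a real payload would name.
$samples = [
    'PHPSESSID=abc123; CacheWarmer=' . rawurlencode('CacheWarmer:' . base64_encode('O:8:"stdClass":0:{}')),
    'CacheWarmer=' . rawurlencode('CacheWarmer:' . base64_encode(serialize(['a' => 1]))),
    'CacheWarmer=' . rawurlencode('CacheWarmer:hello'),
    'PHPSESSID=def456; form_key=xyz',
];

foreach ($samples as $i => $header) {
    $cookie = extractCacheWarmerCookie($header);
    $result = $cookie === null
        ? ['verdict' => 'clean', 'detail' => 'no CacheWarmer cookie']
        : classifyCacheWarmerValue($cookie);
    printf("request %d: %-15s %s\n", $i + 1, $result['verdict'], $result['detail']);
}
```

The four samples are built to exercise each branch: an object payload, an array payload, the marker with a non-serialized tail, and a request with no CacheWarmer cookie at all. Treat object-payload hits as the priority; array payloads should be compared against what the extension legitimately stores in that cookie on your own site before being escalated.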

Article information

Author: Geoffrey Lueilwitz

