The recent addition of a critical vulnerability impacting Mirasvit Cache Warmer, a popular Magento full-page cache extension, to the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog is a significant development in the cybersecurity landscape. This vulnerability, tracked as CVE-2026-45247, has a CVSS score of 9.8, indicating its high severity. It stems from the deserialization of untrusted data, which can be exploited to execute arbitrary PHP code on affected servers.
What makes this particular issue concerning is the ease with which it can be exploited. According to CISA, an unauthenticated attacker can achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. This vulnerability impacts all versions of the Mirasvit Full Page Cache Warmer prior to version 1.11.12, and patches were released on May 25, 2026. The potential for widespread impact is further emphasized by the fact that Sansec identified approximately 6,000 stores running Mirasvit extensions, although the actual number is likely higher due to content delivery networks (CDNs) like Cloudflare masking installs.
Thales-owned Imperva has observed active attack activity attempting to exploit CVE-2026-45247 through serialized PHP object payloads delivered via malicious HTTP requests. These payloads contain base64-encoded serialized objects designed to trigger PHP object deserialization and achieve remote code execution through commonly abused gadget chains. The primary targets of these attacks have been gaming and business sites in the U.S., the U.K., France, and Australia, with the end goal of flagging vulnerable Magento environments and confirming that remote code execution is possible.
The urgency of the situation is underscored by the recent directive from the Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by June 6, 2026. To detect potential exploitation efforts, site owners are advised to audit for storefront requests that carry a CacheWarmer cookie whose value contains the marker 'CacheWarmer:' followed by a Base64-encoded string. This is a strong indicator of an exploitation attempt, as serialized PHP objects base64-encode to values starting with 'Tz', 'Qz', or 'YT'.
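The audit described above can be run over access logs. The following is an added example, not code from CISA, Sansec, Imperva or Mirasvit; it assumes a log format that records the Cookie header in a `cookie="..."` field, and the function names and sample lines are constructed for illustration. It flags on the prefixes named above and returns the decoded bytes so an analyst can triage each hit.

```python
import base64
import re
from urllib.parse import quote, unquote

MARKER = "CacheWarmer:"                # marker named in the article
SUSPECT_PREFIXES = ("Tz", "Qz", "YT")  # base64 of "O:", "C:" and "a:"
COOKIE_RE = re.compile(r"(?:^|;\s*)CacheWarmer=([^;]*)")
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
LOG_COOKIE_RE = re.compile(r'cookie="([^"]*)"')  # assumed log field

def inspect_cookie_header(header):
    """Return decoded bytes if the CacheWarmer cookie matches the indicator, else None."""
    m = COOKIE_RE.search(header)
    if not m:
        return None
    value = unquote(m.group(1))        # cookie values may arrive percent-encoded
    _, found, tail = value.partition(MARKER)
    run = B64_RE.match(tail) if found else None
    if not run or not run.group(0).startswith(SUSPECT_PREFIXES):
        return None
    chunk = run.group(0)
    chunk = chunk[: len(chunk) // 4 * 4]  # drop a partial trailing 4-char group
    return base64.b64decode(chunk)        # shown to the analyst for triage

def scan(lines):
    """Return (line_number, decoded_preview) for every flagged log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_COOKIE_RE.search(line)
        decoded = inspect_cookie_header(m.group(1)) if m else None
        if decoded is not None:
            hits.append((n, decoded[:24]))
    return hits

def _b64(raw):
    return base64.b64encode(raw).decode()

# Constructed sample lines; the serialized values are inert (an empty object
# and an empty array), chosen only to exercise the prefix check.
SAMPLE_LOG = [
    '198.51.100.4 "GET / HTTP/1.1" 200 cookie="PHPSESSID=abc123"',
    '198.51.100.9 "GET / HTTP/1.1" 200 cookie="CacheWarmer=' + MARKER + _b64(b"warm-1") + '"',
    '203.0.113.7 "GET / HTTP/1.1" 200 cookie="a=1; CacheWarmer=' + MARKER + _b64(b'O:8:"stdClass":0:{}') + '"',
    '203.0.113.8 "GET / HTTP/1.1" 200 cookie="CacheWarmer=' + quote(MARKER + _b64(b"a:0:{}"), safe="") + '"',
]

if __name__ == "__main__":
    for lineno, preview in scan(SAMPLE_LOG):
        print(f"line {lineno}: suspicious CacheWarmer cookie, decodes to {preview!r}")
```

A hit shows that a request carried the indicator, not that the server was compromised; correlate flagged requests with the installed extension version and any follow-on activity from the same source.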
This incident highlights the ongoing challenge of staying ahead of emerging cybersecurity threats. It also underscores the importance of proactive measures such as regular software updates, security audits, and employee training to mitigate the risk of successful attacks. As the cybersecurity landscape continues to evolve, organizations must remain vigilant and adaptable to effectively defend against sophisticated threats.