Critical Magento RCE Flaw CVE-2026-45247 Exploited in the Wild: What You Need to Know (2026)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability, CVE-2026-45247, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw impacts Mirasvit Cache Warmer, a popular Magento full-page cache extension, and is considered a significant threat because it allows remote code execution.

What makes this issue particularly concerning is the ease with which it can be exploited. The vulnerability stems from the deserialization of untrusted data, allowing unauthenticated attackers to execute arbitrary PHP code on an affected server. This is a critical flaw, as it can be triggered by a simple crafted serialized PHP object in the CacheWarmer cookie, without requiring any authentication or admin privileges.

The impact of this vulnerability is far-reaching. It affects all versions of the Mirasvit Full Page Cache Warmer prior to version 1.11.12, and patches were released on May 25, 2026. However, the damage may already be done, as active exploitation has been observed in the wild. Security firm Sansec identified around 6,000 stores running Mirasvit extensions, but the actual number could be higher due to the masking of installs by content delivery networks (CDNs) like Cloudflare.

Thales-owned Imperva has reported active attack activity, with attackers using serialized PHP object payloads delivered via malicious HTTP requests to trigger PHP Object Deserialization and achieve remote code execution. The payloads attempt to invoke functions like system() and current() to execute arbitrary commands on the underlying server, with test commands used to validate successful code execution.

The targeted industries are primarily gaming and business sites, with the U.S., the U.K., France, and Australia emerging as the most affected countries. The identity of the attackers remains unknown, but the goal appears to be to identify vulnerable Magento environments and confirm the possibility of remote code execution.

In response to this threat, Federal Civilian Executive Branch (FCEB) agencies have been ordered to apply the fixes by June 6, 2026. Site owners are advised to audit for storefront requests carrying a CacheWarmer cookie with a specific marker, indicating a potential exploitation attempt. The use of base64-encoded serialized objects starting with 'Tz', 'Qz', or 'YT' in the CacheWarmer cookie value is a strong indicator of an attack.
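The audit described above can be scripted. The following is an added example, not code from Sansec, Imperva or Mirasvit. It assumes an access log whose last double-quoted field is the request's Cookie header (not a default log format) and that the cookie is named as the article writes it. The sample lines are constructed and carry inert values.

```python
import base64
import re
from urllib.parse import unquote

COOKIE_NAME = "cachewarmer"  # name as written in the article; wire casing is assumed
# Prefixes from the article: base64 of the PHP serialize() tags O:, C: and a:.
PREFIXES = ("Tz", "Qz", "YT")
SERIALIZED = re.compile(rb'^(?:[OC]:\d+:"|a:\d+:\{)')

def cookie_value(cookie_header, name=COOKIE_NAME):
    """Return the URL-decoded value of the named cookie, or None if absent."""
    for part in cookie_header.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep and key.strip().lower() == name:
            return unquote(value.strip())
    return None

def classify(value):
    """'serialized' if it decodes to serialize() data, 'prefix-only' if it only starts so."""
    if not value.startswith(PREFIXES):
        return None
    try:
        padded = value + "=" * (-len(value) % 4)  # tolerate stripped padding
        decoded = base64.b64decode(padded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "prefix-only"
    return "serialized" if SERIALIZED.match(decoded) else "prefix-only"

def audit(log_lines):
    """Return (line number, client, verdict) for each request worth reviewing."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        quoted = re.findall(r'"([^"]*)"', line)
        value = cookie_value(quoted[-1]) if quoted else None
        verdict = classify(value) if value else None
        if verdict:
            hits.append((number, line.split()[0], verdict))
    return hits

def b64(raw):
    return base64.b64encode(raw).decode()

# Constructed sample log lines; the encoded values are inert PHP data.
REQ = ' - - [01/Jun/2026:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" '
SAMPLE_LOG = [
    '203.0.113.5' + REQ + '"CacheWarmer=%s"' % b64(b'O:8:"stdClass":0:{}'),
    '203.0.113.6' + REQ + '"CacheWarmer=1; PHPSESSID=abc"',
    '198.51.100.7' + REQ + '"sid=abc; CacheWarmer=%s"' % b64(b'a:1:{s:1:"k";s:1:"v";}').replace("=", "%3D"),
    '192.0.2.9' + REQ + '"CacheWarmer=YTIz"',
]
```

A `serialized` verdict means the cookie decoded to PHP serialize() data and the request should be investigated; `prefix-only` means the two-character prefix matched but the decoded bytes did not, which is lower confidence.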

This incident underscores the importance of proactive cybersecurity measures and the need for organizations to stay vigilant. The addition of this vulnerability to the KEV catalog serves as a stark reminder of the ongoing battle against cyber threats and the necessity of timely patches and updates to safeguard sensitive data and systems.

Author: Rueben Jacobs
