The U.S. Cybersecurity and Infrastructure Security Agency on Wednesday added a critical flaw in the Mirasvit Cache Warmer Magento extension to its Known Exploited Vulnerabilities catalog after reports of active exploitation. The issue, tracked as CVE-2026-45247, has a CVSS score of 9.8 and can let attackers run arbitrary PHP code on affected servers.
KEY FACTS
- Bug type: A deserialization flaw in a Magento full-page cache extension.
- Affected versions: All versions before 1.11.12.
- Patch date: Fixes were released on May 25, 2026.
- Deadline: Federal civilian agencies must apply the fix by June 6, 2026.
A technical analysis by Sansec said the flaw can be triggered by any storefront request carrying a crafted CacheWarmer cookie. The analysis said the extension deserializes part of the cookie value with PHP’s unserialize() function without authentication or admin access.
That behavior can allow object injection, and the report said a gadget chain in Magento and its dependencies can turn the issue into remote code execution. Sansec estimated about 6,000 stores were running Mirasvit extensions, although the number may be higher because content delivery networks can hide installs.
Imperva said it has observed active attack activity using serialized PHP object payloads in malicious HTTP requests. The disclosure said some payloads were designed to invoke functions such as system() and current() to run commands on the server, and in several cases attackers used test commands to confirm code execution.
Researchers said the activity has mainly targeted gaming and business sites in the U.S., the U.K., France and Australia. The attackers have not been identified, and the apparent aim has been to find vulnerable Magento environments and verify that remote code execution is possible.
WHY IT MATTERS
The flaw affects a widely used ecommerce extension and has already been linked to active exploitation, which raises the risk of unauthorized access on exposed stores. Site owners are being advised to review traffic for suspicious CacheWarmer cookies and apply the available patch.
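As an added illustration of that traffic review (not code from Sansec, Imperva or Mirasvit), the Python sketch below flags request log lines whose CacheWarmer cookie carries a PHP serialized object token. It assumes the log records the Cookie header and that the value may be raw, URL-encoded or base64-encoded in segments; the article does not specify the cookie's encoding, and the log format, the `v1:` prefix and the sample lines are constructed.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# PHP serialize() object token: O:<len>:"Class":<count>:{ (C: for Serializable classes).
PHP_OBJECT = re.compile(rb'[OC]:\d+:"[^"]{1,255}":\d+:\{')
# Assumption: the log records the Cookie header somewhere on each line.
COOKIE = re.compile(r'CacheWarmer=([^;"\s]+)')

def decodings(value):
    """Yield the cookie value raw, URL-decoded, and with base64 segments decoded."""
    url = unquote(value)
    yield value.encode()
    yield url.encode()
    for chunk in re.split(r"[^A-Za-z0-9+/=_-]+", url):
        if len(chunk) < 12:
            continue
        std = chunk.rstrip("=").replace("-", "+").replace("_", "/")
        try:
            yield base64.b64decode(std + "=" * (-len(std) % 4))
        except (binascii.Error, ValueError):
            continue

def suspicious_cookie(value):
    """Return the first serialized-object token found in any decoding, else None."""
    for data in decodings(value):
        hit = PHP_OBJECT.search(data)
        if hit:
            return hit.group().decode("latin-1")
    return None

def scan(lines):
    """Return (line_number, token) for each flagged CacheWarmer cookie."""
    return [(n, tok) for n, line in enumerate(lines, 1)
            for value in COOKIE.findall(line)
            if (tok := suspicious_cookie(value))]

# Constructed sample lines; the object is an inert stdClass, not an exploit payload.
INERT = b'O:8:"stdClass":0:{}'
SAMPLE = [
    '203.0.113.5 "GET / HTTP/1.1" 200 cookie="PHPSESSID=abc; CacheWarmer=1"',
    '203.0.113.9 "GET / HTTP/1.1" 200 cookie="CacheWarmer=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"',
    f'203.0.113.9 "GET / HTTP/1.1" 200 cookie="CacheWarmer=v1:{base64.b64encode(INERT).decode()}"',
]

if __name__ == "__main__":
    for n, tok in scan(SAMPLE):
        print(f"line {n}: serialized PHP object in CacheWarmer cookie: {tok}")
```

A hit is a lead for investigation rather than proof of compromise, and web servers commonly do not log cookies by default, so the same check may need to run at a WAF or reverse proxy that sees the header.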

