Critical Magento RCE Flaw CVE-2026-45247 Exploited in the Wild: What You Need to Know (2026)

The recent addition of CVE-2026-45247, a critical vulnerability in Mirasvit Cache Warmer, to CISA's Known Exploited Vulnerabilities (KEV) catalog has raised significant concerns in the cybersecurity community. This flaw, with a CVSS score of 9.8, poses a severe risk to Magento-based websites, particularly those using the Mirasvit Full Page Cache Warmer extension. The vulnerability lies in the deserialization of untrusted data, allowing unauthenticated attackers to execute arbitrary PHP code on affected servers.

What makes this issue particularly alarming is the ease with which it can be exploited. By crafting a serialized PHP object within the CacheWarmer cookie, attackers can bypass authentication and execute code remotely. This is a classic case of PHP object injection, where the attacker controls the objects PHP reconstructs, leading to remote code execution. The fact that this vulnerability affects all versions prior to 1.11.12 further exacerbates the problem, as many websites may still be vulnerable.

The impact of this flaw is not limited to Magento stores alone. Sansec, a Dutch security company, identified around 6,000 stores running Mirasvit extensions, but the actual number is likely higher due to content delivery networks (CDNs) like Cloudflare masking installations. This widespread use of the extension makes it a prime target for attackers, who are primarily focusing on gaming and business sites in the U.S., U.K., France, and Australia.

What's more, the exploitation efforts seem to be aimed at confirming remote code execution in vulnerable Magento environments. This raises a deeper question about the motivations behind such attacks. Are they simply testing the waters, or is there a more sinister agenda at play? The fact that the Federal Civilian Executive Branch (FCEB) agencies have been ordered to apply fixes by June 6, 2026, suggests that the threat is taken seriously.

To detect potential exploitation attempts, site owners are advised to audit for storefront requests carrying a CacheWarmer cookie whose value contains the marker 'CacheWarmer:' followed by a Base64-encoded string. This is a strong indicator of an exploitation attempt, as Base64-encoded serialized PHP data typically starts with 'Tz', 'Qz', or 'YT' (the Base64 encodings of the serialization prefixes 'O:', 'C:', and 'a:').
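The audit described above can be run over access logs with a short script. This is an added example, not code from Sansec, Mirasvit or CISA. It assumes the web server logs the Cookie header as a final quoted field (most default log formats do not), and it goes one step beyond the prefix check by decoding the first four Base64 characters to confirm the value really begins with 'O:', 'C:' or 'a:'. The log lines and function names are constructed for illustration.

```python
import base64
import re
from urllib.parse import unquote

MARKER = "CacheWarmer:"
# Base64 encodings of the PHP serialization prefixes "O:", "C:" and "a:".
B64_PREFIXES = ("Tz", "Qz", "YT")
# Assumption: the Cookie header is logged, so "CacheWarmer=<value>" appears in each line.
COOKIE_RE = re.compile(r'(?<![\w-])CacheWarmer=([^;\s"]+)')

def serialized_prefix(cookie_value):
    """Return "O:", "C:" or "a:" if the cookie value matches the indicator, else None."""
    value = unquote(cookie_value)  # ':' may arrive percent-encoded as %3A
    _, marker, b64 = value.partition(MARKER)
    if not marker or not b64.startswith(B64_PREFIXES):
        return None
    try:
        # Decode only the first Base64 quantum; the payload is never unserialized.
        head = base64.b64decode(b64[:4].ljust(4, "="))
    except ValueError:  # bad padding or non-ASCII input
        return None
    text = head[:2].decode("latin-1")
    return text if text in ("O:", "C:", "a:") else None

def scan(lines):
    """Return (line_number, client_ip, prefix) for every request with a matching cookie."""
    hits = []
    for number, line in enumerate(lines, 1):
        for value in COOKIE_RE.findall(line):
            prefix = serialized_prefix(value)
            if prefix:
                hits.append((number, line.split(" ", 1)[0], prefix))
    return hits

def b64(raw):
    return base64.b64encode(raw).decode()

# Constructed sample lines (documentation IPs, harmless payloads), not real traffic.
REQ = '- - [01/Jun/2026:10:00:00 +0000] "GET / HTTP/1.1" 200 512'
SAMPLE_LOG = [
    f'203.0.113.7 {REQ} "PHPSESSID=a1; CacheWarmer=CacheWarmer:' + b64(b'O:8:"stdClass":0:{}') + '"',
    f'198.51.100.4 {REQ} "CacheWarmer=CacheWarmer%3A' + b64(b"a:1:{i:0;i:1;}") + '"',
    f'192.0.2.9 {REQ} "CacheWarmer=CacheWarmer:' + b64(b'{"id":1}') + '"',
    f'192.0.2.10 {REQ} "PHPSESSID=b2"',
]

if __name__ == "__main__":
    for number, ip, prefix in scan(SAMPLE_LOG):
        print(f"line {number}: {ip} sent a CacheWarmer cookie decoding to {prefix!r}")
```

A hit shows that a request carried the indicator, not that the server was compromised; whether the installed extension is older than 1.11.12 decides if the request could have succeeded.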

In my opinion, this incident highlights the ongoing battle between attackers and defenders in the cybersecurity realm. While patches have been released, the speed at which vulnerabilities are discovered and exploited underscores the need for proactive measures. Organizations must stay vigilant, keep their systems updated, and invest in robust security practices to mitigate such risks. The addition of CVE-2026-45247 to the KEV catalog serves as a stark reminder of the ever-evolving nature of cyber threats and the importance of staying one step ahead.

Author: Edmund Hettinger DC
