CVE-2026-45247: Magento RCE Flaw - Mirasvit Cache Warmer Vulnerability Explained (2026)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Mirasvit Cache Warmer, a popular Magento full-page cache extension, to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, tracked as CVE-2026-45247, carries a CVSS score of 9.8. It stems from the deserialization of untrusted data: an unauthenticated attacker can achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie, which results in arbitrary PHP code running on the affected server. The vulnerability impacts all versions of the extension prior to version 1.11.12, and patches were released on May 25, 2026.

The addition of CVE-2026-45247 to the KEV catalog comes amidst reports of active exploitation in the wild. Sansec, a Dutch security company, identified approximately 6,000 stores running Mirasvit extensions, although the exact number is likely higher because content delivery networks (CDNs) like Cloudflare mask installs. Thales-owned Imperva has also observed active attack activity attempting to exploit CVE-2026-45247 through serialized PHP object payloads delivered via malicious HTTP requests. These payloads contain Base64-encoded serialized objects designed to trigger PHP object deserialization and achieve remote code execution through commonly abused gadget chains. The activity has primarily targeted gaming and business sites in the U.S., the U.K., France, and Australia, with the end goal of flagging vulnerable Magento environments and confirming that remote code execution is possible.

In response to the active exploitation, Federal Civilian Executive Branch (FCEB) agencies have been ordered to apply the fixes by June 6, 2026.

Site owners are advised to audit for storefront requests that carry a CacheWarmer cookie whose value contains the marker 'CacheWarmer:' followed by a Base64-encoded string, as this is a strong indicator of an exploitation attempt. The incident highlights the importance of staying vigilant and addressing vulnerabilities proactively to prevent security and data breaches.
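
One way to run the audit described above over access logs, as an added example that is not from the original article or from Mirasvit. It assumes the web server has been configured to log the Cookie header as the last double-quoted field of each line; the sample lines, IP addresses and the harmless empty-object value are constructed, and the `serialized_php` flag is a heuristic added here.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote

MARKER = "CacheWarmer:"                       # marker named in the advisory text
B64_RE = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")
# Heuristic: PHP serialize() output for objects/arrays starts with O:/C:/a:
PHP_SERIALIZED_RE = re.compile(rb'^(?:[OC]:\d+:"|a:\d+:\{)')

def cookie_header(line):
    """Assumption: the Cookie header is logged as the last double-quoted field."""
    fields = re.findall(r'"([^"]*)"', line)
    return fields[-1] if fields else ""

def inspect_line(line):
    """Return a finding dict for a suspicious CacheWarmer cookie, else None."""
    for part in cookie_header(line).split(";"):
        name, sep, value = part.strip().partition("=")
        if not sep or name != "CacheWarmer":
            continue
        value = unquote(value)                # ':' and '=' may be percent-encoded
        idx = value.find(MARKER)
        match = B64_RE.match(value, idx + len(MARKER)) if idx >= 0 else None
        if not match:
            continue
        blob = match.group(0)
        try:
            decoded = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        except (binascii.Error, ValueError):
            continue                          # not decodable Base64: ignore
        return {"client": line.split(" ", 1)[0],
                "serialized_php": bool(PHP_SERIALIZED_RE.match(decoded))}
    return None

def scan(lines):
    """Return the findings for every line that carries the indicator."""
    return [f for f in map(inspect_line, lines) if f]

def sample_lines():
    """Constructed log lines: documentation IPs, harmless empty-object value."""
    b64 = base64.b64encode(b'O:8:"stdClass":0:{}').decode()
    fmt = '{ip} - - [01/Jun/2026:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.0" "{c}"'
    return [
        fmt.format(ip="198.51.100.7", c="PHPSESSID=a; CacheWarmer=CacheWarmer%3A" + quote(b64)),
        fmt.format(ip="198.51.100.8", c="PHPSESSID=b; CacheWarmer=CacheWarmer:" + b64),
        fmt.format(ip="203.0.113.5", c="PHPSESSID=c"),
    ]

if __name__ == "__main__":
    for finding in scan(sample_lines()):
        print(finding)
```

A hit on a store still running a version prior to 1.11.12 warrants incident response rather than just patching, since the request may have already executed code.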


Author: Jeremiah Abshire
