Critical Magento RCE CVE-2026-45247 in Mirasvit Cache Warmer exploited within days; CISA adds to KEV June 3
CISA added CVE-2026-45247 to its Known Exploited Vulnerabilities catalog on June 3, 2026, a critical (CVSS 9.8) PHP object-injection / deserialization-of-untrusted-data flaw in the Mirasvit Full Page Cache Warmer extensi.
At a glance
- CVE-2026-45247 added to CISA KEV June 3, 2026; CVSS 9.8; PHP object injection / deserialization of untrusted data
- Affects Mirasvit Full Page Cache Warmer for Magento 2 (Adobe Commerce), all versions prior to 1.11.12
- Unauthenticated RCE via crafted serialized PHP object in 'CacheWarmer' cookie, deserialized without class restrictions
- Patches shipped around May 25, 2026; public disclosure on/around May 26
- Imperva observed active exploitation with base64-encoded serialized payloads; most-targeted countries US, UK, France, Australia; primarily gaming and business websites
VERDICT — CONFIRMED
CISA added CVE-2026-45247 to its Known Exploited Vulnerabilities catalog on June 3, 2026, a critical (CVSS 9.8) PHP object-injection / deserialization-of-untrusted-data flaw in the Mirasvit Full Page Cache Warmer extension for Magento 2 (Adobe Commerce). Unauthenticated attackers can achieve remote code execution by supplying a crafted serialized PHP object inside the 'CacheWarmer' cookie, which is deserialized without class restrictions, enabling gadget-chain exploitation to arbitrary PHP execution on the server. The vulnerability affects all extension versions prior to 1.11.12; Mirasvit shipped patches around May 25, 2026, and the flaw was publicly disclosed on/around May 26.
Imperva reported it began observing active exploitation shortly after disclosure, with payloads carrying base64-encoded serialized objects; the most-targeted countries were the U.S., U.K., France and Australia, hitting primarily gaming and business websites. CISA set a federal remediation deadline of June 6, 2026 under BOD 22-01's three-day clock. The story matters because Magento/Adobe Commerce storefronts are perennial Magecart and card-skimming targets, and an unauthenticated, cookie-delivered RCE gives attackers a direct path to inject payment-card skimmers, web shells, or backdoors.
Defenders can hunt for storefront requests bearing a CacheWarmer cookie whose value contains the marker 'CacheWarmer:' followed by Base64 beginning with Tz, Qz or YT, a strong indicator of an exploitation attempt. Thousands of stores remained unpatched at disclosure.
Key facts on file
- CVE-2026-45247 added to CISA KEV June 3, 2026; CVSS 9.8; PHP object injection / deserialization of untrusted data
- Affects Mirasvit Full Page Cache Warmer for Magento 2 (Adobe Commerce), all versions prior to 1.11.12
- Unauthenticated RCE via crafted serialized PHP object in 'CacheWarmer' cookie, deserialized without class restrictions
- Patches shipped around May 25, 2026; public disclosure on/around May 26
- Imperva observed active exploitation with base64-encoded serialized payloads; most-targeted countries US, UK, France, Australia; primarily gaming and business websites
- Federal remediation deadline June 6, 2026 (BOD 22-01 three-day clock)
- IOC: CacheWarmer cookie containing 'CacheWarmer:' + Base64 beginning Tz, Qz or YT; thousands of stores unpatched at disclosure


