THU 02 JUL 2026 · GMT EDITION A WHITESTONE INTELLIGENCE PUBLICATION
MARKETS · CYBER · MEMOS · MODELS
DAILY ISSUES26 MAY27 MAY28 MAY29 MAY30 MAY31 MAY01 JUN02 JUN03 JUN04 JUN05 JUN06 JUN07 JUN08 JUN09 JUN10 JUN11 JUN12 JUN13 JUN14 JUN15 JUN16 JUN17 JUN18 JUN19 JUN21 JUN22 JUN23 JUN24 JUN25 JUN26 JUN27 JUN28 JUN29 JUN30 JUN01 JUN02 JUNALL ›
FRONT PAGE / CYBER / CYB-2026-06-003
CYBER · cves zero days · 2026-06-03SCOOP 74

Critical Magento RCE CVE-2026-45247 in Mirasvit Cache Warmer exploited within days; CISA adds to KEV June 3

CISA added CVE-2026-45247 to its Known Exploited Vulnerabilities catalog on June 3, 2026, a critical (CVSS 9.8) PHP object-injection / deserialization-of-untrusted-data flaw in the Mirasvit Full Page Cache Warmer extensi.

·FILED ISSUE 2026-06-03·1 MIN READ·RE-VERIFIED 2026-07-02 UTC·✓ RE-VERIFIED 2026-07-02

At a glance

  • CVE-2026-45247 added to CISA KEV June 3, 2026; CVSS 9.8; PHP object injection / deserialization of untrusted data
  • Affects Mirasvit Full Page Cache Warmer for Magento 2 (Adobe Commerce), all versions prior to 1.11.12
  • Unauthenticated RCE via crafted serialized PHP object in 'CacheWarmer' cookie, deserialized without class restrictions
  • Patches shipped around May 25, 2026; public disclosure on/around May 26
  • Imperva observed active exploitation with base64-encoded serialized payloads; most-targeted countries US, UK, France, Australia; primarily gaming and business websites

VERDICT — CONFIRMED

high confidence · primary + corroborating sources verified · re-verified 2026-07-02 UTC
Critical Magento RCE CVE-2026-45247 in Mirasvit Cache Warmer exploited within days; CISA a
Image via primary source

CISA added CVE-2026-45247 to its Known Exploited Vulnerabilities catalog on June 3, 2026, a critical (CVSS 9.8) PHP object-injection / deserialization-of-untrusted-data flaw in the Mirasvit Full Page Cache Warmer extension for Magento 2 (Adobe Commerce). Unauthenticated attackers can achieve remote code execution by supplying a crafted serialized PHP object inside the 'CacheWarmer' cookie, which is deserialized without class restrictions, enabling gadget-chain exploitation to arbitrary PHP execution on the server. The vulnerability affects all extension versions prior to 1.11.12; Mirasvit shipped patches around May 25, 2026, and the flaw was publicly disclosed on/around May 26.

Imperva reported it began observing active exploitation shortly after disclosure, with payloads carrying base64-encoded serialized objects; the most-targeted countries were the U.S., U.K., France and Australia, hitting primarily gaming and business websites. CISA set a federal remediation deadline of June 6, 2026 under BOD 22-01's three-day clock. The story matters because Magento/Adobe Commerce storefronts are perennial Magecart and card-skimming targets, and an unauthenticated, cookie-delivered RCE gives attackers a direct path to inject payment-card skimmers, web shells, or backdoors.

Defenders can hunt for storefront requests bearing a CacheWarmer cookie whose value contains the marker 'CacheWarmer:' followed by Base64 beginning with Tz, Qz or YT, a strong indicator of an exploitation attempt. Thousands of stores remained unpatched at disclosure.

Key facts on file

  • CVE-2026-45247 added to CISA KEV June 3, 2026; CVSS 9.8; PHP object injection / deserialization of untrusted data
  • Affects Mirasvit Full Page Cache Warmer for Magento 2 (Adobe Commerce), all versions prior to 1.11.12
  • Unauthenticated RCE via crafted serialized PHP object in 'CacheWarmer' cookie, deserialized without class restrictions
  • Patches shipped around May 25, 2026; public disclosure on/around May 26
  • Imperva observed active exploitation with base64-encoded serialized payloads; most-targeted countries US, UK, France, Australia; primarily gaming and business websites
  • Federal remediation deadline June 6, 2026 (BOD 22-01 three-day clock)
  • IOC: CacheWarmer cookie containing 'CacheWarmer:' + Base64 beginning Tz, Qz or YT; thousands of stores unpatched at disclosure

OFFICIAL RECORD

The Hacker News — Ravie Lakshmanan (2026-06-03)
· fetched at filing · archived at publication
Share
Filed by the Cyber desk · verified by the verification desk · re-verified 2026-07-02 · Our standards: the two-source rule ›
CITE THIS FILE — The Dossier Wire · cyb-2026-06-003 · filed 2026-06-03 · https://thedwire.com/wire/cyb-2026-06-003-critical-magento-rce-cve-2026-45247-in-mirasvit-cache.html · Primary and corroborating sources listed above; archived at publication. Republishing & licensing: hello@thedwire.com.
More from Cyber FULL DESK ›
CISA adds 2022 Linux cgroups container-escape bug CVE-2022-0492 to KEV after fre
CYBER · SCOOP 70

CISA adds 2022 Linux cgroups container-escape bug CVE-2022-0492 to KEV after fresh in-the-wild exploitation

CISA added CVE-2022-0492 to its Known Exploited Vulnerabilities catalog on June 2, 2026, confirming active in-the-wild exploitation of a four-year-old Linux kernel flaw with a CVSS score of 7.8. The bug is an improper-authentication/missing-authorization defect (CWE-287, CWE-862) in the cgroup_release_agent_write() function of the cgroups

✓ verifiedSOURCE ↗
READ THE FILE ›
Microsoft reverses 'never justifiable' zero-day stance, vows not to pu
CYBER · SCOOP 85

Microsoft reverses 'never justifiable' zero-day stance, vows not to pursue researchers as Nightmare-Eclipse feud spreads

Microsoft publicly walked back an aggressive disclosure stance on June 1-2, 2026 after community backlash. Days earlier (a blog post ~May 28) Microsoft had branded uncoordinated public zero-day disclosures 'never justifiable,' implied legal exposure for those enabling cybercrime, and noted its Digital Crimes Unit would keep bringing cases

exclusivecorrected · see fileSOURCE ↗
READ THE FILE ›
Google patches 124 Android flaws including actively exploited CVE-2025-48595; CI
CYBER · SCOOP 78

Google patches 124 Android flaws including actively exploited CVE-2025-48595; CISA orders federal fix by June 5

Google's June 2026 Android security bulletin patched 124 vulnerabilities, including CVE-2025-48595, an Android Framework integer-overflow bug (CVSS 8.4) that Google says is under 'limited, targeted exploitation' in the wild. The flaw enables code execution and local privilege escalation with no user interaction, the hallmark signature of

✓ verifiedSOURCE ↗
READ THE FILE ›

The morning wire in your inbox — every brief, primary sources linked, no noise.

Free tier. The Wire — continuous desk briefs · Records archive · Bureau alerts.

Stored to the wire's subscriber list. No spam, unsubscribe any time.