The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added a critical vulnerability in Mirasvit Cache Warmer, a popular Magento full-page cache extension, to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, tracked as CVE-2026-45247, carries a CVSS score of 9.8 and can lead to remote code execution. The issue stems from the deserialization of untrusted data, which allows unauthenticated attackers to execute arbitrary PHP code on affected servers. This is particularly concerning given how widely Mirasvit Cache Warmer is used: estimates suggest around 6,000 stores run the extension, although the actual number may be higher because content delivery networks (CDNs) like Cloudflare mask installs.
What makes this vulnerability especially dangerous is how easily it can be exploited. Sansec, a Dutch security company, notes that the PHP object injection can be triggered through any storefront request carrying a crafted CacheWarmer cookie. The cookie is deserialized using PHP's native unserialize() function, which gives attackers control over the objects PHP reconstructs. Combined with gadget chains from classes that Magento and its dependencies ship, that control can escalate to remote code execution.
Thales-owned Imperva has observed active attack activity attempting to exploit CVE-2026-45247 through serialized PHP object payloads delivered via malicious HTTP requests. These payloads are designed to trigger PHP object deserialization and achieve remote code execution by invoking functions like system() and current() to execute arbitrary commands on the underlying server. The attacks have primarily targeted gaming and business sites, with the U.S., the U.K., France, and Australia emerging as the most targeted countries. The identity of the attackers remains unknown, but the goal appears to be to flag vulnerable Magento environments and confirm the feasibility of remote code execution.
The urgency of the situation is underscored by the recent order for Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by June 6, 2026. To detect potential exploitation efforts, site owners are advised to audit for storefront requests that carry a CacheWarmer cookie whose value contains the marker 'CacheWarmer:' followed by a Base64-encoded string. Because serialized PHP objects Base64-encode to values starting with 'Tz', 'Qz', or 'YT', a CacheWarmer cookie value matching 'CacheWarmer:(Tz|Qz|YT)' is a strong indicator of an exploitation attempt.
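The audit described above can be run over any access log that records the Cookie header. The following Python is an added example, not code from Sansec, Imperva or Mirasvit; the log layout, the cookie name used in the sample lines and the sample values are constructed for illustration, and the serialized values are empty, harmless ones.

```python
import base64
import re
from urllib.parse import unquote

# Indicator from the article: the marker "CacheWarmer:" followed by Base64
# starting with Tz, Qz or YT. Those are the Base64 forms of the PHP
# serialize() type prefixes "O:", "C:" and "a:".
INDICATOR = re.compile(r"CacheWarmer:((?:Tz|Qz|YT)[A-Za-z0-9+/]*={0,2})")

def decoded_prefix(b64_value):
    """Decode the first Base64 quantum (up to 3 bytes) to help triage a hit."""
    head = b64_value[:4]
    head += "=" * (-len(head) % 4)
    return base64.b64decode(head).decode("latin-1")

def scan(lines):
    """Return one record per log line that matches the indicator."""
    hits = []
    for lineno, raw in enumerate(lines, 1):
        line = unquote(raw)  # logged cookie values may be percent-encoded
        match = INDICATOR.search(line)
        if match:
            hits.append({
                "line": lineno,
                "client": raw.split(" ", 1)[0],  # assumed: client IP is field 1
                "prefix": decoded_prefix(match.group(1)),
            })
    return hits

# Constructed sample data: harmless serialized values, documentation IPs,
# and an assumed log layout whose last quoted field is the Cookie header.
OBJ = base64.b64encode(b'O:8:"stdClass":0:{}').decode()  # empty object
ARR = base64.b64encode(b"a:0:{}").decode()               # empty array
TXT = base64.b64encode(b"hello").decode()                # not serialized data
SAMPLE_LOG = [
    f'198.51.100.7 "GET / HTTP/1.1" 200 "CacheWarmer=CacheWarmer:{OBJ}"',
    f'198.51.100.9 "GET /cart HTTP/1.1" 200 "CacheWarmer=CacheWarmer%3A{ARR}"',
    f'203.0.113.5 "GET / HTTP/1.1" 200 "CacheWarmer=CacheWarmer:{TXT}"',
    '203.0.113.8 "GET / HTTP/1.1" 200 "-"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The decoded prefix is reported only for triage: a hit whose prefix reads like 'O:8' or 'a:0' is serialized PHP data, while the match itself follows the article's pattern unchanged.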
This incident highlights the need for proactive measures, in particular timely patch management, and the risks that come with the widespread use of third-party extensions. As new threats and vulnerabilities emerge, organizations must remain vigilant and adaptable.