Magento Security Alert: CISA Issues Warning on Exploited Flaw CVE-2026-45247 (2026)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Mirasvit Cache Warmer, a popular Magento full-page cache extension, to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, tracked as CVE-2026-45247, carries a CVSS score of 9.8 and can lead to remote code execution. The issue stems from the deserialization of untrusted data, which allows unauthenticated attackers to inject malicious PHP objects through the CacheWarmer cookie. It affects all versions of the extension prior to version 1.11.12, with patches released on May 25, 2026.

The severity of this flaw is underscored by the active exploitation observed by Sansec, which identified approximately 6,000 stores running Mirasvit extensions. Thales-owned Imperva has also reported active attack activity, with attackers using base64-encoded serialized objects to trigger PHP object deserialization and execute arbitrary commands on the underlying server. The targeted countries include the U.S., the U.K., France, and Australia, with gaming and business sites being the primary focus. The end goal of these attacks appears to be identifying vulnerable Magento environments and confirming remote code execution.

In response to this threat, Federal Civilian Executive Branch (FCEB) agencies have been ordered to apply the necessary fixes by June 6, 2026. Site owners are advised to audit for storefront requests containing a CacheWarmer cookie with a value starting with 'CacheWarmer:', followed by a Base64-encoded string, as this is a strong indicator of an exploitation attempt. This incident highlights the ongoing challenges in cybersecurity, emphasizing the need for proactive measures to protect against emerging threats.
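The cookie audit recommended above can be run over web-server access logs. The following is an added example, not code from the article, Sansec, Imperva or Mirasvit; it assumes a log format that appends the raw Cookie header as the last quoted field, and the function names and sample log lines are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Assumption: the log format appends the raw Cookie header as the last quoted
# field (the stock "combined" format does not log cookies).
COOKIE_FIELD = re.compile(r'"([^"]*)"\s*$')
INDICATOR = re.compile(r"^CacheWarmer:([A-Za-z0-9+/]+={0,2})$")
# PHP serialize() output opens with a type tag such as O:<len>:" or a:<n>:{
PHP_SERIALIZED = re.compile(rb'^(?:[OC]:\d+:"|a:\d+:\{)')

def cookie_value(header, name="CacheWarmer"):
    """Return the URL-decoded value of one cookie, or None if absent."""
    for part in header.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep and key == name:
            return unquote(value)
    return None

def classify(line):
    """Return 'none', 'indicator' or 'serialized-object' for one log line."""
    field = COOKIE_FIELD.search(line)
    value = cookie_value(field.group(1)) if field else None
    match = INDICATOR.match(value) if value else None
    if not match:
        return "none"
    try:
        decoded = base64.b64decode(match.group(1), validate=True)
    except (binascii.Error, ValueError):
        return "none"  # prefix present, but the rest is not valid Base64
    return "serialized-object" if PHP_SERIALIZED.match(decoded) else "indicator"

def scan(lines):
    """Return (client_ip, verdict) for each line carrying the indicator."""
    hits = ((line.split(" ", 1)[0], classify(line)) for line in lines)
    return [hit for hit in hits if hit[1] != "none"]

def make_line(ip, cookie):  # formats one constructed access-log line
    return (f'{ip} - - [27/May/2026:10:00:00 +0000] "GET / HTTP/1.1" '
            f'200 512 "-" "Mozilla/5.0" "{cookie}"')

# Constructed sample data: documentation IPs and a harmless stdClass object.
SAMPLE_OBJ = base64.b64encode(b'O:8:"stdClass":0:{}').decode()
SAMPLE_LOG = [
    make_line("198.51.100.10", "PHPSESSID=abc123; form_key=xyz"),
    make_line("203.0.113.7", f"PHPSESSID=abc; CacheWarmer=CacheWarmer%3A{SAMPLE_OBJ}"),
    make_line("203.0.113.8", "CacheWarmer=CacheWarmer:aGVsbG8gd29ybGQh"),
]
print(scan(SAMPLE_LOG))
```

Lines classified as `serialized-object` decode to something shaped like PHP `serialize()` output and deserve the closest review; `indicator` lines match the prefix-plus-Base64 pattern the advisory describes without that shape.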


Author: Nicola Considine CPA
