🔴 CVE-2026-45247

Critical PHP object injection vulnerability in Mirasvit Cache Warmer for Magento 2 allows unauthenticated remote code execution via crafted cookie data. Affects e-commerce platforms that are inherently internet-facing by design. CISA KEV listing confirms active exploitation.

Risk Level: HIGH_RISK
CVSS Score: 9.8
Attack Vector: NETWORK
ATT&CK Tactic: Initial Access
ATT&CK Technique: T1190 — Exploit Public-Facing Application
Deployment Risk: VERY_HIGH
Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2026-05-26

Added to CISA KEV: 2026-06-03 (8 days between CVE and KEV)

🌐 Internet Exposure (Shodan): 425 internet-facing instances
Query: http.component:"Magento"
This counts all Magento 2 instances but cannot distinguish which have the vulnerable Mirasvit Cache Warmer extension installed, so results will overestimate actual exposure.
Checked: 2026-06-04

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2026-45247 is a critical security vulnerability affecting the Mirasvit Full Page Cache Warmer extension for Magento 2 and Adobe Commerce [4]. It carries a CVSS score of 9.8, reflecting its high severity [6].

Active Exploitation and Threat Actor Usage
  • Active Exploitation: The vulnerability is currently being exploited in the wild [5].
  • CISA KEV: On June 3, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating action for federal agencies [3] [5].
Attack Method and Requirements
  • Vulnerability Type: PHP object injection (deserialization of untrusted data) [1] [3].
  • Requirements: The attack is unauthenticated, meaning no user interaction or prior access is required [1].
  • Exploitation: An attacker can achieve remote code execution (RCE) by supplying a crafted, serialized PHP object within the `CacheWarmer` cookie [1].
  • Detection Indicator: Security researchers have noted that serialized PHP objects base64-encode to values starting with `Tz`, `Qz`, or `YT`. Consequently, any cookie matching `CacheWarmer:(Tz|Qz|YT)` is considered a strong indicator of an active exploitation attempt [2].
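
The indicator above, applied to access-log lines and extended to name the serialized type and class for triage. This is an added example, not code from the page, Mirasvit or the cited researchers. It assumes the Cookie header is written to the log (default nginx and Apache formats do not record it); the function names, log layout and sample lines are constructed for illustration.

```python
import base64
import re
from urllib.parse import unquote

# Indicator quoted on the page; the rest of the base64 run is kept for triage.
INDICATOR = re.compile(r"CacheWarmer:((Tz|Qz|YT)[A-Za-z0-9+/]*)")
# PHP serialize() markers that base64-encode to each two-character prefix.
PHP_KIND = {"Tz": "object (O:)", "Qz": "custom object (C:)", "YT": "array (a:)"}
CLASS_NAME = re.compile(rb'^[OC]:\d+:"([^"]+)"')


def inspect_line(line):
    """Return a finding for one access-log line, or None when it is clean."""
    match = INDICATOR.search(unquote(line))  # ':' may arrive encoded as %3A
    if match is None:
        return None
    blob = match.group(1)
    blob = blob[: len(blob) - len(blob) % 4]  # decode whole 4-char groups only
    head = base64.b64decode(blob)[:200]
    cls = CLASS_NAME.match(head)
    return {
        "client": line.split(" ", 1)[0],
        "kind": PHP_KIND[match.group(2)],
        # The class name is attacker-controlled: log it as data, never load it.
        "class": cls.group(1).decode("ascii", "replace") if cls else None,
    }


def scan(lines):
    """Collect findings for every line that carries the indicator."""
    return [f for f in map(inspect_line, lines) if f is not None]


def b64(raw):
    """Base64-encode bytes to text (used only to build the samples below)."""
    return base64.b64encode(raw).decode()


# Constructed sample lines (documentation IPs, harmless payloads). The layout,
# with the Cookie header as the last quoted field, is an assumption.
SAMPLE_LINES = [
    '198.51.100.4 "GET / HTTP/1.1" 200 "PHPSESSID=abc; CacheWarmer:' + b64(b'{"warm":1}') + '"',
    '203.0.113.7 "GET / HTTP/1.1" 200 "CacheWarmer:' + b64(b'O:8:"stdClass":0:{}') + '"',
    '203.0.113.9 "GET / HTTP/1.1" 200 "CacheWarmer%3A' + b64(b'a:1:{i:0;i:1;}') + '"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(finding)
```

A hit shows that a serialized value was sent, not that it was deserialized; correlate findings with the installed extension version before escalating.
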
Impact
  • Successful Exploitation: An attacker who succeeds can execute arbitrary code on the affected server, leading to a full compromise of the application and potentially the underlying server environment [1].
Affected Versions and Mitigation
  • Affected Versions: Mirasvit Full Page Cache Warmer for Magento 2 versions before 1.11.12 are affected.
  • Patch Status: Users are strongly advised to update to version 1.11.12 or later to remediate the vulnerability.
  • Ransomware/Targeted Attacks: While specific attribution to ransomware groups has not been widely publicized as of June 4, 2026, the inclusion in the CISA KEV catalog and the nature of the vulnerability (RCE) make it a high-priority target for various threat actors, including those involved in automated mass exploitation and targeted attacks on e-commerce platforms.

Sources

  1. Mirasvit Cache Warmer for Magento < 1.11.12 PHP Object Injection - CVE ...

    Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can explo...

  2. Critical Magento Cache Plugin Flaw Enables Remote Code Execution

    CVE-2026-45247 was formally assigned and publicly disclosed on May 26, 2026, with Imperva and additional vendors confirming protections by May 28, 2026. Since serialized PHP objects base64-encode to values beginning with Tz, Qz, or YT, any cookie matching CacheWarmer:(Tz|Qz|YT) is a strong indicator…

  3. CISA Cyber

    CISA Cyber (@CISACyber). 10 likes. 🛡️ We added Mirasvit Full Page Cache Warmer deserialization of untrusted data vulnerability CVE-2026-45247 ...

  4. Imperva Customers Protected Against CVE-2026-45247 in Mirasvit Full ...

    About CVE-2026-45247 On May 26, 2026, researchers at Sansec disclosed a critical vulnerability in Mirasvit Full Page Cache Warmer, a Magento and Adobe Commerce extension used to pre-populate and manage storefront cache content. The vulnerability was assigned CVE-2026-45247 and carries a CVSS score o…

  5. CISA warns of exploits in Magento cache extension CVE-2026-45247

    On 3 June 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-45247 to its Known Exploited Vulnerabilities (KEV) catalogue. The entry concerns Mirasvit Full Page Cache Warmer, a Magento extension used on Adobe Commerce platforms, and covers the…

  6. CVE-2026-45247: Mirasvit Full Page Cache Remote Code Execution

    CVE-2026-45247 is a critical severity vulnerability (CVSS 9.8) identified in the National Vulnerability Database. Mirasvit Full Page Cache ...