CISA's Critical Alert: Magento Flaw CVE-2026-45247 Exploited, Urgent Action Needed (2026)

The recent addition of a critical vulnerability to CISA's Known Exploited Vulnerabilities (KEV) catalog has sparked concern in the cybersecurity community. This vulnerability, CVE-2026-45247, affects Mirasvit Cache Warmer, a popular Magento full-page cache extension, and has been actively exploited in the wild. The issue lies in the deserialization of untrusted data, which can be exploited to execute arbitrary PHP code on affected servers. The vulnerability is particularly concerning because of its CVSS score of 9.8, which indicates a severe risk to affected systems.

What makes this situation even more alarming is the ease with which attackers can exploit it. By supplying a crafted serialized PHP object in the CacheWarmer cookie, unauthenticated attackers can achieve remote code execution without any account or admin privileges. This is a classic case of PHP object injection (CWE-502): the attacker controls the objects PHP reconstructs during unserialization, and the magic methods of those objects do the rest. The vulnerability affects all versions of the extension prior to 1.11.12; patches were released on May 25, 2026.

The threat landscape becomes more complex when content delivery networks (CDNs) like Cloudflare are involved, since they can mask installs and make it hard to determine the exact number of affected stores. Thales-owned Imperva has observed active attack activity attempting to exploit CVE-2026-45247 through serialized PHP object payloads delivered via malicious HTTP requests. These payloads are designed to trigger PHP object deserialization and achieve remote code execution through commonly abused gadget chains, with functions such as system() and current() being invoked to execute arbitrary commands on the underlying server.

The targets of these attacks have primarily been gaming and business sites, with the U.S., the U.K., France, and Australia emerging as the most targeted countries. The end goal of these exploitation efforts appears to be to flag vulnerable Magento environments and confirm remote code execution is possible. In light of this active exploitation, Federal Civilian Executive Branch (FCEB) agencies have been ordered to apply the fixes by June 6, 2026.

To detect potential exploitation efforts, site owners are advised to audit storefront requests that carry a CacheWarmer cookie whose value contains the marker 'CacheWarmer:' followed by a Base64-encoded string. This is a strong indicator of an exploitation attempt: serialized PHP objects and arrays begin with the type tags O:, C: or a:, which Base64-encode to values starting with Tz, Qz, or YT. Auditing for these values, alongside applying the patch, gives site owners a concrete way to spot attempts against their stores.
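The audit described above, written as an added Python example that is not part of the original article and not Mirasvit's or Imperva's code. It derives the Tz/Qz/YT prefixes from the PHP type tags rather than hard-coding them, then scans constructed access-log lines for the CacheWarmer marker, decoding each payload to confirm that it really is a serialized PHP value. The log layout (Apache combined format with the Cookie request header appended as a final quoted field) and the cookie layout `CacheWarmer=CacheWarmer:<base64>` are assumptions; adjust the regex and the field index to match your own server's log format.

```python
"""Audit access logs for CacheWarmer cookies carrying base64-encoded serialized PHP values."""
import base64
import binascii
import re
from typing import Dict, Iterable, List, Tuple

# Serialized PHP values start with a type tag: O: (object), C: (custom-serialized
# object) or a: (array). Base64 encodes 3-byte groups, so the first two output
# characters depend only on these two leading bytes.
PHP_TYPE_TAGS = (b"O:", b"C:", b"a:")


def serialized_prefixes() -> List[str]:
    """Derive the base64 prefixes that serialized PHP values always produce."""
    return [base64.b64encode(tag).decode()[:2] for tag in PHP_TYPE_TAGS]  # ['Tz', 'Qz', 'YT']


# Assumed cookie layout: the CacheWarmer cookie value carries the literal marker
# "CacheWarmer:" followed by the base64 payload (an assumption, not from the advisory).
COOKIE_RE = re.compile(r"CacheWarmer=CacheWarmer:([A-Za-z0-9+/=]+)")


def classify_cookie(cookie_header: str) -> Tuple[str, str]:
    """Return (verdict, php_type_tag) for one Cookie request-header value.

    'serialized' - marker present and the payload decodes to a PHP object/array
    'suspicious' - marker present but the payload is not recognisably serialized
    'clean'      - no CacheWarmer marker at all
    """
    match = COOKIE_RE.search(cookie_header)
    if not match:
        return "clean", ""
    payload = match.group(1)
    # Fast path first (the grep-style check from the advisory), then decode to confirm.
    if payload[:2] in serialized_prefixes():
        try:
            decoded = base64.b64decode(payload, validate=True)
        except binascii.Error:
            return "suspicious", ""
        if decoded[:2] in PHP_TYPE_TAGS:
            return "serialized", decoded[:2].decode()
    return "suspicious", ""


def scan_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Scan log lines and return one finding per request that carries the marker."""
    findings = []
    for line in lines:
        line = line.strip()
        parts = line.split('"')
        if len(parts) < 3:
            continue  # not a line in the expected quoted-field layout
        cookie = parts[-2]  # assumed: last quoted field is the Cookie header
        verdict, tag = classify_cookie(cookie)
        if verdict != "clean":
            findings.append({"ip": line.split()[0], "verdict": verdict, "tag": tag})
    return findings


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


# Constructed sample traffic (not real log data). Payloads are built from
# harmless serialized values so the sample contains no working gadget chain.
_PREFIX = '- - [27/May/2026:10:01:02 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0" '
SAMPLE_LOG = [
    "203.0.113.10 " + _PREFIX + '"CacheWarmer=CacheWarmer:' + _b64(b'O:4:"Foo":0:{}') + '"',
    "203.0.113.11 " + _PREFIX + '"CacheWarmer=CacheWarmer:' + _b64(b"https://example.com/") + '"',
    "203.0.113.12 " + _PREFIX + '"frontend=abc123; CacheWarmer=CacheWarmer:' + _b64(b'a:1:{i:0;s:1:"x";}') + '"',
    "203.0.113.13 " + _PREFIX + '"frontend=abc123"',
    "203.0.113.14 " + _PREFIX + '"CacheWarmer=CacheWarmer:' + _b64(b'C:3:"Bar":0:{}') + '"',
]

if __name__ == "__main__":
    print("serialized PHP base64 prefixes:", serialized_prefixes())
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The decode step matters: the prefix test alone is the cheap first pass you would run with grep, but a payload whose decoded bytes do not start with a PHP type tag is still worth a look (it carries the marker) without being conclusive, so it is reported as suspicious rather than dropped.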

In conclusion, the addition of CVE-2026-45247 to CISA's KEV catalog highlights the ongoing threat posed by vulnerabilities in popular software extensions. It serves as a reminder that even well-known and trusted tools can have critical security flaws. Security teams should stay vigilant, keep software up to date, and implement robust security measures to protect against exploitation. The threat landscape is ever-evolving, and staying informed and proactive is essential to safeguarding sensitive information and critical infrastructure.

Author: Mr. See Jast