CISA Adds Magento RCE CVE-2026-45247 to KEV
The Cache Warmer Compromise
A critical flaw has been discovered in Mirasvit Cache Warmer, a popular Magento full-page cache extension. The vulnerability, tracked as CVE-2026-45247, has a CVSS score of 9.8, which indicates critical severity. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog. Deserialization vulnerabilities in popular e-commerce extensions remain an ongoing threat.
Deserialization Disaster
The flaw is deserialization of untrusted data, which can be exploited to execute arbitrary PHP code. An attacker can supply a crafted serialized PHP object in the CacheWarmer cookie. Sansec, a Dutch security company, noted that because the value comes straight from the client, an attacker controls the objects PHP reconstructs. This is a classic example of PHP object injection, classified as CWE-502. All versions of the extension prior to version 1.11.12 are impacted, and anyone running one of them should be concerned.
Under the Hood
Technically, this is a deserialization vulnerability that lets an attacker inject malicious PHP objects. Through them, an unauthenticated attacker can achieve remote code execution on an affected server. The CVSS score of 9.8 reflects how exploitable the flaw is: exploitation prerequisites are minimal and attack complexity is low. A proof-of-concept is available, and the vulnerability has been confirmed to be exploitable in the wild. Versions 1.11.11 and earlier are affected, as is any version without the patch for CVE-2026-45247. Users must update to version 1.11.12 or later to mitigate this vulnerability.
Protecting Yourself
Update the Mirasvit Cache Warmer extension to version 1.11.12 or later. Removing or restricting access to the CacheWarmer cookie can help prevent exploitation. Implementing a Web Application Firewall to detect and prevent malicious PHP object injections is also recommended. Detection opportunities include monitoring for unusual activity in the CacheWarmer cookie and detecting potential PHP object injections. The vulnerability was discovered before May 25, 2026, and patches were released on May 25, 2026. Last week, Sansec reported that the PHP object injection vulnerability could be exploited. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on Wednesday.
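The cookie monitoring described above, as an added example (not code from Sansec, Mirasvit or this article): a Python check that flags serialized PHP object tokens in the CacheWarmer cookie of a request's Cookie header. The exact cookie name and the URL and base64 encodings it tries are assumptions, and the sample headers are constructed.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote

COOKIE_NAME = "CacheWarmer"  # assumption: cookie name as the article writes it

# serialize() object tokens: O:<len>:"Class":<props>:{ and C:<len>:"Class":<len>:{
# Older PHP releases tolerated a "+" before the length, so allow it.
OBJECT_TOKEN = re.compile(r'[OC]:\+?\d+:"([\w\\]+)":\d+:\{')

def cookie_value(header, name=COOKIE_NAME):
    """Return the raw value of `name` from a Cookie header, or None."""
    for part in header.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep and key == name:
            return value
    return None

def decoded_views(value):
    """The value as sent, URL-decoded once and twice, and base64-decoded."""
    views = [value, unquote(value), unquote(unquote(value))]
    for view in list(views):
        try:
            padded = view + "=" * (-len(view) % 4)
            views.append(base64.b64decode(padded, validate=True).decode("latin-1"))
        except (binascii.Error, ValueError):
            pass  # not base64, nothing to add
    return views

def serialized_classes(header):
    """Class names of serialized PHP objects carried in the cookie."""
    value = cookie_value(header)
    found = []
    for view in decoded_views(value) if value is not None else []:
        for cls in OBJECT_TOKEN.findall(view):
            if cls not in found:
                found.append(cls)
    return found

# Constructed sample headers (not captured traffic); stdClass is a harmless built-in.
BENIGN = "PHPSESSID=abc123; CacheWarmer=" + quote('a:1:{s:4:"page";i:3;}', safe="")
URLENC = "CacheWarmer=" + quote('O:8:"stdClass":0:{}', safe="")
B64 = "CacheWarmer=" + base64.b64encode(b'a:1:{i:0;O:8:"stdClass":0:{}}').decode()

if __name__ == "__main__":
    for header in (BENIGN, URLENC, B64):
        print(serialized_classes(header) or "clean", "<-", header)
```

A serialized array of scalars passes as clean, while any object token is reported with its class name, which gives an analyst something to search for in the installed code base.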