CISA Adds Exploited Magento RCE Flaw CVE-2026-45247 to KEV Catalog
The Cache Warmer Compromise
A critical flaw was discovered in Mirasvit Cache Warmer, a popular Magento full-page cache extension. The vulnerability, tracked as CVE-2026-45247, has a CVSS score of 9.8, which puts it at the critical severity level. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities catalog. The case shows that deserialization vulnerabilities in popular e-commerce extensions remain an ongoing threat.
Deserialization Disaster
Deserialization of untrusted data can be exploited to execute arbitrary PHP code. Here, an attacker can supply a crafted serialized PHP object in the CacheWarmer cookie. Sansec, a Dutch security company, noted that because the value comes straight from the client, an attacker controls the objects PHP reconstructs. This is a classic example of PHP object injection, classified as CWE-502. All versions of the extension prior to version 1.11.12 are impacted, so users of the Mirasvit Cache Warmer extension should be concerned.
Under the Hood
Technically, this is a deserialization vulnerability that allows an attacker to inject malicious PHP objects. The CVSS score of 9.8 indicates that it is highly exploitable and can be used to achieve remote code execution: exploitation prerequisites are minimal, and attack complexity is low. A proof-of-concept is available, and the vulnerability has been confirmed to be exploitable in the wild. Versions 1.11.11 and earlier are affected, as is any version without the patch for CVE-2026-45247. Users must update to version 1.11.12 or later to mitigate this vulnerability. The impact is significant, because it allows unauthenticated attackers to achieve remote code execution on an affected server.
Protecting Yourself
Update the Mirasvit Cache Warmer extension to version 1.11.12 or later. Removing or restricting access to the CacheWarmer cookie can help prevent exploitation. Implementing a Web Application Firewall to detect and prevent malicious PHP object injections is also recommended. Detection opportunities include monitoring for unusual activity in the CacheWarmer cookie and detecting potential PHP object injections. The vulnerability was discovered before May 25, 2026, and patches were released on May 25, 2026. Sansec reported last week that the PHP object injection vulnerability could be exploited. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities catalog on Wednesday.
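One way to act on the detection advice above, as an added example that is not code from Sansec, Mirasvit or CISA: a small Python check that flags Cookie headers whose CacheWarmer value contains a PHP serialized object marker. The encodings it tries (URL-encoded and base64) and all sample headers are assumptions constructed for illustration; the article does not say how the extension encodes the cookie.

```python
import base64
import re
from urllib.parse import quote, unquote

COOKIE_NAME = "CacheWarmer"  # cookie named in the article
# PHP serialize() object markers, at top level or nested inside an array:
#   O:<len>:"Class":<count>:{   and   C:<len>:"Class":<len>:{
PHP_OBJECT = re.compile(r'(?:^|[;{])[OC]:\d+:"[A-Za-z_\\][\w\\]*":\d+:\{')

def cookie_value(header, name=COOKIE_NAME):
    """Return the raw value of cookie `name` from a Cookie header, or None."""
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None

def candidate_decodings(raw):
    """Yield the URL-decoded value and, if it is valid base64, its decoding."""
    decoded = unquote(raw)
    yield decoded
    try:
        padded = decoded + "=" * (-len(decoded) % 4)
        yield base64.b64decode(padded, validate=True).decode("latin-1")
    except ValueError:  # binascii.Error is a ValueError subclass
        pass

def is_object_injection(header):
    """True if the CacheWarmer cookie carries a serialized PHP object."""
    raw = cookie_value(header)
    return raw is not None and any(PHP_OBJECT.search(c) for c in candidate_decodings(raw))

def flag_requests(cookie_headers):
    """Return the Cookie headers that should be alerted on."""
    return [h for h in cookie_headers if is_object_injection(h)]

# Constructed sample Cookie headers; stdClass is a harmless built-in class
# used only to produce the object marker.
MARKER = 'O:8:"stdClass":0:{}'
SAMPLES = [
    "PHPSESSID=abc123; CacheWarmer=a1b2c3d4",                     # opaque token
    "CacheWarmer=" + quote('a:1:{s:4:"page";i:2;}', safe=""),     # scalars only
    "CacheWarmer=" + quote(MARKER, safe=""),                      # top-level object
    "CacheWarmer=" + quote("a:1:{i:0;" + MARKER + "}", safe=""),  # nested object
    "PHPSESSID=abc123; CacheWarmer=" + base64.b64encode(MARKER.encode()).decode(),
    "other=" + quote(MARKER, safe=""),                            # different cookie
]
if __name__ == "__main__":
    for header in flag_requests(SAMPLES):
        print("suspicious:", header)
```

A match is only a signal that the request deserves a closer look and does not replace updating to 1.11.12 or later, since an encoding not covered here would pass unnoticed.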