

Ethical Hacking News

CISA Adds Exploited Magento RCE Flaw to KEV Catalog: A Critical Vulnerability Impacts E-commerce Sites Globally

A critical flaw in a popular e-commerce extension has been added to CISA's list, with reports indicating active exploitation in the wild. Learn how this vulnerability can be identified and patched to protect your site from potential attacks.

  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical flaw in Mirasvit Cache Warmer, a popular Magento full-page cache extension, to its Known Exploited Vulnerabilities (KEV) catalog.
  • The vulnerability, CVE-2026-45247, is a case of deserialization of untrusted data that could be exploited to execute arbitrary PHP code on an affected server.
  • All versions of Mirasvit Full Page Cache Warmer prior to version 1.11.12 are impacted and patches were released on May 25, 2026.
  • Exploitation activity has primarily targeted gaming and business sites, with the U.S., U.K., France, and Australia emerging as the most targeted countries.
  • Federal Civilian Executive Branch (FCEB) agencies have been ordered to apply the fixes by June 6, 2026.
  • The presence of certain Base64-encoded strings in a CacheWarmer cookie can serve as an early warning sign for potential attacks.



  • Threat Intelligence Newsletter Issue 23 - June 4, 2026

    In a recent update, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical flaw impacting Mirasvit Cache Warmer, a popular Magento full-page cache extension, to its Known Exploited Vulnerabilities (KEV) catalog. This move comes after reports of active exploitation in the wild, highlighting the importance of ensuring all e-commerce sites are up-to-date with the latest security patches.

    The vulnerability, tracked as CVE-2026-45247 and scored 9.8 on the Common Vulnerability Scoring System (CVSS), is a case of deserialization of untrusted data that could be exploited to execute arbitrary PHP code on an affected server. According to CISA, Mirasvit Full Page Cache Warmer contains a deserialization of untrusted data vulnerability that could allow unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie.

    The shortcoming impacts all versions of the extension prior to version 1.11.12. Patches were released on May 25, 2026, and affected sites should apply them as soon as possible.

    Exploitation activity has primarily targeted gaming and business sites, with the U.S., the U.K., France, and Australia emerging as the most targeted countries. The end goal appears to be to flag vulnerable Magento environments and confirm that remote code execution is possible.

    Federal Civilian Executive Branch (FCEB) agencies have been ordered to apply the fixes by June 6, 2026, in light of active exploitation efforts. Site owners are advised to audit for storefront requests that carry a CacheWarmer cookie whose value contains the marker "CacheWarmer:" followed by a Base64-encoded string.

    "Serialized PHP objects base64-encode to values starting with Tz, Qz or YT," Sansec said. "A CacheWarmer cookie value matching CacheWarmer:(Tz|Qz|YT) is a strong indicator of an exploitation attempt." This means that the presence of these encoded strings in a CacheWarmer cookie can serve as an early warning sign for potential attacks.
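    The indicator above can be turned into a simple log check. The following is an added example written for this article; it is not code from Mirasvit, Sansec or Imperva, and the access-log format (client IP, method, path, then the quoted Cookie header) and every sample request in it are constructed for illustration. It also shows why the three Base64 prefixes are what they are, and it never calls unserialize on anything: the payload is decoded only far enough to report which serialized PHP type it opens with.

```python
import base64
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Sansec's published indicator: the CacheWarmer cookie value carries the marker
# "CacheWarmer:" followed by Base64 whose first two characters are Tz, Qz or YT.
INDICATOR = re.compile(r"CacheWarmer:(Tz|Qz|YT)")


def base64_prefixes() -> Dict[str, str]:
    """Why Tz/Qz/YT: they are the Base64 of 'O:' (object), 'C:' (custom
    serialized class) and 'a:' (array), the openers of a serialized PHP value."""
    return {tag: base64.b64encode(f"{tag}:".encode())[:2].decode() for tag in "OCa"}


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split a Cookie request header into name -> percent-decoded value.
    Clients often URL-encode cookie values, so ':' may arrive as %3A;
    decoding before matching avoids missing the marker."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = unquote(value.strip())
    return cookies


def inspect_cookie_header(header: str) -> Optional[str]:
    """Return a short finding if the CacheWarmer cookie matches the indicator,
    otherwise None. Only the first bytes are decoded, to name the type tag."""
    value = parse_cookie_header(header).get("CacheWarmer")
    if value is None:
        return None
    match = INDICATOR.search(value)
    if not match:
        return None
    # Take the Base64 run starting at the Tz/Qz/YT prefix and pad it so a
    # truncated payload still decodes far enough to classify.
    b64 = re.match(r"[A-Za-z0-9+/=]+", value[match.start(1):]).group(0)
    padded = b64 + "=" * (-len(b64) % 4)
    try:
        opener = base64.b64decode(padded, validate=True)[:2].decode("ascii", "replace")
    except ValueError:
        opener = "?"
    kind = {"O:": "object", "C:": "custom class", "a:": "array"}.get(opener, "unknown")
    return f"serialized PHP {kind} ({opener}) in CacheWarmer cookie, prefix {match.group(1)}"


def scan_access_log(lines: List[str]) -> List[str]:
    """Run the check over constructed log lines of the form
    '<ip> <method> <path> "<Cookie header>"' and return one finding per hit."""
    findings: List[str] = []
    for line in lines:
        m = re.match(r'(\S+) (\S+) (\S+) "(.*)"$', line)
        if not m:
            continue
        ip, method, path, cookie_header = m.groups()
        finding = inspect_cookie_header(cookie_header)
        if finding:
            findings.append(f"{ip} {method} {path}: {finding}")
    return findings


# Constructed sample traffic (not real requests). The suspicious one carries the
# Base64 of a harmless serialized array, which is enough to trip the indicator.
SUSPICIOUS_VALUE = "CacheWarmer:" + base64.b64encode(b'a:1:{s:3:"foo";s:3:"bar";}').decode()
SAMPLE_LOG = [
    '203.0.113.10 GET /index.php "PHPSESSID=3f9c; CacheWarmer=warm-2026-06-04"',
    '203.0.113.11 GET /checkout "PHPSESSID=a1b2"',
    '198.51.100.7 GET /index.php "CacheWarmer=' + SUSPICIOUS_VALUE.replace(":", "%3A") + '"',
]

if __name__ == "__main__":
    print(base64_prefixes())
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

    The match is run on the percent-decoded cookie value, which matters in practice because a literal "CacheWarmer:" rarely reaches the log unencoded. A hit on the indicator is a reason to look at the request, not proof of compromise; hosts that were vulnerable when such requests arrived should be treated as possibly compromised until the patch to 1.11.12 and a review of the server have been completed.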

    Thales-owned Imperva has disclosed it has observed active attack activity attempting to exploit CVE-2026-45247 through serialized PHP object payloads delivered via malicious HTTP requests. The payloads contain base64-encoded serialized objects designed to trigger PHP Object Deserialization and achieve remote code execution through commonly abused gadget chains.

    "These payloads attempt to invoke functions such as system() and current() to execute arbitrary commands on the underlying server," Imperva said. "In several observed cases, attackers used test commands designed to validate successful code execution."

    Threat actors have been actively exploiting this vulnerability to achieve remote code execution, with malicious activity primarily targeting e-commerce sites worldwide. The U.S., the U.K., France, and Australia are currently among the most targeted countries.

    The addition of CVE-2026-45247 to the KEV catalog underlines the importance of timely patching for all software vulnerabilities. It is crucial that e-commerce sites prioritize applying security patches from reputable sources as soon as they become available to protect against such exploits.

    In light of this critical vulnerability, it has never been more essential for organizations and site owners to ensure their Magento full-page cache extensions are up-to-date with the latest security patches to safeguard against these types of attacks.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/CISA-Adds-Exploited-Magento-RCE-Flaw-to-KEV-Catalog-A-Critical-Vulnerability-Impacts-E-commerce-Sites-Globally-ehn.shtml

  • https://thehackernews.com/2026/06/cisa-adds-exploited-magento-rce-flaw.html


  • Published: Thu Jun 4 04:04:24 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.