CISA has added CVE-2026-45247 to its Known Exploited Vulnerabilities catalog after reports of exploitation against Mirasvit Full Page Cache Warmer, a Magento and Adobe Commerce extension. The practical issue is direct: a crafted CacheWarmer cookie can reach PHP deserialization logic on a storefront request and, on vulnerable systems, lead to remote code execution.
Sansec reported the flaw on May 26, 2026, and says Mirasvit released version 1.11.12 on May 25. CISA added the CVE on June 3 with a June 6 remediation deadline for U.S. federal agencies. Store owners should treat this as an urgent exposure check, not a routine performance-extension update.
Who Is Affected
The vulnerable component is Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12. Sansec notes that the extension may be bundled with other Mirasvit packages, so administrators should check installed Composer packages and module status even if they do not remember installing Cache Warmer directly.
| What to check | Risk and action |
|---|---|
| mirasvit/module-cache-warmer version | Versions before 1.11.12 need an immediate update or removal if the extension is not required. |
| Public storefront access | The attack path is unauthenticated, so any reachable storefront running the vulnerable module is exposed. |
| Recent web requests with unusual CacheWarmer cookies | Review access logs and WAF logs for oversized or serialized-looking cookie values and correlate with PHP errors, new files, or admin activity. |
| Post-patch integrity | After updating, inspect modified PHP files, unknown admin users, scheduled tasks, payment-page scripts, and outbound connections. |
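
One way to run the package-version check from the table against a store's composer.lock, as an added example that is not code from Sansec, Mirasvit, or this article. The sample lock content and the bundle package name are constructed; the package name and fixed version come from the text above.

```python
import json

PACKAGE = "mirasvit/module-cache-warmer"
FIXED = (1, 11, 12)  # first fixed release named in the article


def parse_version(text):
    """Parse '1.11.9' or 'v1.11.12' into an int tuple; None if not purely numeric."""
    parts = text.lstrip("v").split(".")
    if not all(part.isdigit() for part in parts):
        return None  # e.g. 'dev-master' or a pre-release suffix: check by hand
    return tuple(int(part) for part in parts)


def check_lock(lock_text):
    """Return (status, version); status is absent, vulnerable, fixed or unknown."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name", "").lower() != PACKAGE:
                continue
            raw = pkg.get("version", "")
            version = parse_version(raw)
            if version is None:
                return ("unknown", raw)
            # Compare numerically: as strings, "1.11.9" sorts after "1.11.12".
            return ("vulnerable" if version < FIXED else "fixed", raw)
    return ("absent", None)


# Constructed composer.lock fragment: the module arrives as a dependency of
# a hypothetical bundle package, which is how it can be installed unnoticed.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "example-vendor/seo-bundle", "version": "2.4.0"},
        {"name": "mirasvit/module-cache-warmer", "version": "1.11.9"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))
```

A module copied into app/code rather than installed through Composer does not appear in composer.lock, so an "absent" result still calls for the module-status check mentioned above.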
Why This Cookie Matters
Cache warmers normally simulate visitor states so a store can prebuild pages for different currencies, customer groups, or session conditions. The dangerous part in this case is that the extension processed attacker-controlled cookie data with PHP’s native unserialize(). That is a classic object-injection pattern: PHP rebuilds objects from input, and Magento’s dependency graph can provide gadget chains that turn deserialization into code execution.
This is different from a simple admin-panel bug. A visitor does not need a login, checkout account, or staff access. If the vulnerable code path is present and reachable, the request itself can become the exploit carrier.
What Store Owners Should Do
- Update Mirasvit Full Page Cache Warmer to 1.11.12 or later. If the extension came through a bundle, update the bundle and confirm the module package version after deployment.
- Temporarily disable or remove the module if patching cannot be completed immediately. A performance feature is not worth leaving an unauthenticated RCE path exposed.
- Search web and WAF logs for suspicious CacheWarmer cookies, especially long encoded values, serialized PHP object markers, repeated 500 responses, or requests followed by new executable files.
- Check Magento and Adobe Commerce file integrity, unknown admin accounts, cron jobs, checkout JavaScript, payment-page changes, and recently changed PHP files.
- Rotate secrets if compromise is plausible: admin passwords, API tokens, deployment keys, database credentials, payment integration keys, and any credentials stored on the web server.
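
The log search from the list above, sketched as an added example that is not code from Sansec, Mirasvit, or this article. It assumes the cookie is literally named CacheWarmer, that the web server logs the Cookie header (here nginx "combined" format with "$http_cookie" appended), and that values may be URL-encoded or base64-encoded; the log lines and the size threshold are constructed.

```python
import base64
import re
from urllib.parse import unquote

# Assumption: the cookie is literally named "CacheWarmer", as the article writes it.
COOKIE_RE = re.compile(r'(?:^|[;\s"])CacheWarmer=([^;"\s]*)')
# PHP serialize() object markers: O:<len>:"Class":<count>: or C:<len>:"Class":<len>:
OBJECT_RE = re.compile(r'(?:^|[;{])[OC]:\d+:"[^"]+":\d+:')
MAX_LEN = 512  # constructed threshold; tune it to the store's normal cookie sizes

def decodings(value):
    """Return the raw value plus its URL-decoded and base64-decoded forms."""
    forms = {value, unquote(value)}
    for form in list(forms):
        try:
            padded = form + "=" * (-len(form) % 4)
            forms.add(base64.b64decode(padded, validate=True).decode("latin-1"))
        except ValueError:  # not base64 (binascii.Error is a ValueError)
            pass
    return forms

def inspect_line(line):
    """Return the reasons a log line deserves a closer look (empty if none)."""
    reasons = []
    for value in COOKIE_RE.findall(line):
        if len(value) > MAX_LEN:
            reasons.append("oversized")
        if any(OBJECT_RE.search(form) for form in decodings(value)):
            reasons.append("serialized-object")
    return reasons

def scan(lines):
    """Return (line_number, reasons) for every flagged line, 1-indexed."""
    hits = [(n, inspect_line(line)) for n, line in enumerate(lines, 1)]
    return [(n, reasons) for n, reasons in hits if reasons]

# Constructed sample lines; the serialized value is a harmless empty stdClass marker.
_PREFIX = '203.0.113.7 - - [01/Jun/2026:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "-" '
_B64 = base64.b64encode(b'O:8:"stdClass":0:{}').decode()
SAMPLE_LOG = [
    _PREFIX + '"PHPSESSID=abc; CacheWarmer=eur_guest"',
    _PREFIX + '"CacheWarmer=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"',
    _PREFIX + f'"PHPSESSID=abc; CacheWarmer={_B64}"',
    _PREFIX + '"CacheWarmer=' + "A" * 600 + '"',
]

if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(reasons)}")
```

Flagged lines are leads for the correlation the list describes (500 responses, new files, admin changes), not proof of compromise on their own.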
Gridinsoft previously covered exploited Adobe Commerce issues such as CosmicSting, and the operational lesson is similar: patching is only the first step after a publicly exploited ecommerce bug. The second step is to look for the signs that the store was touched before the update landed.
FAQ
Is CVE-2026-45247 already exploited?
Yes. CISA placed CVE-2026-45247 in the Known Exploited Vulnerabilities catalog on June 3, 2026, which means exploitation has been observed.
Is Magento itself vulnerable?
The public advisory names Mirasvit Full Page Cache Warmer for Magento 2, not Magento core. However, Magento and Adobe Commerce stores using the vulnerable extension are the affected systems.
Is updating enough?
Updating closes the known vulnerable path, but it does not prove the store was never exploited. Review logs and file integrity if the module was exposed before the patch.
References
- Sansec Forensics Team. “Critical vulnerability in Mirasvit Cache Warmer for Magento.” Sansec Threat Research, published May 26, 2026, accessed June 4, 2026. https://sansec.io/research/mirasvit-cache-warmer-object-injection
- Cybersecurity and Infrastructure Security Agency. “CISA Catalog of Known Exploited Vulnerabilities.” Catalog version 2026.06.03, released June 3, 2026, accessed June 4, 2026. https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- National Vulnerability Database. “CVE-2026-45247 Detail.” NIST NVD, accessed June 4, 2026. https://nvd.nist.gov/vuln/detail/CVE-2026-45247
- Mirasvit. “Full Page Cache Warmer for Magento 2 – What’s New.” Mirasvit changelog for mirasvit/module-cache-warmer, accessed June 4, 2026. https://mirasvit.com/package/changelog/?package=mirasvit/module-cache-warmer

