Magento Security Alert: CISA Flags Exploited Flaw CVE-2026-45247 (2026)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, CVE-2026-45247, affects Mirasvit Cache Warmer, a popular Magento full-page cache extension, and is a significant threat because it can lead to remote code execution. The root cause is deserialization of untrusted data, which allows unauthenticated attackers to execute arbitrary PHP code on affected servers.

What makes this vulnerability particularly concerning is how easily it can be exploited. Sansec, a Dutch security company, has reported that the PHP object injection vulnerability can be triggered through any storefront request carrying a crafted CacheWarmer cookie. The cookie value is then deserialized using PHP's native unserialize() function, and the request requires no authentication or admin privileges. The result is PHP object injection (CWE-502), which, when combined with gadget chains from classes that Magento and its dependencies ship, escalates to remote code execution.

The potential impact of this vulnerability is vast: Sansec has identified approximately 6,000 stores running Mirasvit extensions. The actual number is likely to be higher, because content delivery networks (CDNs) like Cloudflare mask installs. Thales-owned Imperva has further confirmed the threat, observing active attack activity that attempts to exploit CVE-2026-45247 through serialized PHP object payloads delivered via malicious HTTP requests. These payloads are designed to trigger PHP object deserialization and achieve remote code execution by invoking functions such as system() and current() to execute arbitrary commands on the underlying server.

The targets of these attacks have primarily been gaming and business sites, with the U.S., the U.K., France, and Australia emerging as the most targeted countries. The end goal of these exploitation efforts appears to be to flag vulnerable Magento environments and confirm remote code execution is possible. In response to the active exploitation, Federal Civilian Executive Branch (FCEB) agencies have been ordered to apply the fixes by June 6, 2026. To detect potential exploitation efforts, site owners are advised to audit for storefront requests that carry a CacheWarmer cookie whose value contains the marker 'CacheWarmer:' followed by a Base64-encoded string.
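One way to run the audit described above, as an added example that is not code from Sansec, Mirasvit or the original article. It assumes a tab-separated log layout (client, request line, Cookie header) that your web server or WAF is configured to emit, and the PHP object-token check is an extra ranking heuristic based on the generic serialize() format, not something the article specifies.

```python
import base64
import re
from urllib.parse import quote, unquote

# Marker from the advisory text: 'CacheWarmer:' followed by a Base64 string.
MARKER_RE = re.compile(r"CacheWarmer:([A-Za-z0-9+/]+={0,2})")
# Generic PHP serialize() object token such as O:8:"stdClass". Assumption: used
# only to rank hits; the page does not describe payload contents.
PHP_OBJECT_RE = re.compile(rb'O:\d+:"')


def inspect_cookie_header(header):
    """Return a finding dict for a suspicious CacheWarmer cookie, else None."""
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if not sep or name != "CacheWarmer":
            continue
        match = MARKER_RE.search(unquote(value.strip('"')))  # undo %3A, %3D
        if not match:
            continue
        b64 = match.group(1).rstrip("=")
        try:
            decoded = base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True)
        except ValueError:  # binascii.Error: marker present, Base64 malformed
            decoded = b""
        return {"base64_len": len(b64),
                "php_object": bool(PHP_OBJECT_RE.search(decoded))}
    return None


def scan(lines):
    """Scan 'client<TAB>request<TAB>Cookie header' lines (assumed log layout)."""
    findings = []
    for line in lines:
        fields = line.rstrip("\n").split("\t", 2)
        hit = inspect_cookie_header(fields[2]) if len(fields) == 3 else None
        if hit:
            findings.append({"client": fields[0], "request": fields[1], **hit})
    return findings


# Constructed sample lines; the payloads are inert serialized values.
_obj = base64.b64encode(b'O:8:"stdClass":0:{}').decode()
_arr = base64.b64encode(b"a:1:{i:0;i:1;}").decode()
SAMPLE_LOG = [
    "203.0.113.7\tGET / HTTP/1.1\tPHPSESSID=abc123; form_key=xyz",
    "198.51.100.23\tGET /catalog HTTP/1.1\tPHPSESSID=def; CacheWarmer="
    + quote("CacheWarmer:" + _obj, safe=""),
    "198.51.100.24\tGET / HTTP/1.1\tCacheWarmer=CacheWarmer:" + _arr,
]
```

Every request carrying the marker is reported, as the article advises; `php_object` only helps decide which hits to triage first.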

This incident underscores the importance of staying vigilant and proactive in the face of evolving cybersecurity threats. It serves as a reminder that even popular and widely used software can have critical vulnerabilities, and it is crucial to keep software up to date and implement robust security measures to protect against potential exploits. As the cybersecurity landscape continues to evolve, organizations and individuals must remain adaptable and informed to effectively defend against emerging threats.

Author: Trent Wehner
