Find notable cyber news and cases, enriched with sources, timelines, and signals.
Vulnerability Exploitation Wave

Mirasvit Cache Warmer Exploitation on Magento Stores

Updated 04.06.2026 10:19
Case score 66
Members 2 First seen 04.06.2026 10:19 Latest activity 04.06.2026 10:19

Overview

Active exploitation of **CVE-2026-45247** in **Mirasvit Cache Warmer** has turned a critical Magento extension flaw into a live remote-code-execution risk for exposed storefronts. The vulnerability affects versions before **1.11.12** and abuse centers on crafted serialized PHP objects sent through the **CacheWarmer** cookie, with observed requests attempting to validate code execution on vulnerable servers. The activity has progressed from patch release into confirmed in-the-wild exploitation and **CISA KEV** action. Mirasvit released fixes on **May 25, 2026**, and Federal Civilian Executive Branch agencies were then given a **June 6, 2026** deadline to remediate, while available evidence still leaves the full reach, victim list, and actor identity unresolved.
Latest development Open development history 1 earlier development Imperva observes serialized PHP object payloads targeting vulnerable Magento stores Imperva observed active attack activity against vulnerable Magento storefronts using malicious HTTP requests that carried serialized PHP object payloads in the CacheWarmer cookie; the observed payloads were base64-encoded objects designed to trigger PHP object deserialization and execute commands such as system() and current(), with gaming and business sites in the U.S., the U.K., France, and Australia among the primary targets.
  1. Earlier development

    CISA adds CVE-2026-45247 to the KEV catalog after active exploitation

    CISA added CVE-2026-45247, a CVSS 9.8 deserialization of untrusted data flaw in Mirasvit Cache Warmer for Magento, to the Known Exploited Vulnerabilities catalog after reports of active exploitation in the wild. Imperva also observed malicious HTTP requests carrying serialized PHP object payloads that attempted remote code execution on affected servers.

Signals

Impact signals
Exploitation
CVEs/products
Remediation

Technical intelligence

Existing Case data

Member happenings

Vulnerability Mirasvit Cache Warmer RCE (CVE-2026-45247)
Updated 04.06.2026 10:19 Lead Contribution 63
Exploitation Active Exploitation Exploit No Known Public Exploit CVSS 9.8 Critical Patch Patch Available

**CVE-2026-45247** is a critical **deserialization of untrusted data** flaw in **Mirasvit Cache Warmer** that enables **unauthenticated remote code execution** on affected Magento servers. The vulnerability affects versions **prior to 1.11.12** and is being **actively exploited in the wild**. Fixes were released on **May 25, 2026**.

Exploitation Wave Magento exploitation wave for CVE-2026-45247
Updated 04.06.2026 10:19 Scoring Support Contribution 3
Exploitation Active Exploitation CVSS 9.8 Critical Patch Patch Available

Active exploitation of **CVE-2026-45247** is hitting **Mirasvit Cache Warmer** on **Magento** stores, with malicious requests carrying serialized PHP payloads that can lead to **remote code execution**. The wave has primarily targeted **gaming and business sites** and has been seen across the **U.S., U.K., France, and Australia**. Imperva reported that attackers are using the **CacheWarmer** cookie to deliver payloads and test whether code execution succeeds. **CISA** added the flaw to the **KEV catalog**, and unpatched versions prior to **1.11.12** remain exposed.