Vulnerability
Exploitation Wave
Mirasvit Cache Warmer Exploitation on Magento Stores
Updated 04.06.2026 10:19
Case score 66
Why this score?
Case score is a discovery signal based on public evidence, not a guaranteed risk rating. Use it to decide what to review first, then verify important details from the linked sources.
- Total
- 66
- Main story score
- 63
- Related evidence lift
- +3 / 20
- Contributing updates
- 1
- Context updates
- 0
Top contributors
- Vulnerability Defines the exploited flaw, affected versions, patch status, KEV listing, and federal remediation deadline. main
- Exploitation Wave Adds observed exploitation behavior, targeting context, and technical indicators from attack traffic. contributes
Members 2
First seen 04.06.2026 10:19
Latest activity 04.06.2026 10:19
Overview
Active exploitation of **CVE-2026-45247** in **Mirasvit Cache Warmer** has turned a critical Magento extension flaw into a live remote-code-execution risk for exposed storefronts. The vulnerability affects versions before **1.11.12** and abuse centers on crafted serialized PHP objects sent through the **CacheWarmer** cookie, with observed requests attempting to validate code execution on vulnerable servers.
The activity has progressed from patch release into confirmed in-the-wild exploitation and **CISA KEV** action. Mirasvit released fixes on **May 25, 2026**, and Federal Civilian Executive Branch agencies were then given a **June 6, 2026** deadline to remediate, while available evidence still leaves the full reach, victim list, and actor identity unresolved.
Latest development Open development history Imperva observes serialized PHP object payloads targeting vulnerable Magento stores Imperva observed active attack activity against vulnerable Magento storefronts using malicious HTTP requests that carried serialized PHP object payloads in the CacheWarmer cookie; the observed payloads were base64-encoded objects designed to trigger PHP object deserialization and execute commands such as system() and current(), with gaming and business sites in the U.S., the U.K., France, and Australia among the primary targets.
-
CISA adds CVE-2026-45247 to the KEV catalog after active exploitation
CISA added CVE-2026-45247, a CVSS 9.8 deserialization of untrusted data flaw in Mirasvit Cache Warmer for Magento, to the Known Exploited Vulnerabilities catalog after reports of active exploitation in the wild. Imperva also observed malicious HTTP requests carrying serialized PHP object payloads that attempted remote code execution on affected servers.
Attackers are actively exploiting **CVE-2026-45247** in **Mirasvit Cache Warmer** for **Magento**, exposing unpatched storefronts to unauthenticated remote code execution. The flaw affects versions before **1.11.12** and stems from unsafe deserialization of attacker-controlled data supplied through the **CacheWarmer** cookie. Available technical details describe crafted serialized PHP object payloads delivered in HTTP requests, with exploitation attempting to execute arbitrary PHP code on the server.
Observed attack traffic moved beyond disclosure and patching into live exploitation activity against vulnerable Magento environments. The requests used base64-encoded serialized objects and included attempts to invoke functions such as **system()** and **current()**, indicating validation of code execution rather than simple probing. Available reporting places activity against gaming and business sites and notes observations in the **U.S., U.K., France, and Australia**, but it does not quantify how many stores were compromised.
Mirasvit released fixes on **May 25, 2026**, and **CISA** later added **CVE-2026-45247** to the **Known Exploited Vulnerabilities** catalog after in-the-wild exploitation was confirmed. That KEV action set a **June 6, 2026** remediation deadline for Federal Civilian Executive Branch agencies and raises urgency for any organization still running affected versions. Available evidence confirms exploitation attempts and patch availability, but it does not identify a threat actor, name compromised organizations, or establish the full reach of exposed installations.
Signals
Impact signals
Exploitation
CVEs/products
Remediation
Technical intelligence
Existing Case dataMember happenings
Vulnerability
Mirasvit Cache Warmer RCE (CVE-2026-45247)
Exploitation
Active Exploitation
Exploit
No Known Public Exploit
CVSS
9.8 Critical
Patch
Patch Available
Vulnerability
Mirasvit Cache Warmer RCE (CVE-2026-45247)
Exploitation
Active Exploitation
Exploit
No Known Public Exploit
CVSS
9.8 Critical
Patch
Patch Available
Exploitation Wave
Magento exploitation wave for CVE-2026-45247
Exploitation
Active Exploitation
CVSS
9.8 Critical
Patch
Patch Available
Exploitation Wave
Magento exploitation wave for CVE-2026-45247
Exploitation
Active Exploitation
CVSS
9.8 Critical
Patch
Patch Available