Mirasvit Cache Warmer Exploitation on Magento Stores

Attackers are actively exploiting **CVE-2026-45247** in **Mirasvit Cache Warmer** for **Magento**, exposing unpatched storefronts to unauthenticated remote code execution. The flaw affects versions before **1.11.12** and stems from unsafe deserialization of attacker-controlled data supplied through the **CacheWarmer** cookie. Available technical details describe crafted serialized PHP object payloads delivered in HTTP requests, with exploitation attempting to execute arbitrary PHP code on the server. Observed attack traffic moved beyond disclosure and patching into live exploitation activity against vulnerable Magento environments. The requests used base64-encoded serialized objects and included attempts to invoke functions such as **system()** and **current()**, indicating validation of code execution rather than simple probing. Available reporting places activity against gaming and business sites and notes observations in the **U.S., U.K., France, and Australia**, but it does not quantify how many stores were compromised. Mirasvit released fixes on **May 25, 2026**, and **CISA** later added **CVE-2026-45247** to the **Known Exploited Vulnerabilities** catalog after in-the-wild exploitation was confirmed. That KEV action set a **June 6, 2026** remediation deadline for Federal Civilian Executive Branch agencies and raises urgency for any organization still running affected versions. Available evidence confirms exploitation attempts and patch availability, but it does not identify a threat actor, name compromised organizations, or establish the full reach of exposed installations.