Critical Magento RCE Vulnerability CVE-2026-45247 Explained: What You Need to Know & How to Patch (2026)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Mirasvit Cache Warmer, a popular Magento full-page cache extension, to its Known Exploited Vulnerabilities (KEV) catalog, a significant development for Magento operators. The vulnerability, tracked as CVE-2026-45247, carries a CVSS score of 9.8, indicating its potential for severe impact. It stems from the deserialization of untrusted data, which can be exploited to execute arbitrary PHP code on affected servers.

What makes this particular vulnerability concerning is its active exploitation in the wild. Security firm Sansec reported that the PHP object injection vulnerability can be exploited through any storefront request carrying a crafted CacheWarmer cookie, which then deserializes part of the cookie value without requiring authentication or admin privileges. This is a critical flaw, as it allows attackers to control the objects PHP reconstructs, leading to PHP object injection (CWE-502). When combined with gadget chains from classes that Magento and its dependencies ship, object injection escalates to remote code execution, a highly dangerous scenario.

Thales-owned Imperva has observed active attack activity attempting to exploit CVE-2026-45247 through serialized PHP object payloads delivered in malicious HTTP requests. These payloads are designed to trigger PHP object deserialization and achieve remote code execution by invoking functions such as system() and current() to run arbitrary commands on the underlying server. The targets have primarily been gaming and business sites, with the U.S., the U.K., France, and Australia the most targeted countries. The apparent goal of these attempts is to flag vulnerable Magento environments and confirm that remote code execution is possible.

Given the active exploitation of this vulnerability, Federal Civilian Executive Branch (FCEB) agencies have been ordered to apply the fixes by June 6, 2026. Site owners are advised to audit for storefront requests that carry a CacheWarmer cookie whose value contains the marker 'CacheWarmer:' followed by a Base64-encoded string. This is a strong indicator of an exploitation attempt: PHP's serialize() output begins with a type prefix such as 'O:' (object), 'C:' (custom-serialized class) or 'a:' (array), and those prefixes Base64-encode to values starting with 'Tz', 'Qz', or 'YT'.
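The audit described above can be scripted. The following is an added example written for this article, not code from Sansec, Imperva or Mirasvit: it scans access-log lines for a cookie value carrying the 'CacheWarmer:' marker, percent-decodes the cookie, Base64-decodes what follows the marker, and reports whether the decoded bytes are a serialized PHP object, custom-serialized class or array (the 'Tz', 'Qz', 'YT' prefixes) and, for objects, which class name the payload names. The log format is an assumption (a combined-style line with the Cookie header appended as the last quoted field), and the sample lines are constructed, with a harmless stdClass object standing in for any real payload.

```python
"""Scan access-log lines for the CacheWarmer cookie indicator (added example)."""
import base64
import binascii
import re
from urllib.parse import quote, unquote

# Indicator from the advisory: the literal marker followed by a Base64 string.
MARKER_RE = re.compile(r"CacheWarmer:([A-Za-z0-9+/=]+)")

# PHP serialize() type prefixes. Base64-encoded they become 'Tz', 'Qz' and 'YT',
# which is why those two-character prefixes are the quick indicator to grep for.
SERIALIZED_TYPES = {b"O:": "object", b"C:": "custom-class", b"a:": "array"}

# Header of a serialized PHP object: O:<name length>:"<class name>":
OBJECT_HEADER_RE = re.compile(rb'^O:(\d+):"([^"]*)":')


def cookie_values(cookie_header):
    """Split a Cookie header into (name, percent-decoded value) pairs."""
    pairs = []
    for part in cookie_header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((name.strip(), unquote(value)))
    return pairs


def classify_payload(b64):
    """Decode the Base64 after the marker and describe what it serializes."""
    padded = b64 + "=" * (-len(b64) % 4)  # tolerate stripped padding
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return {"prefix": b64[:2], "php_type": "undecodable", "class_name": None}
    php_type = SERIALIZED_TYPES.get(raw[:2], "not-serialized")
    class_name = None
    if php_type == "object":
        m = OBJECT_HEADER_RE.match(raw)
        # Only trust the class name if the declared length matches it.
        if m and int(m.group(1)) == len(m.group(2)):
            class_name = m.group(2).decode("ascii", "replace")
    return {"prefix": b64[:2], "php_type": php_type, "class_name": class_name}


def scan_log(lines):
    """Return one finding per CacheWarmer marker seen in a Cookie field."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        # Assumed log format: the Cookie header is the last double-quoted field.
        quoted = re.findall(r'"([^"]*)"', line)
        if not quoted:
            continue
        for name, value in cookie_values(quoted[-1]):
            m = MARKER_RE.search(value)
            if not m:
                continue
            info = classify_payload(m.group(1))
            info.update({"line": line_no, "cookie": name})
            findings.append(info)
    return findings


# Constructed sample traffic (not real logs). The "payloads" are a harmless
# stdClass object, a one-element array and a plain string, Base64-encoded and
# percent-encoded the way a browser or client would send them in a cookie.
_OBJ = base64.b64encode(b'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}').decode()
_ARR = base64.b64encode(b'a:1:{i:0;s:1:"x";}').decode()
_TXT = base64.b64encode(b"hello").decode()
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jun/2026:10:00:00 +0000] "GET /catalog/product/view/id/12 HTTP/1.1" '
    '200 5120 "PHPSESSID=abc123; CacheWarmer=1"',
    '10.0.0.9 - - [01/Jun/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 8192 '
    '"CacheWarmer=CacheWarmer%3A' + quote(_OBJ) + '"',
    '10.0.0.9 - - [01/Jun/2026:10:00:02 +0000] "GET / HTTP/1.1" 200 8192 '
    '"CacheWarmer=CacheWarmer%3A' + quote(_ARR) + '"',
    '10.0.0.7 - - [01/Jun/2026:10:00:03 +0000] "GET / HTTP/1.1" 200 8192 '
    '"CacheWarmer=CacheWarmer%3A' + quote(_TXT) + '"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

Only the second and third sample lines decode to serialized PHP (an object named stdClass and an array); the fourth carries the marker but decodes to plain text, which the scanner still reports so that analysts can review it rather than silently dropping it.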

This incident highlights the importance of staying vigilant and proactive in the face of evolving cybersecurity threats. It also underscores the need for organizations to regularly update their software and security measures to protect against known vulnerabilities. As the cybersecurity landscape continues to evolve, it is crucial to stay informed and take appropriate actions to safeguard sensitive data and systems.

Author: Nicola Considine CPA