CISA confirmed active exploitation of a critical remote code execution vulnerability in the Mirasvit Full Page Cache Warmer extension for Magento 2 on 3 June, adding CVE-2026-45247 to the Known Exploited Vulnerabilities catalogue. The vulnerability carries a CVSS score of 9.8 and requires no authentication — an attacker can achieve arbitrary PHP code execution on a Magento 2 server simply by sending a crafted HTTP request with a malicious serialised cookie value.
The patch (Mirasvit FPC Warmer v1.11.12 and later) was released on 25 May. The KEV addition gives federal agencies until 24 June to remediate; for commercial organisations, exploitation in the wild means immediate patching is warranted.
Vulnerability Mechanics
CVE-2026-45247 is a PHP object deserialization vulnerability in the CacheWarmer cookie handling code of the Mirasvit Full Page Cache Warmer extension. The extension deserialises user-supplied data from a cookie without adequate validation, accepting an attacker-controlled serialised PHP object.
PHP deserialization attacks exploit the language's object serialisation mechanism. When unserialize() rebuilds an object, PHP calls magic methods on it automatically: __wakeup() (or __unserialize()) as soon as the object is created, and __destruct() when it is freed; __toString(), __call() and __get() can be reached later, depending on how the application uses the object. A gadget chain is a set of classes that already exist in the application whose magic methods, given attacker-chosen property values, hand control from one to the next until they reach a dangerous sink such as file_put_contents(), eval() or a shell call. The attacker never uploads new PHP code; the payload only selects which existing code runs and with what arguments.
Magento 2 and its Composer dependencies (Monolog, Laminas, Guzzle and Symfony components among them) ship many classes with published gadget chains, which makes deserialization bugs in this ecosystem unusually reliable to exploit. Because the CacheWarmer cookie is read before any authentication check, the path is fully unauthenticated: a single storefront request carrying the crafted cookie is enough.
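The pattern described above, as an added illustration rather than Mirasvit's code: a cookie passed straight to unserialize(), a stand-in gadget class whose __destruct() fires on the attacker's object, and two hardened readers. The class name, cookie name and payload are hypothetical and constructed here; a real chain would use classes already present in Magento or its dependencies. Save it to a file and run it with php.

```php
<?php
// Added illustration (not Mirasvit's code): the vulnerable pattern the advisory
// describes, next to two hardened versions. Class and cookie names are hypothetical.

// A benign-looking class the application already ships. In a real gadget chain this
// would be a class from Magento or a Composer dependency whose __destruct()/__wakeup()
// does something useful to an attacker. unserialize() alone is enough to make PHP call it.
class LogFlusher
{
    public string $cmd = 'true';

    public function __destruct()
    {
        // Stand-in for the dangerous sink a real gadget reaches (no command is run here).
        echo "[gadget] __destruct() reached; would run: {$this->cmd}\n";
    }
}

// Vulnerable: the cookie is trusted as a serialised object graph.
function readWarmerStateVulnerable(array $cookies): array
{
    $raw = $cookies['fpc_warmer'] ?? '';
    $state = @unserialize($raw);            // attacker chooses the class and its properties
    return is_array($state) ? $state : [];  // the object is freed here -> __destruct() fires
}

// Minimum fix when the serialised format cannot be changed yet: refuse objects.
// Any O:... payload becomes __PHP_Incomplete_Class and no real magic method runs.
function readWarmerStateNoObjects(array $cookies): array
{
    $raw = $cookies['fpc_warmer'] ?? '';
    $state = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($state) ? $state : [];
}

// Preferred fix: a data-only format, then only the fields the feature needs, typed.
function readWarmerStateHardened(array $cookies): array
{
    $raw = $cookies['fpc_warmer'] ?? '';
    $state = json_decode($raw, true, 8);
    if (!is_array($state)) {
        return [];
    }
    return [
        'urls_seen' => (int) ($state['urls_seen'] ?? 0),
        'last_run'  => (int) ($state['last_run'] ?? 0),
    ];
}

// Constructed attacker cookie: a serialised LogFlusher with a chosen command.
$malicious = 'O:10:"LogFlusher":1:{s:3:"cmd";s:13:"id > /tmp/pwn";}';

echo "vulnerable path:\n";
readWarmerStateVulnerable(['fpc_warmer' => $malicious]);          // prints the [gadget] line

echo "allowed_classes => false:\n";
var_dump(readWarmerStateNoObjects(['fpc_warmer' => $malicious])); // array(0) {}

echo "json path:\n";
var_dump(readWarmerStateHardened(['fpc_warmer' => $malicious])); // array(0) {}
var_dump(readWarmerStateHardened(['fpc_warmer' => '{"urls_seen":12,"last_run":1717400000}']));
```

The point of the first function is that nothing in it looks like code execution: the destructor runs because the local variable goes out of scope, which is why static review so often misses this class of bug. allowed_classes => false is the smallest change that closes the gadget route; moving cookie state to JSON with explicit casts removes the serialiser from the attack surface altogether.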
CVSS 9.8 breakdown:
- Attack vector: Network (no local access required)
- Attack complexity: Low (no special conditions or timing)
- Privileges required: None (unauthenticated)
- User interaction: None
- Impact: Confidentiality HIGH, Integrity HIGH, Availability HIGH
Affected Versions
Mirasvit Full Page Cache Warmer for Magento 2, all versions prior to v1.11.12.
This extension is available through Magento Marketplace and direct vendor distribution. Organisations using Mirasvit FPC Warmer should check the installed version with Composer from the Magento root (composer show | grep -i mirasvit); bin/magento module:status | grep Mirasvit only reports whether the module is enabled, and the admin Module Output screen (Stores → Configuration → Advanced → Advanced) lists modules without their versions. If the extension was installed by copying it into app/code rather than via Composer, read the version from the module's own composer.json.
Observed Exploitation
Active exploitation was confirmed prior to CISA's KEV addition. Gadget chains for the libraries Magento 2 depends on are public and packaged in tooling such as PHPGGC, so building a working payload requires no novel research. Following the KEV confirmation, organisations should assume any internet-exposed Magento 2 instance that ran the unpatched Mirasvit FPC Warmer has been scanned and targeted, and treat it as potentially compromised until the audit steps below say otherwise.
Typical post-exploitation objectives in Magento compromises include credit card skimmer injection (Magecart-style), customer PII extraction, and administrative credential harvesting. Magento stores contain payment card data, customer personally identifiable information, and order histories — high-value targets for financial and identity theft actors.
Recommended Actions
- Update Mirasvit FPC Warmer to v1.11.12 or later immediately. The patch is available from the Mirasvit vendor portal and Magento Marketplace.
- If immediate patching is not possible: disable the Mirasvit_CacheWarmer module (bin/magento module:disable Mirasvit_CacheWarmer, followed by the bin/magento setup:upgrade that Magento prompts for and bin/magento cache:flush) until the patch can be applied. This removes the vulnerable code path at the cost of cache warming. Confirm with bin/magento module:status that the module is disabled; turning it off only in the admin Module Output screen suppresses its rendered output but still loads its PHP code.
- Audit for compromise indicators: review web server and PHP-FPM logs for requests whose cookies look like serialised objects (O:<n>:" or its URL-encoded form O%3A), for PHP processes spawned by the web server user, for unexpected cron jobs, and for injected JavaScript in theme files or in the database (the design/head/includes configuration value and the cms_block and cms_page tables are common skimmer locations). List any PHP files under pub/static/ and pub/media/, for example with find; none should exist there, and they are a common webshell drop location.
- Review all Mirasvit extensions: organisations using Mirasvit products should audit all installed Mirasvit extensions for pending security updates, since deserialization vulnerabilities often affect multiple related extensions when the underlying code pattern is shared.
- Web Application Firewall rules: WAF rules targeting PHP serialised object patterns in cookie values (O:\d+:") can provide a compensating control while the patch is applied, and many WAF vendors have released signatures for CVE-2026-45247. The rule must match after URL decoding (the cookie will normally arrive as O%3A...) and should also inspect base64-wrapped values; a rule on the literal pattern alone is trivially bypassed. Test against legitimate traffic first: Magento's own cookies should never carry serialised PHP objects, so false positives should be rare.
Broader Pattern
CVE-2026-45247 is the fourth CISA KEV addition involving PHP deserialization in Magento or related eCommerce extensions in 2025–2026. The pattern reflects a structural weakness in the PHP/Magento extension ecosystem: third-party extensions frequently handle user-supplied data with the same deserialisation mechanisms as core Magento code, but without the security review attention that the core platform receives. A Magento installation’s actual attack surface is a function of every installed extension, not just the core platform version.