The CISA KEV addition of CVE-2026-45247 creates a specific compliance problem for organisations that operate Magento eCommerce infrastructure: CISA's Binding Operational Directive 22-01 requires federal civilian agencies to remediate KEV-listed vulnerabilities within the specified timeframe (24 June for CVE-2026-45247). For commercial organisations, the KEV is not directly binding, but it is widely used as a basis for contractual and regulatory remediation requirements, including PCI DSS vulnerability management controls.
The remediation is technically straightforward: update the Mirasvit Full Page Cache Warmer extension. The challenge is that many organisations cannot confidently answer whether the vulnerable extension is installed, which version is running, and whether the update has been successfully applied.
The Magento Inventory Challenge
Magento deployments are complex assets. Unlike a single-vendor SaaS platform where the vendor controls the version state, a Magento deployment combines:
- Adobe Commerce / Magento Open Source core (version controlled via Composer)
- Adobe-published security patches (applied separately from full version upgrades)
- Third-party extensions (installed via Composer or manual file installation)
- Custom code (modifications to core or extension behaviour)
- Theme customisations
This stack means a Magento deployment's effective security posture is determined by the intersection of all these components. The core platform version is a necessary but insufficient security data point; an up-to-date core platform running a vulnerable extension is itself vulnerable.
Building a Comprehensive Magento Asset Record
An accurate Magento asset record for security purposes includes:
1. Core version:

```shell
php bin/magento --version
```

2. Applied patches (Adobe Commerce only):

```shell
# Adobe Commerce only
php bin/magento patch:list --status=Installed
```

3. All installed modules and their versions:

```shell
php bin/magento module:status --enabled
```

For version information:

```shell
composer show | grep "mirasvit\|vendor-name" | awk '{print $1, $2}'
```

4. Extension installation method:

Extensions installed via Composer are tracked in composer.lock: use `composer show --no-dev` for a complete list with version pinning. Extensions installed by manual file copy are not tracked in Composer and must be discovered by directory enumeration in app/code/ and vendor/.

5. PHP version and web server:

```shell
php --version
nginx -v 2>&1 || apache2 -v 2>&1
```

The PHP version affects which deserialization mitigation options are available.
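As an added example (not code from the article), the following Python script combines steps 3 and 4 above: it reads a composer.lock for packages under a vendor prefix and enumerates app/code for hand-copied modules that Composer does not track, so both kinds of extension end up in the asset record. The composer.lock content, the package name `mirasvit/module-placeholder-warmer`, the versions and the `Acme_Custom` module are constructed placeholders, not real Mirasvit identifiers.

```python
import json
import re
import tempfile
from pathlib import Path

# Constructed sample composer.lock (not from a real deployment); the package
# name and versions are placeholders, not the real Mirasvit package id.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "magento/product-community-edition", "version": "2.4.7"},
        {"name": "mirasvit/module-placeholder-warmer", "version": "1.2.3"},
    ],
    "packages-dev": [],
})


def composer_packages(lock_text, vendor_prefix="mirasvit/"):
    """Return {name: version} for composer.lock packages whose name starts
    with vendor_prefix, covering both 'packages' and 'packages-dev'."""
    lock = json.loads(lock_text)
    return {
        pkg["name"]: pkg["version"]
        for section in ("packages", "packages-dev")
        for pkg in lock.get(section, [])
        if pkg["name"].startswith(vendor_prefix)
    }


def manual_modules(root):
    """Return {Vendor_Module: setup_version} for modules under app/code.
    These were copied in by hand, so composer.lock knows nothing about them."""
    found = {}
    for xml in Path(root, "app", "code").glob("*/*/etc/module.xml"):
        vendor, module = xml.parts[-4], xml.parts[-3]
        m = re.search(r'setup_version="([^"]+)"', xml.read_text())
        found[f"{vendor}_{module}"] = m.group(1) if m else "unknown"
    return found


def audit(root, lock_text, vendor_prefix="mirasvit/"):
    """Combine both views so the asset record lists every extension."""
    return {"composer": composer_packages(lock_text, vendor_prefix),
            "manual": manual_modules(root)}


def build_sample_tree():
    """Create a throwaway Magento-like tree with one hand-copied module."""
    root = Path(tempfile.mkdtemp())
    etc = root / "app" / "code" / "Acme" / "Custom" / "etc"
    etc.mkdir(parents=True)
    (etc / "module.xml").write_text(
        '<config><module name="Acme_Custom" setup_version="2.0.1"/></config>')
    return root
```

Run `audit(build_sample_tree(), SAMPLE_LOCK)` against the constructed tree, or point `audit` at a real Magento root and the text of its composer.lock; a module that appears only under `manual` is one that a Composer-based update will not touch.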
PCI DSS Implications
Organisations that accept payment cards via Magento are subject to PCI DSS requirements for their cardholder data environment (CDE). CVE-2026-45247's CVSS 9.8 score and active exploitation status have direct PCI DSS implications:
PCI DSS 6.3.3 requires that all software components are protected from known vulnerabilities by installing applicable security patches. For a CVSS 9.x vulnerability with a patch available, the maximum remediation period under PCI DSS 6.3.3 is one month for critical vulnerabilities.
PCI DSS 6.4.1 requires an inventory of bespoke and custom software and their associated authentication. Third-party extensions installed in a Magento CDE should be included in this inventory.
PCI DSS 11.3 requires internal and external vulnerability scanning. The extension inventory audit described above should be part of a quarterly internal scan scope review.
For PCI DSS compliance purposes, the effective date of awareness of CVE-2026-45247 as actively exploited is the CISA KEV addition date (3 June 2026). Remediation documentation should record the date of awareness, the date the patch was applied, and the person responsible for the remediation decision.
Magento Platform End-of-Life Tracking
Beyond the current CVE, organisations should track their Magento platform's end-of-life status:
| Version | Adobe Commerce EoL | Open Source EoL |
|---|---|---|
| Magento 2.4.6 | April 2026 | April 2026 |
| Magento 2.4.7 | April 2027 | April 2027 |
| Magento 2.4.8 | April 2028 | April 2028 |
Magento installations on end-of-life versions no longer receive security patches from Adobe, including for future critical vulnerabilities. Magento end-of-life status is therefore a material asset security risk that should be tracked in the asset record and included in the vulnerability management programme's remediation backlog.