{"id":1155,"date":"2026-06-04T08:27:32","date_gmt":"2026-06-04T08:27:32","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=1155"},"modified":"2026-06-04T08:27:32","modified_gmt":"2026-06-04T08:27:32","slug":"cisa-adds-exploited-magento-rce-flaw-cve-2026-45247-to-kev-catalog","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=1155","title":{"rendered":"CISA Adds Exploited Magento RCE Flaw CVE-2026-45247 to KEV Catalog"},"content":{"rendered":"
\n

\ue804<\/i>Ravie Lakshmanan<\/span>\ue802<\/i>Jun 04, 2026<\/span><\/span>Web Security \/ Vulnerability<\/span><\/p>\n<\/div>\n

\n
<\/a><\/div>\n

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added<\/a> a critical flaw impacting Mirasvit Cache Warmer, a popular Magento full-page cache extension, to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation in the wild.<\/p>\n

The vulnerability, tracked as CVE-2026-45247<\/a><\/b> (CVSS score: 9.8), is a case of deserialization of untrusted data that could be exploited to execute arbitrary PHP code on an affected server.<\/p>\n

\u00abMirasvit Full Page Cache Warmer contains a deserialization of untrusted data vulnerability that could allow unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie,\u00bb CISA said<\/a>.<\/p>\n

The shortcoming impacts all versions of the extension prior to version 1.11.12. Patches for the were released on May 25, 2026.<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

The addition of CVE-2026-45247 to the KEV catalog comes days after Sansec said the PHP object injection vulnerability could be exploited by means of any storefront request carrying a crafted CacheWarmer cookie, which then deserializes part of the cookie value with PHP’s native unserialize() function without requiring any authentication or admin privileges.<\/p>\n

<\/p>\n

\u00abBecause that value comes straight from the client, an attacker controls the objects PHP reconstructs,\u00bb the Dutch security company said<\/a>. \u00abThis is PHP object injection (CWE-502). Combined with a gadget chain from classes that Magento and its dependencies already ship, object injection escalates to remote code execution.\u00bb<\/p>\n

Sansec said it identified about 6,000 stores running Mirasvit extensions, although the exact number is likely to be higher given that content delivery networks (CDNs) like Cloudflare mask installs.<\/p>\n

Thales-owned Imperva has since disclosed it has observed active attack activity attempting to exploit CVE-2026-45247 through serialized PHP object payloads delivered via malicious HTTP requests.<\/p>\n

\u00abObserved payloads contain base64-encoded serialized objects designed to trigger PHP Object Deserialization and achieve remote code execution through commonly abused gadget chains,\u00bb the company said<\/a>. \u00abThe payloads attempt to invoke functions such as system() and current() to execute arbitrary commands on the underlying server. In several observed cases, attackers used test commands designed to validate successful code execution.\u00bb<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

The activity has primarily singled out gaming and business sites, with the U.S., the U.K., France, and Australia emerging as the most targeted countries. It’s currently not known who is behind the exploitation efforts, although the end goal appears to be to flag vulnerable Magento environments and confirm remote code execution is possible.<\/p>\n

In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies have been ordered to apply the fixes by June 6, 2026. To detect potential exploitation efforts, site owners are advised to audit for storefront requests that carry a CacheWarmer cookie whose value contains the marker \u00abCacheWarmer:\u00bb followed by a Base64-encoded string.<\/p>\n

\u00abSerialized PHP objects base64-encode to values starting with Tz, Qz or YT, so a CacheWarmer cookie value matching CacheWarmer:(Tz|Qz|YT) is a strong indicator of an exploitation attempt,\u00bb Sansec added.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

\ue804Ravie Lakshmanan\ue802Jun 04, 2026Web Security \/ Vulnerability The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical flaw impacting Mirasvit Cache Warmer, a popular Magento full-page cache…<\/p>\n","protected":false},"author":1,"featured_media":1156,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[200,204,62,1899,128,70,203,793,316],"class_list":["post-1155","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-adds","tag-catalog","tag-cisa","tag-cve202645247","tag-exploited","tag-flaw","tag-kev","tag-magento","tag-rce"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/1155","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1155"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/1155\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/1156"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1155"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1155"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1155"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}