Summarize with:

Share
CVE-2026-45247 is a critical vulnerability in the Mirasvit Full Page Cache Warmer extension for Magento 2 and Adobe Commerce. Public reporting says the bug can let unauthenticated attackers send a crafted CacheWarmer cookie that reaches PHP deserialization and can lead to remote code execution on exposed storefronts. The issue is more urgent because CISA added the CVE to its Known Exploited Vulnerabilities catalog on June 3, 2026, confirming active exploitation concerns rather than a purely theoretical bug.
For defenders, this is a high-priority edge application problem. The weakness sits in a public-facing e-commerce path, requires no login, and affects a plugin that some stores may inherit through broader Mirasvit packages. If attackers land code execution on a Magento host, the follow-on exploit path can include webshell deployment, payment-page tampering, customer-data exposure, and deeper compromise of adjacent systems.
Sansec disclosed the flaw on May 26, 2026 after reporting it privately to Mirasvit. According to the advisory, vulnerable versions of Cache Warmer process attacker-controlled serialized data from the CacheWarmer cookie. With a suitable gadget chain, that input can be converted into code execution on the server.
The public timeline is short and important:
1.11.12That sequence matters because it means patch details and exploit logic have likely become easier for attackers to study. Once a deserialization flaw in a public storefront component is understood, scanning and mass exploitation can scale quickly.
This is not an admin-only weakness. The reported attack vector uses a cookie on storefront requests, so exposed web nodes, WAF policies, and application logging all become part of the detection and containment story.
Sansec noted that Cache Warmer is bundled with several Mirasvit packages. That increases the chance of hidden exposure, especially in stores with older extension bundles, inherited agency builds, or weak software inventory discipline.
If an attacker reaches code execution on the app tier, the next steps often target skimmers, admin credential theft, cron persistence, or staging points for broader lateral movement. This is where segmentation, hardened admin access, and strong incident response discipline matter more than a simple patch-only mindset.
NVD describes the flaw as affecting Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12. Mirasvit's own changelog confirms the fixed branch was released on May 25, 2026. Any merchant or service provider running an earlier build should treat the store as potentially exposed until verified otherwise.
Because some teams manage multiple storefronts and packaged extension sets, it is worth checking all production, staging, and disaster-recovery environments instead of validating only the main revenue site.
Upgrade the Cache Warmer extension immediately. If the plugin is included through a broader package, verify the exact installed module version instead of assuming the meta-package resolved it correctly.
CacheWarmer cookie activitySansec highlighted a useful detection clue: malicious requests may include a CacheWarmer: prefix followed by a base64-encoded serialized payload. Review reverse-proxy, CDN, WAF, and origin logs for abnormal cookie values, especially ones beginning with patterns associated with serialized PHP objects.
Check for unexpected PHP files in web-accessible directories, suspicious cron entries, unusual outbound connections, modified payment templates, or admin-side persistence. Remote code execution on a commerce node should trigger full compromise assessment, not just a patch-and-move-on workflow.
Limit admin panels, SSH, database access, and internal services reachable from the application tier. Strong network segmentation and strict access control reduce how far a storefront compromise can spread.
If the environment already uses file-integrity monitoring, CSP reporting, payment-page monitoring, or external store scanners, review recent alerts around the disclosure window. For Magento teams, the real damage often shows up after initial access, not during it.
Start with three questions:
CacheWarmer cookie values before patching?A lightweight hunt can combine WAF logs, origin logs, EDR telemetry, and file-integrity events for the same host group. Teams should also compare timestamps around the public disclosure date and the June 3, 2026 KEV addition, because those moments often drive opportunistic scanning spikes.
CVE-2026-45247 is the kind of bug that turns a performance-oriented extension into an emergency attack surface. The lesson is not only "patch faster." It is also that e-commerce stacks need tighter component inventory, better extension governance, and clearer incident playbooks for third-party modules running on internet-facing revenue systems.
When a public storefront plugin moves into KEV territory, the right response is to treat it like an active intrusion risk: patch, hunt, validate integrity, and assume the attacker may try to persist beyond the original request path.
Written by
Research
A DevOps engineer and cybersecurity enthusiast with a passion for uncovering the latest in zero-day exploits, automation, and emerging tech. I write to share real-world insights from the trenches of IT and security, aiming to make complex topics more accessible and actionable. Whether I’m building tools, tracking threat actors, or experimenting with AI workflows, I’m always exploring new ways to stay one step ahead in today’s fast-moving digital landscape.
Get the latest cybersecurity insights in your inbox.
Cloud & Application SecurityCVE-2026-45829: ChromaDB Pre-Auth RCE Risk in AI Stacks | 2026 Executive Summary CVE-2026-45829 is a critical ChromaDB flaw that can let unauthenticated attacke...
Cloud & Application SecurityLiteLLM SQL injection flaw puts AI gateways on the front line CVE-2026-42208 matters because it turns an AI gateway into a high-value choke point for attackers....
Cloud & Application SecurityVishing and SSO abuse are accelerating rapid SaaS extortion The most dangerous part of modern SaaS intrusions is not always malware. Sometimes it is speed, trus...