Executive Summary
In early June 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-45247 to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation. This critical vulnerability, with a CVSS score of 9.8, affects Mirasvit's Full Page Cache Warmer extension for Magento 2 versions prior to 1.11.12. The flaw allows unauthenticated attackers to execute arbitrary PHP code on affected servers by sending crafted serialized PHP objects via the CacheWarmer cookie. Exploitation has been observed targeting gaming and business websites, particularly in the U.S., U.K., France, and Australia. Organizations are urged to apply the provided patches by June 6, 2026, and audit for suspicious CacheWarmer cookie values indicative of exploitation attempts.
The inclusion of CVE-2026-45247 in the KEV catalog underscores the persistent threat posed by deserialization vulnerabilities in widely used web applications. This incident highlights the importance of timely patching and vigilant monitoring to prevent unauthorized code execution and potential data breaches.
Why This Matters Now
The active exploitation of CVE-2026-45247 poses an immediate risk to organizations using vulnerable versions of the Mirasvit Cache Warmer extension. Prompt remediation is crucial to prevent potential data breaches and maintain the integrity of affected systems.
Attack Path Analysis
An unauthenticated attacker exploited a PHP object injection vulnerability in the Mirasvit Full Page Cache Warmer extension for Magento 2 by sending a crafted 'CacheWarmer' cookie, leading to remote code execution. Upon gaining initial access, the attacker escalated privileges by leveraging existing gadget chains within Magento and its dependencies. The attacker then moved laterally within the network to access other systems. They established command and control channels to maintain persistent access. Sensitive data was exfiltrated from the compromised systems. Finally, the attacker deployed ransomware, encrypting critical data and disrupting business operations.
Kill Chain Progression
Initial Compromise
Description
An unauthenticated attacker exploited a PHP object injection vulnerability in the Mirasvit Full Page Cache Warmer extension for Magento 2 by sending a crafted 'CacheWarmer' cookie, leading to remote code execution.
Related CVEs
CVE-2026-45247
CVSS 9.8Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie.
Affected Products:
Mirasvit Full Page Cache Warmer for Magento 2 – < 1.11.12
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Command and Scripting Interpreter: PowerShell
Server Software Component: Web Shell
Valid Accounts
Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity
Control ID: Pillar 1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Retail Industry
Critical exposure through Magento e-commerce platforms enabling remote code execution, lateral movement, and data exfiltration threatening customer payment and personal information.
Consumer Goods
High risk from compromised Magento storefronts allowing attackers to execute malicious code, intercept transactions, and steal consumer data through unencrypted traffic.
Fashion/Apparel
Significant vulnerability via online Magento stores enabling remote exploitation, privilege escalation, and customer data theft requiring immediate zero trust segmentation implementation.
Financial Services
Severe threat to payment processing systems through Magento RCE exploitation, demanding enhanced egress security, encrypted traffic controls, and PCI compliance reinforcement.
Sources
- CISA Adds Exploited Magento RCE Flaw CVE-2026-45247 to KEV Cataloghttps://thehackernews.com/2026/06/cisa-adds-exploited-magento-rce-flaw.htmlVerified
- Mirasvit Full Page Cache Warmer for Magento 2 Changeloghttps://mirasvit.com/package/changelog/?package=mirasvit/module-cache-warmerVerified
- Sansec Research on Mirasvit Cache Warmer Object Injectionhttps://sansec.io/research/mirasvit-cache-warmer-object-injectionVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it embeds security directly into the cloud fabric, potentially limiting the attacker's ability to move laterally and exfiltrate data.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's initial access could have been constrained, potentially reducing the scope of the compromise.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges could have been limited, potentially reducing the impact of the attack.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement could have been constrained, potentially reducing the spread of the attack.
Control: Multicloud Visibility & Control
Mitigation: The establishment of command and control channels could have been limited, potentially reducing the attacker's ability to maintain persistent access.
Control: Egress Security & Policy Enforcement
Mitigation: The exfiltration of sensitive data could have been constrained, potentially reducing data loss.
The deployment of ransomware could have been limited, potentially reducing operational disruption.
Impact at a Glance
Affected Business Functions
- E-commerce Platform
- Customer Data Management
- Order Processing
Estimated downtime: 7 days
Estimated loss: $50,000
Potential exposure of customer PII and payment information.
Recommended Actions
Key Takeaways & Next Steps
- • Implement inline intrusion prevention systems (IPS) to detect and block exploit attempts targeting known vulnerabilities.
- • Enforce zero trust segmentation to limit lateral movement within the network.
- • Deploy egress security and policy enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- • Utilize threat detection and anomaly response systems to identify and respond to suspicious activities promptly.
- • Regularly update and patch all software components to mitigate known vulnerabilities.
