The US cybersecurity agency CISA on Wednesday urged federal agencies to immediately patch a critical-severity vulnerability in the Mirasvit Full Page Cache Warmer for Magento 2 extension that has been exploited in the wild for remote code execution (RCE).
Cache Wormer monitors a page’s cache status and automatically adds the latest version of the page to the cache to speed up loading and improve page rankings.
The exploited bug, tracked as CVE-2026-45247 (CVSS score of 9.8), is described as a PHP object injection vulnerability that can be exploited remotely, without authentication, to execute arbitrary code on Magento and Adobe Commerce servers.
Attackers can exploit the Mirasvit flaw via crafted serialized PHP objects injected into the CacheWarmer cookie, which are deserialized without restricting the classes that may be instantiated.
“An attacker controls the objects PHP reconstructs. This is PHP object injection (CWE-502). Combined with a gadget chain from classes that Magento and its dependencies already ship, object injection escalates to remote code execution,” Sansec notes.
According to the company, thousands of Magento and Adobe Commerce stores are running the Mirasvit Cache Warmer extension. All stores using an extension iteration before version 1.11.12 are potentially exposed to attacks.
The CVE was publicly disclosed on May 26. According to Imperva, threat actors started exploiting it for RCE shortly after disclosure.
On Wednesday, CISA added CVE-2026-45247 to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch within three days, in line with the Binding Operational Directive (BOD) 22-01.
While BOD 22-01 only applies to federal agencies, all organizations are advised to update their Mirasvit Cache Warmer installations to version 1.11.12 or newer, which contain patches for the exploited flaw.
According to Sansec, administrators can identify potential compromises by checking for storefront requests with a CacheWarmer cookie containing the marker CacheWarmer: and a base64 string.
“Serialized PHP objects base64-encode to values starting with Tz, Qz or YT, so a CacheWarmer cookie value matching CacheWarmer:(Tz|Qz|YT) is a strong indicator of an exploitation attempt,” Sansec explains.
Related: Kirki, Burst Statistics WordPress Plugin Flaws in Attackers’ Crosshairs
Related: Organizations Warned of Exploited Linux Kernel Vulnerability
Related: Android Update Patches Exploited Zero-Day, 123 Other Vulnerabilities
Related: Oracle WebLogic Vulnerability Exploited in the Wild
