CISA added CVE-2026-45247 to its Known Exploited Vulnerabilities (KEV) catalog on June 3, 2026, mandating that U.S. Federal Civilian Executive Branch (FCEB) agencies remediate the flaw by June 6. The vulnerability affects the Mirasvit Full Page Cache Warmer plugin for Magento 2—a widely used third-party e-commerce component—and carries a critical CVSS score of 9.8. The timeline reveals a dangerous exposure window: while the patch was released on May 25, the first in-the-wild exploits were observed as early as May 26. Ongoing attacks utilize base64-encoded serialized payloads to achieve unauthenticated remote code execution (RCE).
- CISA added CVE-2026-45247 to the KEV catalog on June 3, 2026; the federal patching deadline is June 6 per BOD 22-01.
- The attack vector is a PHP object injection (CWE-502) in the Mirasvit Full Page Cache Warmer plugin for Magento 2, affecting versions prior to 1.11.12.
- Imperva has documented active exploitation using base64-encoded payloads that invoke system() and current() for remote command execution.
- Sansec estimates approximately 6,000 stores have active Mirasvit extensions, though the actual number is likely higher due to CDN masking.
The Mechanism: From Serialized Objects to Remote Execution
The vulnerability lies in how the Mirasvit Full Page Cache Warmer plugin handles serialized data within HTTP requests to the storefront. An attacker injects controlled PHP objects that, upon deserialization via unserialize(), trigger gadget chains present within Magento's core classes and its dependencies. Sansec classified the flaw as a PHP object injection (CWE-502), stating: "An attacker controls the objects PHP reconstructs. This is PHP object injection (CWE-502). Combined with a gadget chain from classes that Magento and its dependencies already ship, object injection escalates to remote code execution." Because there are no authentication requirements, every storefront endpoint exposed to the internet is a potential target.
Imperva, as cited by The Hacker News, documented payloads "containing base64-encoded serialized objects designed to trigger PHP Object Deserialization." The firm specified that "the payloads attempt to invoke functions such as system() and current() to execute arbitrary commands on the underlying server. In several observed cases, attackers used test commands to validate successful code execution." The presence of these probing commands confirms that the campaign is active, systematic, and verifies compromise before proceeding with further actions.
Timeline: The 10-Day Gap Between Patch and Federal Alert
The patch for version 1.11.12 was released on May 25, 2026, according to Vulert and The Hacker News. Imperva recorded exploits "shortly after disclosure" on May 26. CISA's inclusion of the CVE in the KEV catalog on June 3 set a June 6 deadline for federal agencies. This 10-day interval between the patch and KEV inclusion—with active exploitation starting just one day after the fix—illustrates a recurring pattern in the Magento ecosystem: third-party extensions receive less scrutiny than the core platform, merchants fail to update promptly, and attackers monitor plugin vendor changelogs using automated tools.
The National Vulnerability Database assigns CVE-2026-45247 a CVSS 4.0 vector of CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N, confirming unauthenticated network access with high impact on confidentiality, integrity, and availability. The 9.8 CVSS score is corroborated by SecurityWeek, The Hacker News, and Thomas Harris, showing convergence across technical and journalistic sources.
Geography and Targets: Gaming and Business Sectors Hit First
The most heavily targeted sectors are gaming and business websites, with geographical concentrations in the United States, United Kingdom, France, and Australia, according to Vulert and The Hacker News. These targets are strategic: e-commerce platforms manage payment data, customer identities, and cash flows, amplifying the value of initial access. Sansec identified approximately 6,000 stores with active Mirasvit extensions, noting that "the exact number is likely higher as content delivery networks like Cloudflare mask installations." This figure represents estimated exposure rather than confirmed compromise; the total number of successfully breached sites remains unverified.
The risk of supply chain pivoting is inherent to Magento’s role as a B2B and B2C platform. A compromised store can serve as a vector for business customers, suppliers, or integrations with ERP and warehouse systems. While current reports do not document confirmed data breaches or ransomware deployments attributable to this CVE, the nature of RCE access makes such escalations technically plausible.
"An attacker controls the objects PHP reconstructs. This is PHP object injection (CWE-502). Combined with a gadget chain from classes that Magento and its dependencies already ship, object injection escalates to remote code execution." — Sansec
Remediation and Mitigation
- Immediately update Mirasvit Full Page Cache Warmer to version 1.11.12 or later (released May 25, 2026) on every exposed Magento 2 instance.
- Inspect HTTP logs for requests containing suspicious base64 strings or calls to unserialize() within the Cache Warmer plugin context, specifically looking for attempts to invoke system() and current().
- Audit staging, testing, and replica environments for vulnerable versions (< 1.11.12), especially if they share credentials or access with production systems.
- Evaluate the exposure surface of all third-party extensions in the Magento stack; an updated core platform does not protect against obsolete plugins with execution privileges.
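An added detection example for the log-inspection step above and for the serialized-object mechanism described earlier (this is not code from Sansec, Imperva, Mirasvit, or Magento): it decodes base64-looking tokens in access-log request lines, checks each for the header of a PHP serialized object, and flags the function names Imperva reported. The log format, the placeholder route and the sample payload are constructed for this example, and the probe object is a harmless stand-in rather than a Magento gadget chain.

```python
import base64
import re
from urllib.parse import unquote

# base64-looking tokens long enough to carry a serialized object
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# header of a PHP serialized object: O:<name length>:"<ClassName>":<property count>:{
PHP_OBJ_RE = re.compile(r'O:\d+:"([A-Za-z0-9_\\]+)":\d+:\{')
# function names Imperva reported seeing in observed payloads
SUSPECT_FUNCS = ("system", "current")

def decode_candidates(text):
    """Yield the decoded text of every base64-looking token that decodes cleanly."""
    for token in B64_RE.findall(text):
        stripped = token.rstrip("=")
        padded = stripped + "=" * (-len(stripped) % 4)
        try:
            yield base64.b64decode(padded, validate=True).decode("latin-1")
        except ValueError:  # binascii.Error is a ValueError: bad alphabet or padding
            continue

def classify_request(log_line):
    """Return a finding when a log line carries a serialized PHP object, else None."""
    for blob in decode_candidates(unquote(log_line)):
        match = PHP_OBJ_RE.search(blob)
        if match is None:
            continue  # base64, but not a PHP object (e.g. JSON state)
        funcs = [f for f in SUSPECT_FUNCS if re.search(rf"\b{f}\b", blob)]
        return {"class": match.group(1), "functions": funcs,
                "severity": "high" if funcs else "medium"}
    return None

def scan_log(lines):
    """Return (line number, finding) pairs for every suspicious line in an access log."""
    return [(n, f) for n, line in enumerate(lines, 1) if (f := classify_request(line))]

# Constructed sample data: a harmless stand-in object (not a gadget chain) and a placeholder route.
PROBE = 'O:13:"Example\\Probe":1:{s:4:"func";s:6:"system";}'
PROBE_B64 = base64.b64encode(PROBE.encode()).decode()
BENIGN_B64 = base64.b64encode(b'{"page":1,"sort":"name"}').decode()
SAMPLE_LOG = [
    '203.0.113.10 - - [26/May/2026:09:14:02 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 5120',
    f'203.0.113.10 - - [26/May/2026:09:14:05 +0000] "GET /EXAMPLE_PLUGIN_ENDPOINT?data={PROBE_B64} HTTP/1.1" 200 310',
    f'198.51.100.7 - - [26/May/2026:09:15:11 +0000] "GET /catalogsearch/result?state={BENIGN_B64} HTTP/1.1" 200 8802',
]

if __name__ == "__main__":
    for lineno, finding in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {finding}")
```

A medium-severity hit (serialized object without the reported function names) still deserves a look, since the observed payloads are only the variants documented so far.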
Why Magento Extensions Remain a Security Blind Spot
The modular architecture of Magento 2 allows third-party developers to extend the core via plugins distributed through marketplaces or direct channels, creating a fragmented attack surface. While Adobe, the core vendor, releases regular security updates with structured advisories, extension developers often operate with non-uniform disclosure cycles. In this case, the fix was issued via a changelog without a documented independent advisory. Merchants who rely solely on core platform updates remain exposed if a single plugin introduces an exploitable serializable class.
The CVE-2026-45247 case highlights an operational asymmetry: attackers have the tools to monitor popular plugin releases and build exploits within hours, while defenders must manually reconstruct their inventory of active extensions. Sansec’s estimate of 6,000 installations—with real exposure likely higher—suggests many operators are unaware they are even running the plugin. CISA’s 72-hour deadline is a political signal of severity; for the private sector, the equivalent urgency depends on stack visibility rather than regulatory compliance.
Frequently Asked Questions
Does this vulnerability affect Adobe Commerce or only Magento Open Source?
The flaw resides in the Mirasvit Full Page Cache Warmer plugin, a third-party extension compatible with both editions. The core platform, whether Adobe Commerce or Magento Open Source, is only vulnerable if the plugin is present in a version prior to 1.11.12.
Why did CISA impose only a 72-hour margin?
BOD 22-01 establishes automatic deadlines based on the date of entry into the KEV catalog. For CVEs added following specific exploitation events, the system assigns short windows when in-the-wild activity is documented and a patch is already available. The June 6, 2026, deadline is a calculated requirement for this entry, not an ad hoc assessment of remediation complexity.
Is a manual attack required, or do automated exploits exist?
The current dossier does not document a public proof-of-concept or automated toolkit. However, the payload structure observed by Imperva—base64-encoded serialized objects with test commands—indicates that attackers already possess functional implants, making patching a higher priority than searching for specific indicators.
Information has been verified against cited sources and is current as of the time of publication.
Sources
- https://vulert.com/blog/magento-cve-2026-45247-added-to-cisa-kev/
- https://thomasharris6.wordpress.com/2026/06/04/cisa-adds-exploited-magento-rce-flaw-cve-2026-45247-to-kev-catalog/
- https://howtofix.guide/mirasvit-cache-warmer-cve-2026-45247-magento-rce/
- https://cybersecuritynews.com/magento-cache-warmer-rce-flaw-exploited/
- https://www.securityweek.com/mirasvit-vulnerability-exploited-to-execute-code-on-magento-servers/
- https://nvd.nist.gov/vuln/detail/CVE-2026-45247
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://www.cisa.gov/news-events/alerts/2026/06/03/cisa-adds-one-known-exploited-vulnerability-catalog
- https://thehackernews.com/2026/06/cisa-adds-exploited-magento-rce-flaw.html