CISA added CVE-2026-45247 to its Known Exploited Vulnerabilities catalog after confirming that attackers are actively exploiting a critical remote code execution vulnerability in a widely deployed Magento extension — placing more than 150,000 e-commerce stores at immediate risk.
CVE-2026-45247: PHP Object Injection via Crafted Cookie Data
The vulnerability exists in the Mirasvit Full Page Cache Warmer extension for Magento 2 and Adobe Commerce. An unauthenticated attacker sends a single HTTP request carrying a crafted CacheWarmer cookie that contains a serialized PHP object. Because the extension deserializes this data without adequate validation, the attacker’s object executes arbitrary code on the server — without requiring authentication or any user interaction.
How a Single Crafted Cookie Delivers Unauthenticated Server-Side Code Execution
PHP object injection through cookie deserialization is one of the most automation-friendly attack primitives available against web applications. An attacker requires nothing more than a standard HTTP client, knowledge of the target extension’s class structure, and the ability to send a crafted request. Sansec, which first reported the vulnerability, documented that the attack produces immediate server-side code execution — making it trivially compatible with mass scanning campaigns that automatically probe every publicly reachable Magento and Adobe Commerce instance for the presence of the vulnerable extension version.
Affected versions span all Mirasvit Cache Warmer releases prior to 1.11.12. Mirasvit released the patched version on May 25, 2026, but the manual update workflow typical of Magento extension management means a significant share of the 150,000-strong install base has not yet applied the fix. The ten-day window between patch release and CISA’s KEV confirmation that active exploitation is underway indicates that attackers moved quickly after the fix became available — a common pattern following patch-diff analysis.
Payment Skimmer Injection and the Full Scope of Post-Compromise Access
Successful exploitation delivers full server access on a Magento or Adobe Commerce instance. For e-commerce operators, the practical consequences extend far beyond typical server compromise. An attacker with remote code execution on a Magento store can read stored customer records, payment data, credit card tokens, admin credentials, and order histories. More damagingly, they can inject payment skimmer code — malicious JavaScript that silently captures customers’ payment card details at checkout and transmits them to an attacker-controlled server.
This skimmer injection capability means that a single exploitation event can yield ongoing payment card theft from every subsequent customer transaction, compounding the breach impact well beyond the initial intrusion window. E-commerce operators face both breach notification obligations under applicable data protection regulations and potential card brand compliance consequences if cardholder data is found to have been exfiltrated.
CISA KEV Addition and the Narrowing Patch Window
CISA added CVE-2026-45247 to the KEV catalog on June 3, 2026. The vulnerability carries a CVSS score of 9.8, reflecting the combination of unauthenticated access, trivial exploitation, and the severity of the resulting server compromise. Under Binding Operational Directive 22-01, Federal Civilian Executive Branch agencies are required to remediate KEV-listed critical vulnerabilities under defined deadlines; the commercial e-commerce operators who represent most of the 150,000 affected stores are not bound by BOD 22-01 but face the same active exploitation risk.
Magento and Adobe Commerce store operators running Mirasvit Cache Warmer prior to version 1.11.12 should update to version 1.11.12 immediately. Administrators should also audit server logs for evidence of exploitation attempts — specifically, anomalous CacheWarmer cookie values in HTTP request logs — and check admin account activity for unauthorized entries that may indicate a compromise already in progress.
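One way to carry out the log audit described above, as an added example that is not code from the advisory, Sansec or Mirasvit: a Python script that parses access-log lines, URL-decodes the CacheWarmer cookie and flags values that begin like PHP serialize() output (an `O:` object, `a:` array or `C:` custom-serialized token), which a legitimate cache-warmer flag value never does. It assumes the web server has been configured to log the Cookie header as a final quoted field; the log lines are constructed samples, not real traffic.

```python
import re
import sys
from urllib.parse import unquote

# Combined log format with the Cookie header quoted as an extra final field
# (assumption: e.g. nginx log_format '... "$http_cookie"' or Apache '"%{Cookie}i"').
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'\S+ "[^"]*" "[^"]*" "(?P<cookies>[^"]*)"$'
)
# Opening tokens of PHP serialize() output: O:<len>:"<Class>":<n>:{  a:<n>:{  C:<len>:"
SERIALIZED_RE = re.compile(r'^\s*(O:\d+:"[^"]*":\d+:\{|a:\d+:\{|C:\d+:")')

# Constructed sample lines (not real traffic): a plain flag value, a URL-encoded
# serialized stdClass in the CacheWarmer cookie, and a request without the cookie.
SAMPLE_LOG_LINES = [
    '203.0.113.7 - - [04/Jun/2026:10:01:22 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "CacheWarmer=1; PHPSESSID=abc123"',
    '203.0.113.9 - - [04/Jun/2026:10:02:03 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 8800 "-" "curl/8.4.0" "CacheWarmer=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"',
    '198.51.100.4 - - [04/Jun/2026:10:02:10 +0000] "GET /checkout HTTP/1.1" 200 7000 "-" "Mozilla/5.0" "PHPSESSID=def456"',
]

def parse_cookies(header: str) -> dict[str, str]:
    """Split a Cookie header into name -> URL-decoded value."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            cookies[name.strip()] = unquote(value.strip())
    return cookies

def is_suspicious_cookie(value: str) -> bool:
    """True if the (decoded) cookie value starts like PHP serialize() output."""
    return bool(SERIALIZED_RE.match(value))

def find_suspicious(lines, cookie_name: str = "CacheWarmer") -> list[dict]:
    """One record per request whose named cookie looks like serialized PHP data."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue  # unexpected log format: skip rather than guess at fields
        value = parse_cookies(m["cookies"]).get(cookie_name)
        if value is not None and is_suspicious_cookie(value):
            hits.append({"ip": m["ip"], "ts": m["ts"], "request": m["req"], "cookie": value})
    return hits

if __name__ == "__main__":
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG_LINES
    for hit in find_suspicious(lines):
        print(f"{hit['ts']} {hit['ip']} {hit['request']} cookie={hit['cookie']!r}")
```

A hit only shows that serialized data reached the server, not that it was executed, so treat matches as leads to correlate with admin-account activity and the extension version in place at the time of the request.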
