Critical Magento Cache Warmer Flaw Sparks Global Exploitation Concerns as CISA Issues Urgent Warning + Video

Introduction

A newly disclosed security vulnerability affecting one of Magento’s most widely used performance extensions has rapidly become a serious concern for online businesses worldwide. The flaw, which allows attackers to remotely execute malicious code without authentication, has already attracted active exploitation attempts in the wild. Following mounting evidence of attacks, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, placing it among the most urgent security threats organizations must address immediately.

The issue highlights the growing risks facing e-commerce platforms, where a single vulnerable extension can expose thousands of online stores to complete server compromise, data theft, and operational disruption.

CISA Adds Critical Magento Extension Vulnerability to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency has added CVE-2026-45247 to its Known Exploited Vulnerabilities catalog after confirming active attacks targeting vulnerable systems.

The flaw affects Mirasvit Cache Warmer, a popular Magento full-page cache extension designed to improve website performance and reduce server load. Security researchers assigned the vulnerability a critical CVSS score of 9.8, reflecting the severe impact that successful exploitation can have on affected environments.

According to CISA, attackers can exploit the weakness by sending a specially crafted CacheWarmer cookie to a vulnerable Magento storefront. Because the application improperly processes untrusted serialized data, attackers can trigger remote code execution and gain control over the underlying server.

Understanding the Dangerous Deserialization Flaw

At the core of the vulnerability is a classic but highly dangerous security weakness known as PHP Object Deserialization.

The extension processes user-supplied cookie values and passes portions of that data directly into PHP’s native unserialize() function. Since the input originates from an external user and is not adequately validated, attackers can manipulate the serialized object structure to force PHP into reconstructing malicious objects.

This vulnerability effectively gives attackers control over the objects created during execution. When combined with existing gadget chains present within Magento and its dependencies, the flaw escalates into full remote code execution.

Security experts describe this attack path as particularly dangerous because it requires no login credentials, no administrative access, and no interaction from store administrators.

How Attackers Are Exploiting CVE-2026-45247

Researchers from Sansec revealed that exploitation can occur through any storefront request carrying a malicious CacheWarmer cookie.

The attack mechanism is remarkably simple. Threat actors craft a serialized PHP object, encode it in Base64 format, and insert it into the cookie value. Once the vulnerable server processes the request, the unserialize operation reconstructs attacker-controlled objects.

These objects then trigger gadget chains already present within Magento’s software ecosystem. Through these chains, attackers can invoke dangerous PHP functions and execute arbitrary operating system commands.

Because the attack works through normal web requests, malicious traffic can blend into legitimate website activity, making detection significantly more challenging.

Imperva Observes Active Attacks in the Wild

Security company Imperva has confirmed ongoing exploitation attempts targeting vulnerable Magento installations.

Researchers observed attackers delivering Base64-encoded serialized object payloads through crafted HTTP requests. Analysis of the attacks revealed multiple attempts to trigger PHP object deserialization routines and execute arbitrary code.

Several payloads were designed to invoke functions such as system() and current(), enabling command execution directly on compromised servers.

In multiple incidents, attackers initially deployed harmless test commands to verify successful exploitation before potentially moving toward more destructive activities. This behavior suggests that threat actors are currently identifying vulnerable environments and validating attack success rates.

Thousands of Online Stores Potentially at Risk

Sansec estimates that approximately 6,000 online stores currently utilize Mirasvit extensions, though the true figure may be considerably higher.

The presence of Content Delivery Networks such as Cloudflare complicates accurate internet-wide scanning because many Magento installations remain hidden behind reverse proxy services.

As a result, the total attack surface could extend well beyond current estimates.

Given

Gaming and Business Websites Become Primary Targets

Current attack activity appears to focus heavily on gaming platforms and business-oriented websites.

Threat intelligence data indicates that organizations located in the United States, United Kingdom, France, and Australia have experienced the highest concentration of attacks.

While attribution remains unclear, researchers believe the primary objective is currently reconnaissance and vulnerability validation. Attackers appear interested in determining which Magento environments remain unpatched and whether remote code execution can be successfully achieved.

Such reconnaissance often serves as a precursor to broader malicious campaigns involving malware deployment, credential theft, cryptojacking, web skimming, or ransomware operations.

Patch Availability and Government Response

Mirasvit released security updates addressing the vulnerability on May 25, 2026.

All versions prior to 1.11.12 are considered vulnerable and should be upgraded immediately.

Due to active exploitation, Federal Civilian Executive Branch agencies have been instructed to remediate affected systems no later than June 6, 2026.

The accelerated remediation timeline underscores the severity of the threat and reflects growing concern among cybersecurity authorities regarding the speed at which attackers are weaponizing newly disclosed vulnerabilities.

Indicators of Compromise and Detection Guidance

Organizations are strongly encouraged to inspect incoming requests for suspicious CacheWarmer cookie values.

Researchers note that serialized PHP objects often generate Base64 strings beginning with:

Tz

Qz

YT

A particularly strong indicator of malicious activity is a CacheWarmer cookie containing:

CacheWarmer:(Tz|Qz|YT)

Security teams should immediately investigate systems generating such requests and review web server logs for unusual storefront traffic patterns.

Additional monitoring should focus on unexpected PHP process activity, unauthorized file modifications, suspicious command execution, and outbound connections initiated by Magento servers.
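The prefix indicator above can be turned into a small triage script. The following Python is an added example, not code from the article, Sansec or Imperva: it decodes any CacheWarmer cookie that starts with Tz, Qz or YT and reports it as suspicious only when the decoded bytes really carry a serialized PHP object/class/array header, which keeps benign prefix coincidences out of the alert queue. It assumes the web server log format includes the Cookie header (for nginx, $http_cookie); the log lines and serialized values are constructed samples.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Base64 of the serialization prefixes the article lists: "O:" -> Tz, "C:" -> Qz, "a:" -> YT
SERIALIZED_PREFIXES = ("Tz", "Qz", "YT")
# Assumption: the log format appends the Cookie header in quotes (nginx $http_cookie);
# with the default combined format the cookie never reaches the log and nothing is found.
COOKIE_RE = re.compile(r'CacheWarmer=([^;\s"]+)')
# Header shape of serialized PHP objects/classes/arrays, e.g. O:8:"stdClass":1:{ or a:1:{
PHP_SERIALIZED_RE = re.compile(rb'^(?:[OC]:\d+:"|a:\d+:\{)')

def classify_cookie(raw_value):
    """Return 'benign', 'review' or 'suspicious' for one CacheWarmer cookie value."""
    value = unquote(raw_value)
    if not value.startswith(SERIALIZED_PREFIXES):
        return "benign"
    try:
        decoded = base64.b64decode(value + "=" * (-len(value) % 4))
    except (binascii.Error, ValueError):
        return "review"      # prefix matched but the value is not valid Base64
    if PHP_SERIALIZED_RE.match(decoded):
        return "suspicious"  # decodes to a serialized PHP object/array header
    return "review"          # prefix coincidence: worth a look, not a confirmed payload

def scan_access_log(lines):
    """Return (verdict, cookie_value, request_line) for every non-benign CacheWarmer cookie."""
    hits = []
    for line in lines:
        m = COOKIE_RE.search(line)
        if not m:
            continue
        verdict = classify_cookie(m.group(1))
        if verdict != "benign":
            request = line.split('"')[1] if line.count('"') >= 2 else line
            hits.append((verdict, m.group(1), request))
    return hits

def _b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed sample lines (not real traffic); the serialized values are harmless stdClass/array
# structures that only show what the Tz/Qz/YT prefixes look like once Base64-encoded.
SAMPLE_LOG = [
    '203.0.113.10 - - [26/May/2026:10:00:01 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "PHPSESSID=abc123; CacheWarmer=7f3c9d1e"',
    '203.0.113.11 - - [26/May/2026:10:00:02 +0000] "GET / HTTP/1.1" 200 8800 "-" "curl/8.0" "CacheWarmer=' + _b64('O:8:"stdClass":1:{s:1:"a";s:1:"b";}') + '"',
    '203.0.113.12 - - [26/May/2026:10:00:03 +0000] "GET /checkout/cart/ HTTP/1.1" 200 4100 "-" "python-requests/2.31" "CacheWarmer=' + _b64('a:1:{i:0;s:1:"x";}') + '"',
    '203.0.113.13 - - [26/May/2026:10:00:04 +0000] "GET /customer/account/ HTTP/1.1" 302 0 "-" "Mozilla/5.0" "CacheWarmer=YTrackingId"',
]
```

Calling scan_access_log on the real access log lines returns the non-benign hits; the "review" verdict on the last sample shows why the raw prefix match alone over-alerts.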

What Undercode Says:

The exploitation of CVE-2026-45247 demonstrates a recurring problem within the PHP ecosystem where insecure deserialization vulnerabilities continue to appear despite years of security awareness.

One of the most alarming aspects is the complete absence of authentication requirements.

Attackers do not need administrator accounts.

Attackers do not need stolen credentials.

Attackers do not need insider access.

They simply need to send a crafted HTTP request.

This dramatically lowers the barrier to entry.

The vulnerability is also highly attractive because Magento environments frequently process valuable commercial data.

A compromised store may expose customer records.

It may expose order histories.

It may expose internal business information.

It may even provide access to integrated payment systems.

Another concern is the growing automation of exploitation.

Modern threat actors rarely attack manually.

Instead, they deploy scanners capable of probing millions of websites within hours.

Once a proof-of-concept becomes public, mass exploitation often follows rapidly.

The observed test commands reported by Imperva are particularly revealing.

Threat actors are validating exploitation reliability.

This usually occurs before larger-scale malicious deployment.

Historically, such activity often precedes web shell installation.

It may also lead to malware deployment.

Cryptocurrency mining operations are another common outcome.

Ransomware operators routinely leverage remote code execution vulnerabilities as initial access vectors.

The estimated 6,000-store footprint should be treated as a minimum estimate.

Cloudflare and other reverse proxies significantly obscure internet-facing services.

The real exposure level may be much larger.

The flaw also highlights the dangers of unsafe PHP functions.

Developers continue relying on unserialize() despite repeated industry warnings.

Modern serialization alternatives exist.

JSON-based structures generally provide safer implementations.

Organizations should also evaluate third-party extensions with the same rigor applied to core software.

Many breaches originate from plugins rather than the primary platform itself.

Supply chain risk continues to expand.

Security audits should include extension reviews.

Runtime monitoring should detect anomalous PHP execution.

Behavioral analytics can help identify exploitation before full compromise occurs.

Web application firewalls may reduce exposure.

However, patching remains the only reliable mitigation.

This incident serves as another reminder that performance-enhancing extensions can inadvertently become high-value attack vectors.

The combination of remote code execution, public exploitability, and active attacks places CVE-2026-45247 among the most dangerous Magento vulnerabilities disclosed in recent years.

Deep Analysis: Linux and Security Operations Commands

Security teams investigating potential compromise can utilize several commands during incident response:

Log Inspection

grep "CacheWarmer" /var/log/nginx/access.log
grep "CacheWarmer" /var/log/apache2/access.log

Search for Suspicious PHP Activity

find /var/www/html -name "*.php" -mtime -7

Detect Recently Modified Files

find /var/www/html -type f -mtime -3

Monitor Active Processes

ps aux | grep php

Review Network Connections

netstat -tulpn
ss -tulpn

Identify Unexpected Scheduled Tasks

crontab -l
crontab -l -u www-data
ls -la /etc/cron.d /etc/cron.hourly /etc/cron.daily /etc/cron.weekly

Search for Web Shell Indicators

grep -R "system(" /var/www/html/
grep -R "exec(" /var/www/html/
grep -R "shell_exec(" /var/www/html/

Check User Activity

last
lastlog
who

Integrity Monitoring

sha256sum critical_file.php

These commands can assist responders in detecting post-exploitation activity, unauthorized modifications, and persistence mechanisms following a successful attack.

✅ CISA officially added CVE-2026-45247 to the Known Exploited Vulnerabilities catalog due to evidence of active exploitation.

✅ The vulnerability is a PHP deserialization flaw capable of unauthenticated remote code execution through a crafted CacheWarmer cookie.

✅ Security researchers and Imperva independently observed exploitation attempts using serialized PHP object payloads, supporting the assessment that the threat is active and not merely theoretical.

Prediction

(+1) Organizations that rapidly deploy version 1.11.12 or later will significantly reduce exposure and prevent widespread compromise.

(+1) Increased awareness around unsafe PHP deserialization practices may encourage stronger security reviews for Magento extensions across the ecosystem.

(-1) Public disclosure and KEV inclusion will likely accelerate automated scanning and mass exploitation campaigns targeting unpatched stores.

(-1) Additional financially motivated threat groups may adopt the exploit for malware deployment, credential theft, and ransomware-related operations in the coming weeks.

(-1) E-commerce businesses that delay patching could face full server compromise, data exposure, and operational disruption as exploitation activity expands globally.

References:

Reported By: thehackernews.com