[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fR7Wxqd68WW99iVaIGOdUU7cvwzmK9fjOiF5mYAtpgVc":3},{"article":4,"iocs":48},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":32,"category":33,"article_tags":37},"20d1649a-f5f6-4221-9471-74f3d4904442","CISA Adds Exploited Magento RCE Flaw CVE-2026-45247 to KEV Catalog","cisa-adds-exploited-magento-rce-flaw-cve-2026-45247-to-kev-catalog-886f24","The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical flaw impacting Mirasvit Cache Warmer, a popular Magento full-page cache extension, to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation in the wild. The vulnerability, tracked as CVE-2026-45247 (CVSS score: 9.8), is a case of deserialization of untrusted","CISA has added CVE-2026-45247, a critical remote code execution vulnerability in Mirasvit Cache Warmer (a Magento extension), to its Known Exploited Vulnerabilities catalog following confirmed active exploitation. The flaw is a PHP object deserialization vulnerability (CVSS 9.8) affecting all versions prior to 1.11.12 that allows unauthenticated attackers to execute arbitrary code via a crafted CacheWarmer cookie. Imperva has observed active attack campaigns primarily targeting gaming and business sites in the U.S., UK, France, and Australia, with FCEB agencies ordered to patch by June 6, 2026.","CISA adds critical Magento RCE flaw CVE-2026-45247 to KEV catalog after active exploitation.","CISA Adds Exploited Magento RCE Flaw CVE-2026-45247 to KEV Catalog. Ravie Lakshmanan, Jun 04, 2026. Web Security \u002F Vulnerability. The U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical flaw impacting Mirasvit Cache Warmer, a popular Magento full-page cache extension, to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation in the wild. The vulnerability, tracked as CVE-2026-45247 (CVSS score: 9.8), is a case of deserialization of untrusted data that could be exploited to execute arbitrary PHP code on an affected server. \"Mirasvit Full Page Cache Warmer contains a deserialization of untrusted data vulnerability that could allow unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie,\" CISA said. The shortcoming impacts all versions of the extension prior to version 1.11.12. Patches for the flaw were released on May 25, 2026. The addition of CVE-2026-45247 to the KEV catalog comes days after Sansec said the PHP object injection vulnerability could be exploited by means of any storefront request carrying a crafted CacheWarmer cookie, which then deserializes part of the cookie value with PHP's native unserialize() function without requiring any authentication or admin privileges. \"Because that value comes straight from the client, an attacker controls the objects PHP reconstructs,\" the Dutch security company said. \"This is PHP object injection (CWE-502). Combined with a gadget chain from classes that Magento and its dependencies already ship, object injection escalates to remote code execution.\" Sansec said it identified about 6,000 stores running Mirasvit extensions, although the exact number is likely to be higher given that content delivery networks (CDNs) like Cloudflare mask installs. Thales-owned Imperva has since disclosed it has observed active attack activity attempting to exploit CVE-2026-45247 through serialized PHP object payloads delivered via malicious HTTP requests. 
\"Observed payloads contain base64-encoded serialized objects designed to trigger PHP Object Deserialization and achieve remote code execution through commonly abused gadget chains,\" the company said. \"The payloads attempt to invoke functions such as system() and current() to execute arbitrary commands on the underlying server. In several observed cases, attackers used test commands designed to validate successful code execution.\" The activity has primarily singled out gaming and business sites, with the U.S., the U.K., France, and Australia emerging as the most targeted countries. It's currently not known who is behind the exploitation efforts, although the end goal appears to be to flag vulnerable Magento environments and confirm remote code execution is possible. In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies have been ordered to apply the fixes by June 6, 2026. To detect potential exploitation efforts, site owners are advised to audit for storefront requests that carry a CacheWarmer cookie whose value contains the marker \"CacheWarmer:\" followed by a Base64-encoded string. \"Serialized PHP objects base64-encode to values starting with Tz, Qz or YT, so a CacheWarmer cookie value matching CacheWarmer:(Tz|Qz|YT) is a strong indicator of an exploitation attempt,\" Sansec added.","https:\u002F\u002Fthehackernews.com\u002F2026\u002F06\u002Fcisa-adds-exploited-magento-rce-flaw.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEi8P5o_wfJsxsTaxY4OONIm2y5N5x9heoFeLchfLU13YA36tGQGJtu00tOCQSKhCTBFobAAWfhXLtNGMu8ZCG7ozeLVggi1tnQVRK_1mJHd6eq1YSb5AlRZq5eDp3rGDL2Uli_b3aBPMBsLfMJ5QEm_XW1MF43_dcCf64rSbVrhsUakhaOAn5-GOmuLiq0s\u002Fs1600\u002Fmag.jpg","2026-06-04T07:19:33+00:00","2026-06-04T10:00:27.338506+00:00",9,[18,21,23,26,28,30],{"name":19,"type":20},"Mirasvit Cache Warmer","product",{"name":22,"type":20},"Magento",{"name":24,"type":25},"Mirasvit","vendor",{"name":27,"type":25},"Imperva",{"name":29,"type":25},"Sansec",{"name":31,"type":25},"CISA","80544778-fabb-4dcd-aa35-17492e5dcf4f",{"id":32,"icon":34,"name":35,"slug":36},null,"Vulnerabilities","vulnerabilities",[38,43],{"category":39},{"id":40,"icon":34,"name":41,"slug":42},"26b0b636-0e31-4db1-bffb-61bdf9f20a58","Supply Chain","supply-chain",{"category":44},{"id":45,"icon":34,"name":46,"slug":47},"574f766a-fb3f-487c-8d2c-0720ae75471b","Zero-day","zero-day",[49],{"type":50,"value":51,"context":52},"cve","CVE-2026-45247","Critical PHP object deserialization RCE in Mirasvit Cache Warmer Magento extension, CVSS 9.8"]