PROBABLYPWNED
Vulnerabilities | June 4, 2026 | 3 min read

Magento Cache Plugin RCE Under Active Exploit — CISA Sets June 6 Deadline

CVE-2026-45247 in Mirasvit Full Page Cache Warmer allows unauthenticated RCE via PHP deserialization. CISA confirms active exploitation targeting e-commerce sites.

Marcus Chen

CISA added a critical Magento plugin vulnerability to its Known Exploited Vulnerabilities catalog on June 3, giving federal agencies until June 6 to patch. The flaw, tracked as CVE-2026-45247, allows unauthenticated attackers to execute arbitrary code on e-commerce servers through a deserialization weakness in the Mirasvit Full Page Cache Warmer extension.

With over 150,000 installations worldwide, the cache warmer is a popular performance optimization tool that many online retailers rely on to speed up page load times. That widespread adoption now makes it an attractive target.

How the Attack Works

The vulnerability is a PHP object deserialization flaw in how the extension processes the CacheWarmer cookie. Attackers craft malicious serialized PHP objects and deliver them via HTTP requests—no authentication required.

According to Imperva's analysis, the attack chain works like this:

  1. Attacker sends a crafted HTTP request with a malicious CacheWarmer cookie value
  2. The server deserializes the untrusted data without validation
  3. Combined with gadget chains in Magento dependencies, the deserialization escalates to remote code execution
  4. Functions like system() and current() are invoked to execute arbitrary commands

The core issue is that cookie values come straight from the client with no sanitization. As the Hacker News technical writeup explains, "an attacker controls the objects PHP reconstructs," giving them full control over what code runs on the server.

Active Exploitation in the Wild

Imperva has disclosed active attack activity attempting to exploit CVE-2026-45247 through serialized PHP object payloads. The campaigns have primarily singled out gaming and business sites, with the U.S., U.K., France, and Australia emerging as the most targeted countries.

Security teams can detect exploitation attempts by monitoring for CacheWarmer cookie values matching the pattern: CacheWarmer:(Tz|Qz|YT) followed by Base64-encoded strings. Serialized PHP objects Base64-encode to values starting with these prefixes.

This vulnerability follows a pattern we've seen repeatedly with Magento and e-commerce platform attacks—attackers target widely deployed plugins because a single exploit gives them access to thousands of stores.

Who's Affected

All versions of the Mirasvit Full Page Cache Warmer extension prior to version 1.11.12 are vulnerable. Mirasvit released patches on May 25, 2026.

The CVSS 9.8 score reflects the severity: network-exploitable, no authentication required, and full system compromise possible. For e-commerce sites processing payment data, the stakes are particularly high—a compromise could lead to a significant data breach exposing customer payment information.

Remediation Steps

  1. Update immediately to Mirasvit Full Page Cache Warmer version 1.11.12 or later
  2. Audit access logs for suspicious CacheWarmer cookie values matching the Base64 patterns above
  3. Implement WAF rules to block serialized PHP object patterns in cookies
  4. Review server integrity if you suspect prior compromise—check for webshells or unauthorized admin accounts
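
An added example, not code from Imperva, Mirasvit or this article: a Python check for the log audit in step 2, built on the CacheWarmer cookie pattern quoted in the detection paragraph. It goes one step past the prefix match by decoding the value, so ordinary tokens that merely start with YT are separated from data shaped like a serialized PHP object or array; the log layout, the "=" separator and the sample lines are assumptions constructed for illustration.

```python
import base64
import re
from urllib.parse import unquote

# Pattern from the article: CacheWarmer, then Tz / Qz / YT and Base64 text.
# Assumption: logs may show the Cookie-header form "CacheWarmer=" as well as
# the "CacheWarmer:" form the article quotes, so both separators are accepted.
COOKIE_RE = re.compile(r'CacheWarmer\s*[=:]\s*((?:Tz|Qz|YT)[A-Za-z0-9+/_-]*={0,2})')
# What those prefixes decode to: PHP serialized object (O:), object with
# custom serialization (C:), or array (a:).
SERIALIZED_RE = re.compile(rb'^(?:[OC]:\d+:"|a:\d+:\{)')

def classify(line):
    """Return None, 'prefix-match' or 'serialized-php' for one log line."""
    m = COOKIE_RE.search(unquote(line))  # undo %3D etc. in logged cookies
    if not m:
        return None
    value = m.group(1).replace('-', '+').replace('_', '/')
    value += '=' * (-len(value) % 4)  # restore stripped padding
    try:
        decoded = base64.b64decode(value)
    except ValueError:
        return 'prefix-match'  # right prefix, but not decodable Base64
    # A bare prefix hit can be an ordinary token; decoding confirms the shape.
    return 'serialized-php' if SERIALIZED_RE.match(decoded) else 'prefix-match'

def scan(lines):
    """Return (line_number, verdict) for every line that matches the pattern."""
    hits = []
    for n, line in enumerate(lines, 1):
        verdict = classify(line)
        if verdict:
            hits.append((n, verdict))
    return hits

def b64(raw):
    return base64.b64encode(raw).decode()

# Constructed sample lines (hypothetical log format, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 "GET / HTTP/1.1" 200 "CacheWarmer=' + b64(b'O:8:"stdClass":0:{}') + '"',
    '203.0.113.9 "GET / HTTP/1.1" 200 "CacheWarmer=' + b64(b'a9f3 session token') + '"',
    '198.51.100.7 "GET /cart HTTP/1.1" 200 "PHPSESSID=abc123"',
]

if __name__ == '__main__':
    for n, verdict in scan(SAMPLE_LOG):
        print(f'line {n}: {verdict}')
```

Lines reported as serialized-php are the ones to prioritize for the integrity review in step 4; prefix-match lines still fit the published pattern and deserve a look.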

Federal Civilian Executive Branch agencies have until June 6, 2026 to apply the fix per CISA's directive. Private sector organizations should treat this with equal urgency given the active exploitation.

Why This Matters

Deserialization vulnerabilities remain one of the most dangerous classes of web application flaws because they often lead directly to RCE without requiring authentication. The OWASP Top 10 has flagged insecure deserialization as a critical risk for years, yet developers continue shipping vulnerable code.

For Magento store operators, this is a reminder that third-party extensions expand your attack surface. A caching plugin shouldn't be able to compromise your entire server, but that's exactly what happens when input validation is missing from security-critical code paths.

If you're running a Magento store, audit your extension inventory. Every plugin you install is code you're trusting to not get you breached.
