CRITICAL: Active Exploitation Hits Magento Stores via Mirasvit Cache Warmer Bug (CVE-2026-45247)
CISA added CVE-2026-45247, a CVSS 9.8 PHP object deserialization flaw in the Mirasvit Full Page Cache Warmer extension for Adobe Commerce and Magento, to its Known Exploited Vulnerabilities catalog after Imperva confirmed active unauthenticated RCE attacks against gaming and business storefronts in the US, UK, France, and Australia. Patch to version 1.11.12 or disable the extension immediately.
The Cybersecurity and Infrastructure Security Agency added another remote code execution flaw to its Known Exploited Vulnerabilities catalog this week, and the timing is brutal for anyone still running unpatched Magento storefronts. CVE-2026-45247, a PHP object deserialization bug in the Mirasvit Full Page Cache Warmer extension, is being actively exploited against gaming and business sites across the United States, United Kingdom, France, and Australia. CISA gave federal agencies until June 6 to patch. Everybody else should treat that deadline as last week.
The bug carries a CVSS score of 9.8, which is the polite numeric way of saying drop everything and patch this now. Mirasvit Full Page Cache Warmer is a popular performance extension for Adobe Commerce and Magento Open Source. It pre-warms cache entries to keep storefront response times fast, and like a depressingly long list of caching tools before it, it does some clever things with cookies. The specific cookie at the heart of this disaster is named CacheWarmer, and until version 1.11.12 the extension cheerfully passed whatever the client supplied into PHP's native unserialize function without restricting which classes could be instantiated. That is the textbook recipe for PHP Object Injection, classified under CWE-502, and it has been a known foot-gun for at least a decade. Mirasvit shipped the fix on May 25, the Sansec research team disclosed the details on May 26, and exploitation followed within days.
How the Attack Works
The attack chain looks exactly like the kind of thing you would write up in a training module for new pentesters. An unauthenticated attacker crafts a serialized PHP object encoded in base64, drops it into the CacheWarmer cookie, and sends an ordinary HTTP request to the storefront. The extension reads the cookie, hands the bytes to unserialize, and PHP obligingly reconstructs whatever class hierarchy the attacker specified. From there it is a matter of finding a gadget chain whose constructor or destructor invokes a useful function, and the Magento ecosystem ships with plenty of those. Imperva's research team has captured payloads built around the Monolog logging library, specifically the SyslogUdpHandler, BufferHandler, FingersCrossedHandler, and GroupHandler classes. These chains are well documented in PHP exploitation literature and they ride along with most Magento installs by default, which means the attacker does not need to know anything about your custom code to land a shell. They just need to know you have Monolog, which you do.
What makes this particularly ugly is the lack of any prerequisites. No authentication. No admin access. No special configuration. The attacker does not even need to know a valid customer email or product SKU. They simply need to find a storefront that loads the extension, and the extension responds to public traffic by design because warming the cache is its entire purpose. The attack surface is effectively the public internet, and so is the pool of potential victims.
Current Exploitation Activity
The current wave of attacks looks more like reconnaissance than monetization, which is the only part of this story that is even slightly encouraging. Imperva has flagged payloads containing test commands such as echo PWNED_CVE2026 followed by a timestamp, along with five-second sleep probes designed to confirm code execution without leaving an obvious payload behind. That pattern fits the playbook of crews that scan first, catalog vulnerable hosts, and then come back to sell the access or deploy skimmers in a second wave. Adobe Commerce sites have been on the receiving end of payment card skimmer campaigns for years, including the broader Magecart ecosystem that Sansec has tracked compromising thousands of stores through earlier flaws. Anyone hoping that a Magento bug will stay quiet is misreading the room.
Geographic targeting so far has clustered around English-speaking and Western European markets. Storefronts in the United States, the United Kingdom, France, and Australia have absorbed the bulk of the scanning, which roughly maps to the regions where Magento has the largest commercial footprint. Gaming merchants and business-to-business catalogs appear to be drawing the most attention, presumably because those verticals tend to process larger average transaction values than general retail and run more complex checkout flows that hide skimmer code more effectively.
Detection and Response
Detection here is mercifully straightforward if you have any kind of access to your web server logs or a WAF that can inspect cookies. Look for incoming requests where the CacheWarmer cookie value starts with the strings Tz, Qz, or YT, which are the base64-encoded prefixes of serialized PHP objects, custom classes, and a typical array marker respectively. Any legitimate CacheWarmer value will be a short hash. If you see hundreds of bytes of base64 in that header, it is not your developer doing maintenance, it is an attacker. Pair that with a grep across your application logs for the literal string PWNED_CVE2026 and you will catch the bulk of the current scanning activity in seconds.
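The cookie check described above, as an added example (not code from Imperva, Sansec or Mirasvit): it decodes the start of the value to confirm a PHP serialize() header instead of trusting the two-letter prefix alone, so a short hash that happens to begin with Tz is not flagged. The `cookie="..."` log field, the 64-character length limit and every sample line are assumptions constructed for the illustration.

```python
import base64
import re
from urllib.parse import quote, unquote

B64_PREFIXES = ("Tz", "Qz", "YT")               # base64 of "O:", "C:", "a:" (from the article)
SERIALIZED = re.compile(rb"^[OCa]:\d+:")        # PHP serialize() header once decoded
MAX_LEGIT_LEN = 64                              # assumption: a "short hash" fits in 64 chars
COOKIE_FIELD = re.compile(r'cookie="([^"]*)"')  # assumption: the log records the Cookie header

def cachewarmer_value(cookie_header):
    """Return the URL-decoded CacheWarmer cookie value, or None if absent."""
    for pair in cookie_header.split(";"):
        name, _, value = pair.strip().partition("=")
        if name == "CacheWarmer":
            return unquote(value)
    return None

def classify(value):
    """Return 'serialized-php', 'oversized' or 'ok' for one cookie value."""
    if value.startswith(B64_PREFIXES):
        head = value[:16]                       # covers the type tag and length field
        try:
            decoded = base64.b64decode(head + "=" * (-len(head) % 4), validate=True)
        except ValueError:                      # binascii.Error is a ValueError subclass
            decoded = b""
        if SERIALIZED.match(decoded):
            return "serialized-php"
    return "oversized" if len(value) > MAX_LEGIT_LEN else "ok"

def scan(lines):
    """Return (line_number, verdict) for every log line with a suspicious cookie."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = COOKIE_FIELD.search(line)
        value = cachewarmer_value(m.group(1)) if m else None
        if value is not None and (verdict := classify(value)) != "ok":
            hits.append((n, verdict))
    return hits

# Constructed sample data: a harmless empty stdClass and an empty array, no gadget chain.
SAMPLE_OBJECT = base64.b64encode(b'O:8:"stdClass":0:{}').decode()
SAMPLE_LOG = [
    '203.0.113.10 "GET / HTTP/1.1" 200 cookie="PHPSESSID=abc; CacheWarmer=9f3a1c0de4b7a2"',
    '203.0.113.77 "GET / HTTP/1.1" 200 cookie="CacheWarmer=YTowOnt9"',
    f'198.51.100.5 "GET /catalog HTTP/1.1" 200 cookie="CacheWarmer={quote(SAMPLE_OBJECT)}; x=1"',
    '198.51.100.9 "GET / HTTP/1.1" 200 cookie="CacheWarmer=Tz9f3a1c"',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Most default access-log formats do not record cookies, so the Cookie header has to be added to the log format or the same logic applied at the WAF or proxy.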
For deeper triage, audit any new PHP files in your var, pub, and app code directories, hunt for unexpected outbound connections from your web tier, and pull a fresh copy of your admin user table to confirm nobody created themselves an account during the window of exposure. Watch for new cron jobs, modifications to the .htaccess or nginx configuration files, and any unfamiliar entries in the deployment cache. Webshells planted through deserialization attacks frequently masquerade as legitimate cache files because that is the directory the web user can already write to, so any file under var or generated that is not part of a Composer-managed package deserves a second look.
Patching is the only real fix. Mirasvit Full Page Cache Warmer version 1.11.12 closes the deserialization hole, and any earlier version is exploitable. Updating a Magento extension is rarely as quick as the vendor implies, especially on customized Adobe Commerce builds, but the alternative is webshell roulette. If you cannot update immediately, the temporary mitigation is to disable the extension entirely, which trades performance for survival and is a trade worth making. A WAF rule blocking CacheWarmer cookies that contain base64-encoded serialized objects will buy time, but treat it as duct tape rather than as a solution. The same is true for any rule that just blocks the literal token PWNED_CVE2026 in cookies, because adversaries will rotate their canary strings within a news cycle.
The Bigger Magento Problem
The broader lesson hiding inside this CVE is the same lesson the Magento ecosystem keeps teaching everyone who runs it. The platform's strength, an enormous third-party extension marketplace that lets merchants bolt on every feature they could ever want, is also its largest unmanaged attack surface. A single performance extension installed by a developer five years ago and forgotten can hand a stranger root-equivalent access to a payments-grade web server. Adobe's security team can ship perfect patches to the core platform every Patch Tuesday and still watch stores get owned through extensions they do not maintain. That structural reality means every Magento operator has to treat their extension inventory as a first-class asset, with version tracking, an upgrade policy, and a kill switch for components that go unmaintained.
It also means that any vulnerability disclosure in a popular extension functions as a free targeting list for criminal crews. The moment Mirasvit and Sansec published the technical details, every Magecart-adjacent group on the planet started scanning for the CacheWarmer cookie pattern. Bug bounty triage and patch deployment now operate on incompatible timelines. Adobe Commerce merchants need to compress that gap with playbooks that can roll an extension update from notification to production in hours, not weeks, and most of them currently cannot.
The MSP Business Angle
For managed service providers, this is the kind of event that practically writes its own pitch deck. Any client running an Adobe Commerce or Magento storefront should be getting a call this week, not a generic newsletter blast. The conversation starts with a five-minute scan against the CacheWarmer cookie pattern and ends with a longer discussion about what else is bolted on top of their commerce platform that nobody is patching. There is real money in an offering that combines extension inventory management, monthly third-party patch review, and continuous skimmer detection, and you can price it accordingly because a single payment card breach will cost a mid-market retailer more than a decade of your fees.
Pentesters can use this CVE as the lead in a free external assessment campaign, because if a prospect has the extension installed it will show up in their cookie surface within a single curl command and give you an undeniable hook for a paid engagement. Dark web monitoring services should also be flagging any newly listed shells or admin credentials tied to Magento domains over the next few weeks, because the post-exploitation phase is where the data will hit the markets and your clients will want to know before their card processors do.
This will not be the last Magento extension to ship a deserialization foot-gun, and it will not be the last time CISA has to publicly remind federal agencies to patch a CVSS 9.8. Get the inventory, get the patch, watch the logs, and price your services to reflect the actual risk the storefront ecosystem carries. The attackers already have.
References
- The Hacker News: CISA Adds Exploited Magento RCE Flaw CVE-2026-45247 to KEV Catalog
https://thehackernews.com/2026/06/cisa-adds-exploited-magento-rce-flaw.html
- Imperva: Customers Protected Against CVE-2026-45247 in Mirasvit Full Page Cache Warmer
https://www.imperva.com/blog/imperva-customers-protected-against-cve-2026-45247-in-mirasvit-full-page-cache-warmer-for-magento/
- NVD: CVE-2026-45247
https://nvd.nist.gov/vuln/detail/CVE-2026-45247
- CISA Known Exploited Vulnerabilities Catalog
https://www.cisa.gov/known-exploited-vulnerabilities-catalog