Executive Summary
CVE-2026-45247 is a critical vulnerability in the Mirasvit Full Page Cache Warmer extension for Magento 2 and Adobe Commerce. Public reporting says the bug can let unauthenticated attackers send a crafted CacheWarmer cookie that reaches PHP deserialization and can lead to remote code execution on exposed storefronts. The issue is more urgent because CISA added the CVE to its Known Exploited Vulnerabilities catalog on June 3, 2026, confirming active exploitation concerns rather than a purely theoretical bug.
For defenders, this is a high-priority edge application problem. The weakness sits in a public-facing e-commerce path, requires no login, and affects a plugin that some stores may inherit through broader Mirasvit packages. If attackers land code execution on a Magento host, the follow-on exploit path can include webshell deployment, payment-page tampering, customer-data exposure, and deeper compromise of adjacent systems.
What happened
Sansec disclosed the flaw on May 26, 2026 after reporting it privately to Mirasvit. According to the advisory, vulnerable versions of Cache Warmer process attacker-controlled serialized data from the CacheWarmer cookie. With a suitable gadget chain, that input can be converted into code execution on the server.
The public timeline is short and important:
- April 24, 2026: Sansec discovered the vulnerability and deployed a protective Shield rule
- May 21, 2026: Mirasvit was notified
- May 25, 2026: Mirasvit released a patched version,
1.11.12 - May 26, 2026: CVE-2026-45247 was assigned and publicly disclosed
- June 3, 2026: CISA added the issue to the KEV catalog
That sequence matters because it means patch details and exploit logic have likely become easier for attackers to study. Once a deserialization flaw in a public storefront component is understood, scanning and mass exploitation can scale quickly.
Why this matters for Magento and Adobe Commerce teams
1. The attack lands through normal storefront traffic
This is not an admin-only weakness. The reported attack vector uses a cookie on storefront requests, so exposed web nodes, WAF policies, and application logging all become part of the detection and containment story.
2. Some merchants may not realize the component is installed
Sansec noted that Cache Warmer is bundled with several Mirasvit packages. That increases the chance of hidden exposure, especially in stores with older extension bundles, inherited agency builds, or weak software inventory discipline.
3. Commerce compromises rarely stop at one host
If an attacker reaches code execution on the app tier, the next steps often target skimmers, admin credential theft, cron persistence, or staging points for broader lateral movement. This is where segmentation, hardened admin access, and strong incident response discipline matter more than a simple patch-only mindset.
Affected versions and fix
NVD describes the flaw as affecting Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12. Mirasvit's own changelog confirms the fixed branch was released on May 25, 2026. Any merchant or service provider running an earlier build should treat the store as potentially exposed until verified otherwise.
Because some teams manage multiple storefronts and packaged extension sets, it is worth checking all production, staging, and disaster-recovery environments instead of validating only the main revenue site.
Immediate actions to take
Patch to 1.11.12 or later
Upgrade the Cache Warmer extension immediately. If the plugin is included through a broader package, verify the exact installed module version instead of assuming the meta-package resolved it correctly.
Hunt for suspicious CacheWarmer cookie activity
Sansec highlighted a useful detection clue: malicious requests may include a CacheWarmer: prefix followed by a base64-encoded serialized payload. Review reverse-proxy, CDN, WAF, and origin logs for abnormal cookie values, especially ones beginning with patterns associated with serialized PHP objects.
Look for post-exploitation changes
Check for unexpected PHP files in web-accessible directories, suspicious cron entries, unusual outbound connections, modified payment templates, or admin-side persistence. Remote code execution on a commerce node should trigger full compromise assessment, not just a patch-and-move-on workflow.
Tighten administrative exposure and east-west access
Limit admin panels, SSH, database access, and internal services reachable from the application tier. Strong network segmentation and strict access control reduce how far a storefront compromise can spread.
Validate third-party monitoring and integrity controls
If the environment already uses file-integrity monitoring, CSP reporting, payment-page monitoring, or external store scanners, review recent alerts around the disclosure window. For Magento teams, the real damage often shows up after initial access, not during it.
Detection ideas for security teams
Start with three questions:
- Was the vulnerable extension present anywhere in production or staging?
- Did any edge logs capture suspicious
CacheWarmercookie values before patching? - Is there any evidence of follow-on payloads, file writes, or credential abuse after web requests touching the affected plugin?
A lightweight hunt can combine WAF logs, origin logs, EDR telemetry, and file-integrity events for the same host group. Teams should also compare timestamps around the public disclosure date and the June 3, 2026 KEV addition, because those moments often drive opportunistic scanning spikes.
Strategic takeaway
CVE-2026-45247 is the kind of bug that turns a performance-oriented extension into an emergency attack surface. The lesson is not only "patch faster." It is also that e-commerce stacks need tighter component inventory, better extension governance, and clearer incident playbooks for third-party modules running on internet-facing revenue systems.
When a public storefront plugin moves into KEV territory, the right response is to treat it like an active intrusion risk: patch, hunt, validate integrity, and assume the attacker may try to persist beyond the original request path.
