CISA added CVE-2026-45247 to its Known Exploited Vulnerabilities catalog on June 3 after Imperva reported in-the-wild attacks. It’s a CVSS 9.8 unauthenticated remote code execution flaw in Mirasvit Full Page Cache Warmer, a caching extension for Magento 2 and Adobe Commerce. A single crafted cookie on an ordinary storefront request is enough to run arbitrary commands on the server. Federal civilian agencies have until June 6 to patch. If you run Magento, this is a tonight problem.

What happened

Dutch e-commerce security firm Sansec disclosed the bug on May 26. Mirasvit had shipped a fix in version 1.11.12 a day earlier, on May 25. CISA’s KEV addition on June 3 followed Imperva’s threat research team observing active exploitation attempts, and The Hacker News confirmed the federal remediation deadline of June 6, 2026.

The extension reads a client-supplied CacheWarmer cookie and passes the attacker-controlled value straight into PHP’s native unserialize() without restricting which classes can be instantiated. That’s textbook deserialization of untrusted data (CWE-502). Because the cookie is honored on normal storefront requests, exploitation requires no authentication, no admin account, and no special configuration — the value comes straight from the client, so the attacker controls every object PHP reconstructs.

On its own, object injection is only a primitive. The escalation comes from gadget chains already present in Magento and its dependencies. Imperva observed payloads abusing classes from the widely bundled Monolog logging library — SyslogUdpHandler, BufferHandler, FingersCrossedHandler, and GroupHandler — chained to invoke system() and current() and execute shell commands. One crafted cookie is the whole exploit.

Who’s affected

Every version of Mirasvit Full Page Cache Warmer prior to 1.11.12, on both Magento 2 and Adobe Commerce. Sansec counted roughly 6,000 stores running Mirasvit extensions, and the real figure is almost certainly higher — Cloudflare and other CDNs mask the install fingerprint. Worse, Cache Warmer can ship bundled inside other Mirasvit packages, so you may be exposed without ever having installed it directly. Inventory by module, not by memory.

Active exploitation

Imperva’s telemetry shows early-stage, validate-then-weaponize activity. Attackers are sending base64-encoded serialized objects and running throwaway test commands to confirm code execution before deploying real tooling — payloads like echo PWNED_CVE2026_$(date +%s) and sleep 5. So far the targeting skews toward gaming and business sites, with the United States, United Kingdom, France, and Australia hit hardest. Attribution is unknown; the current goal appears to be mapping which stores are vulnerable and confirming RCE works, which means the noisy reconnaissance phase is your window to patch before the webshells land.

What to do right now

Update Mirasvit Full Page Cache Warmer to 1.11.12 or later immediately, and audit every installed Mirasvit module and its version — remember it may be transitively bundled. Then hunt your logs: look for storefront requests carrying a CacheWarmer cookie whose value contains the marker CacheWarmer: followed by a base64 string. Sansec notes that serialized PHP objects base64-encode to values beginning with Tz, Qz, or YT, so a cookie matching CacheWarmer:(Tz|Qz|YT) is a strong indicator of an exploitation attempt.

If you find hits, assume compromise and sweep for webshells, unexpected file modifications, unfamiliar cron or scheduled tasks, and outbound connections from PHP-FPM. A WAF rule blocking serialized-object payloads in the CacheWarmer cookie is a reasonable stopgap while you patch, but it is not a substitute for the update. Federal civilian agencies are bound by BOD 22-01 to remediate by June 6.

The pattern here is familiar: unauthenticated deserialization RCE in a widely deployed e-commerce component, public PoC-grade detail, and exploitation within days of disclosure. The barrier to entry is a single cookie. Treat it accordingly.