Summary Points
- Attackers are actively exploiting a critical deserialization vulnerability (CVE-2026-45247) in the Mirasvit Cache Warmer extension for Magento: a crafted serialized PHP object delivered in a cookie yields remote code execution without authentication.
- The payload is a malicious serialized PHP object carried in the CacheWarmer cookie; once unserialized, it can reach functions such as system() and current(), giving the attacker control of the affected server.
- More than 6,000 Magento stores are exposed. Recent attacks have hit gaming and business sites, primarily in the U.S., U.K., France, and Australia, and so far serve to identify vulnerable installations and confirm that remote code execution works.
Threat Overview, Attack Techniques, and Targets
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw to its Known Exploited Vulnerabilities (KEV) catalog. The flaw affects the Mirasvit Cache Warmer extension used on Magento e-commerce sites. It is tracked as CVE-2026-45247 and carries a CVSS score of 9.8 (critical). Attackers exploit it by sending a malicious serialized PHP object in the CacheWarmer cookie; when the extension unserializes it, they can run arbitrary PHP code on the server. All versions of the extension before 1.11.12 are affected. Recent reports confirm active exploitation in the wild, mainly against gaming and business websites. The attackers operate from several countries, including the U.S., the U.K., France, and Australia. Their current goal is to identify vulnerable Magento installations and confirm that remote code execution works.
Impact, Security Implications, and Remediation Guidance
If exploited, this vulnerability lets an attacker run arbitrary code on the affected server, which can lead to data theft, loss of control of the website, or further malicious activity launched from the host. The risk is especially high because no login or administrator rights are needed. Patches were released on May 25, 2026; website owners should upgrade the extension to version 1.11.12 or later immediately. For detection, administrators should look for requests carrying a CacheWarmer cookie whose value is a base64 string that starts with Tz, Qz, or YT: these are the base64 encodings of the PHP serialization prefixes O: (object), C: (custom serializable class), and a: (array). If exploitation is suspected, seek guidance from the vendor or security authorities for detailed response steps and further assistance.
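The following detection script is an added example and not part of the original report or of Mirasvit's code. It implements the check described above over access-log lines: it pulls the CacheWarmer cookie out of each line, base64-decodes the value, and flags it when the decoded bytes begin with a PHP serialization marker (O:, C:, or a:), which is exactly what the Tz/Qz/YT prefixes correspond to. The log format (a combined log with the Cookie header appended as the last quoted field), the IP addresses, and the serialized strings are all constructed for the example; the "Gadget" class is fictional and is not a real gadget chain.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

COOKIE_NAME = "CacheWarmer"

# PHP serialization prefixes a deserialization payload can start with.
# base64("O:") begins with "Tz", base64("C:") with "Qz", base64("a:") with "YT",
# which is where the Tz/Qz/YT indicators in the advisory come from.
PHP_SERIALIZED = re.compile(rb'^(O:\d+:"|C:\d+:"|a:\d+:\{)')
KIND_BY_MARKER = {"O": "object", "C": "custom", "a": "array"}

# Match the cookie wherever it appears in the Cookie header (first or after "; ").
COOKIE_RE = re.compile(r'(?<![A-Za-z0-9_])' + COOKIE_NAME + r'=([^;\s"]+)')


def extract_cookie(log_line: str) -> Optional[str]:
    """Return the raw CacheWarmer cookie value from one log line, or None."""
    m = COOKIE_RE.search(log_line)
    return m.group(1) if m else None


def decode_payload(value: str) -> Optional[bytes]:
    """URL-decode, then strictly base64-decode a cookie value; None if not base64."""
    try:
        return base64.b64decode(unquote(value), validate=True)
    except (binascii.Error, ValueError):
        return None


def classify(value: str) -> Optional[str]:
    """'object', 'custom' or 'array' if the value is a base64 PHP serialized
    payload, otherwise None (not base64, or base64 of something else)."""
    raw = decode_payload(value)
    if raw is None or not PHP_SERIALIZED.match(raw):
        return None
    return KIND_BY_MARKER[chr(raw[0])]


def scan(log_text: str) -> List[Dict[str, str]]:
    """Scan access-log text and return one hit per suspicious CacheWarmer cookie."""
    hits = []
    for line in log_text.strip().splitlines():
        value = extract_cookie(line)
        if value is None:
            continue
        kind = classify(value)
        if kind is None:
            continue
        hits.append({"ip": line.split(" ", 1)[0], "kind": kind, "cookie": value})
    return hits


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


# Constructed sample log (not real traffic). Line 1 carries a serialized object,
# line 2 a serialized array, line 3 base64 of a plain number, line 4 no cookie.
_LINE = '%s - - [26/May/2026:10:01:0%d +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "%s"'
SAMPLE_LOG = "\n".join([
    _LINE % ("203.0.113.10", 2, "CacheWarmer=" + b64(b'O:6:"Gadget":1:{s:3:"cmd";s:6:"whoami";}')),
    _LINE % ("203.0.113.11", 3, "PHPSESSID=abc123; CacheWarmer=" + b64(b'a:1:{i:0;s:4:"test";}')),
    _LINE % ("203.0.113.12", 4, "CacheWarmer=" + b64(b"1680000000")),
    _LINE % ("203.0.113.13", 5, "-"),
])

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ip']} sent a serialized PHP {hit['kind']} in {COOKIE_NAME}")
```

The strict base64 decode matters: a value that merely happens to start with the letters "Tz" but is not valid base64 is noise, while a URL-encoded payload (with `%3D` padding) would be missed by a naive prefix grep. Any hit of kind "object" or "custom" from an unpatched store should be treated as an exploitation attempt. On the code side, the generic PHP safeguard is never to call unserialize() on attacker-controlled input; if a serialized format is unavoidable, pass `['allowed_classes' => false]` so that no object can be instantiated from the data.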
