If your small business runs an online store on Magento or Adobe Commerce, you need to check one specific extension this week. A critical vulnerability in the Mirasvit Full Page Cache Warmer plugin (CVE-2026-45247) lets attackers take over the server with a single crafted cookie — no password, no admin account, no clicks required. CISA added it to the Known Exploited Vulnerabilities list on June 3 with a federal patch deadline of today, June 6, and security firms are already seeing live attacks in the wild.
What happened
Sansec, a Dutch e-commerce security firm, discovered an unauthenticated PHP object injection vulnerability in Mirasvit Cache Warmer, a full-page cache extension for Magento and Adobe Commerce. Any storefront request carrying a crafted CacheWarmer cookie reaches PHP's native unserialize() on attacker-controlled data, with no authentication, no admin session and no config toggle required. With a suitable gadget chain, this leads to remote code execution. The flaw is tracked as CVE-2026-45247, rated 9.8 (critical). Mirasvit released a patched version (1.11.12) on May 25, 2026.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation in the wild. Federal Civilian Executive Branch agencies have been ordered to apply the fixes by June 6, 2026.
Thales-owned Imperva has disclosed that it has observed active attempts to exploit CVE-2026-45247 through serialized PHP object payloads delivered via malicious HTTP requests. Observed payloads contain base64-encoded serialized objects designed to trigger PHP object deserialization and achieve remote code execution. The payloads attempt to invoke functions such as system() to execute arbitrary commands on the underlying server. In several observed cases, attackers used test commands designed to validate successful code execution. The activity has primarily singled out gaming and business sites, with the U.S., the U.K., France, and Australia emerging as the most targeted countries.
Why a small business should care
If you sell anything online through Magento or Adobe Commerce — even if a developer built it years ago and you barely touch it — this affects you. All Mirasvit Cache Warmer versions before 1.11.12 are vulnerable. The extension is bundled with several Mirasvit packages, so many merchants run it without having installed it directly. Sansec scans found roughly 6,000 stores running Mirasvit extensions. Real numbers are likely higher, since content delivery networks such as Cloudflare hide many installs from fingerprinting.
In plain English: you may have this plugin installed and not know it. And the risk is higher because Magento storefronts are usually internet-facing by design. Attackers do not need internal access if the vulnerable extension is reachable from public storefront pages. That makes this vulnerability attractive for broad scanning, automated exploitation attempts, and targeted attacks against high-value e-commerce sites.
What happens after a successful break-in is the part that should keep store owners up at night. Remote code execution on a production e-commerce server means an attacker has a foothold in an environment that typically holds payment credentials, API keys, database access and customer data. What happens next depends entirely on how well that environment is locked down. Card-skimming malware, customer data theft, and webshells dropped for resale are the standard follow-ups.
What your managed-IT provider should be doing about this
If you outsource IT, your provider's checklist this week should look like this:
1. Inventory. Identify whether you run Magento or Adobe Commerce at all, and whether any Mirasvit module is installed. Because Cache Warmer is bundled with several Mirasvit packages, confirm whether it is present on your store inside another Mirasvit module.
2. Patch. Update Mirasvit Cache Warmer installations to version 1.11.12 or newer, which contains patches for the exploited flaw. If you can't patch immediately, a web application firewall rule blocking the malicious cookie pattern is the stopgap.
3. Hunt for compromise. The attack leaves a clear request signature. Look for storefront requests that carry a CacheWarmer cookie whose value contains the marker CacheWarmer: followed by a base64 string. Serialized PHP objects base64-encode to values starting with Tz, Qz or YT, so a CacheWarmer cookie value matching CacheWarmer:(Tz|Qz|YT) is a strong indicator of an exploitation attempt. Web server logs from late April onward should be reviewed.
4. Assume breach if logs are missing. Immediately after patching, scan for indicators of compromise such as unexpected PHP files in web-accessible directories like pub/. New admin accounts, modified cron jobs, and unexpected outbound connections all deserve a look.
5. Lock down the environment generally. Least-privilege access, rotated API keys, and segmented database credentials limit what an attacker can do even if they get in. This is exactly the kind of ongoing hardening that York Computer's managed IT services are built around — patching, monitoring, and incident response handled before a critical CVE shows up on a Saturday morning.
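The log hunt in step 3, as an added example (not code from Sansec, Mirasvit or this article's author): a Python scan that applies the CacheWarmer:(Tz|Qz|YT) signature to access-log lines and groups hits by client address. It assumes a log format that records the Cookie header in a trailing quoted field, which default combined-format access logs do not, and it also decodes percent-encoded cookie values; the log lines and cookie values are constructed samples.

```python
import re
from urllib.parse import unquote

# Cookie name and value marker as given in the article.
COOKIE = re.compile(r'(?:^|[;"\s])CacheWarmer=([^;"\s]*)')
MARKER = re.compile(r"CacheWarmer:(Tz|Qz|YT)")
# Assumed layout: combined log format with the Cookie header appended in quotes.
PREFIX = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')

# Constructed sample lines (documentation IPs, placeholder cookie values).
SAMPLE_LOG = '''\
198.51.100.7 - - [27/Apr/2026:09:12:44 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "PHPSESSID=constructed1"
203.0.113.10 - - [28/Apr/2026:10:15:02 +0000] "GET /checkout/cart/ HTTP/1.1" 200 812 "-" "-" "PHPSESSID=constructed2; CacheWarmer=CacheWarmer:TzCONSTRUCTEDSAMPLE"
198.51.100.7 - - [28/Apr/2026:10:16:30 +0000] "GET /sale.html HTTP/1.1" 200 7001 "-" "Mozilla/5.0" "CacheWarmer=CacheWarmer:eyCONSTRUCTEDSAMPLE"
203.0.113.10 - - [28/Apr/2026:10:17:11 +0000] "GET / HTTP/1.1" 500 0 "-" "-" "CacheWarmer=CacheWarmer%3AYTCONSTRUCTEDSAMPLE"
192.0.2.55 - - [02/May/2026:03:40:09 +0000] "GET /customer/account/ HTTP/1.1" 200 640 "-" "-" "CacheWarmer=CacheWarmer:QzCONSTRUCTEDSAMPLE; other=1"
'''

def hunt(lines):
    """Return one finding per request whose CacheWarmer cookie matches the signature."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for raw in COOKIE.findall(line):
            value = unquote(raw)  # cookie values may be logged percent-encoded
            hit = MARKER.search(value)
            if not hit:
                continue
            head = PREFIX.match(line)
            findings.append({
                "line": number,
                "client": head.group(1) if head else "?",
                "time": head.group(2) if head else "?",
                "request": head.group(3) if head else "?",
                "prefix": hit.group(1),
            })
            break  # one finding per request line is enough for triage
    return findings

def clients(findings):
    """Group matching line numbers by client address for triage."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["client"], []).append(f["line"])
    return grouped

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines()):
        print(f)
```

If the Cookie header was never logged, an empty result from this scan says nothing about whether the store was hit, and step 4 applies.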
What York Businesses Should Do
York County retailers and B2B shops running Magento or Adobe Commerce — especially anyone who inherited a store from a previous developer — should check their plugin list this week, not next. If you don't know who patches your e-commerce server, that is the problem to solve first.
Sources
- CISA Adds Exploited Magento RCE Flaw CVE-2026-45247 to KEV Catalog — The Hacker News
- Critical vulnerability in Mirasvit Cache Warmer for Magento — Sansec
- Imperva Customers Protected Against CVE-2026-45247 in Mirasvit Full Page Cache Warmer for Magento
- Mirasvit Vulnerability Exploited to Execute Code on Magento Servers — SecurityWeek
- 9.8 Mirasvit bug actively exploited on Magento servers — SC Media
- Magento CVE-2026-45247 Added to CISA KEV — Vulert