CISA Warns: Critical Magento Cache Warmer RCE Exploited in Attacks

Marcus Rodriguez
June 4, 2026

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning regarding a critical remote code execution vulnerability. Tracked as CVE-2026-45247, this flaw affects the Mirasvit Full Page Cache Warmer extension for Magento.

The flaw, stemming from insecure deserialization of untrusted data, is now being actively exploited in real-world attacks, raising concerns across eCommerce environments that rely on Magento platforms.

According to CISA, the vulnerability exists in how the extension processes serialized PHP objects received through the CacheWarmer cookie.

An unauthenticated attacker can craft a malicious serialized payload and send it via this cookie, triggering unsafe deserialization on the server.

This behavior allows arbitrary code execution without requiring valid credentials, making it particularly dangerous for internet-facing Magento stores.

Magento Cache Warmer RCE Flaw Exploited

The issue has been classified under CWE-502, which covers deserialization of untrusted data, a well-known class of vulnerabilities frequently abused in web applications.

When exploited, attackers can execute system commands, deploy backdoors, or pivot deeper into the hosting environment. Given Magento’s widespread use in enterprise and mid-sized eCommerce deployments, the attack surface is significant.

CISA added CVE-2026-45247 to its Known Exploited Vulnerabilities (KEV) catalog on June 3, 2026, confirming active exploitation.

Federal agencies and organizations are required to remediate the issue by June 6, 2026, under Binding Operational Directive (BOD) 22-01.

While there is currently no public confirmation linking this flaw to ransomware campaigns, the nature of the vulnerability makes it highly attractive for initial access brokers and financially motivated threat actors.

Security researchers note that exploitation attempts may include suspicious HTTP requests containing a manipulated “CacheWarmer” cookie with encoded PHP object payloads.

Indicators of compromise may involve unexpected web server processes, unauthorized file creation within Magento directories, or outbound connections to unknown IP addresses following exploitation.

Logs may reveal abnormal cookie values or repeated requests targeting cache warming endpoints. Organizations using the Mirasvit Full Page Cache Warmer extension are strongly advised to apply vendor-provided patches or mitigations immediately.

If no fix is available, CISA recommends disabling or removing the affected component entirely to eliminate exposure.

Additional defensive measures include implementing web application firewall rules to inspect and block malicious serialized input, monitoring application logs for anomalies, and restricting access to sensitive endpoints.
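The log review described above can be sketched as follows. This is an added example, not code from CISA, Mirasvit, or this article's sources; it assumes an access log format in which the Cookie header is logged as the last quoted field (not a default setting), the function names are hypothetical, and the sample lines are constructed with a harmless `stdClass` object.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote_to_bytes

# PHP serialize() object markers: O:<len>:"<Class>":<count>:{ and C:<len>:"<Class>":<len>:{
PHP_OBJECT = re.compile(rb'(?:^|[;{])[OC]:\d+:"([A-Za-z_\\][\w\\]*)":\d+:\{')

def cookie_value(header, name="CacheWarmer"):  # cookie named in the advisory
    """Return the raw value of cookie `name` from a Cookie header, or None."""
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None

def serialized_classes(value):
    """Class names of PHP serialized objects in a cookie value (URL- or base64-encoded)."""
    raw = unquote_to_bytes(value)
    candidates = [raw]
    try:
        candidates.append(base64.b64decode(raw, validate=True))
    except (binascii.Error, ValueError):
        pass  # not base64; only the URL-decoded form is checked
    return [m.decode("latin-1") for blob in candidates for m in PHP_OBJECT.findall(blob)]

def scan(lines):
    """Return (line_no, client_ip, classes) for each line whose cookie carries an object."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.rsplit('"', 2)  # assumed format: Cookie header is the last quoted field
        value = cookie_value(parts[1]) if len(parts) == 3 else None
        classes = serialized_classes(value) if value else []
        if classes:
            hits.append((n, line.split()[0], classes))
    return hits

# Constructed sample data: a harmless stdClass object, URL-encoded and base64-wrapped.
_OBJ = 'O:8:"stdClass":1:{s:1:"a";s:1:"b";}'
_REQ = ' - - [04/Jun/2026:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "'
SAMPLE = [
    '203.0.113.5' + _REQ + 'PHPSESSID=abc123"',
    '203.0.113.9' + _REQ + 'CacheWarmer=' + quote(_OBJ, safe="") + '"',
    '198.51.100.7' + _REQ + 'PHPSESSID=x; CacheWarmer=' + base64.b64encode(_OBJ.encode()).decode() + '"',
    '192.0.2.44' + _REQ + 'CacheWarmer=1"',
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Any hit is worth triage regardless of the class name, since a cookie set by normal browsing should not carry a serialized object at all.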

This incident highlights the continued risk posed by insecure deserialization flaws in modern web applications. As attackers increasingly automate the exploitation of newly disclosed vulnerabilities, timely patching and proactive monitoring remain critical to defending production environments.

Magento administrators, in particular, should review third-party extensions regularly to ensure they meet secure coding standards and do not introduce hidden attack vectors into otherwise hardened systems.
