The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Magento-related vulnerability, tracked as CVE-2026-45247, to its Known Exploited Vulnerabilities (KEV) Catalog after confirming that it is being actively exploited in real-world attacks. The flaw affects Mirasvit Cache Warmer, a Magento extension used by online stores to improve website performance through full-page caching. Security experts have assigned the vulnerability a CVSS score of 9.8, placing it in the critical severity category. The addition to the KEV Catalog highlights the serious risk the flaw poses to organizations using affected versions of the extension.

According to security researchers, the vulnerability is caused by the insecure handling of serialized data within the extension. Attackers can exploit the weakness by sending a specially crafted CacheWarmer cookie to a vulnerable Magento website. Once the malicious data is processed, it can trigger the execution of unauthorized code on the server. Because of the way the flaw works, attackers can potentially gain control over affected systems remotely.

One of the most dangerous aspects of CVE-2026-45247 is that it does not require authentication. This means attackers do not need administrator credentials, valid user accounts, or any special permissions to launch an attack. As a result, vulnerable websites can be targeted directly from the internet. Security experts warn that flaws requiring no authentication are often among the easiest for threat actors to exploit on a large scale.

Researchers explained that the attack uses a technique known as PHP Object Injection. The malicious CacheWarmer cookie contains serialized PHP objects that are reconstructed by the server through the unserialize() function. Attackers can then combine this behavior with existing Magento components to achieve Remote Code Execution (RCE). Successful exploitation allows arbitrary commands to be executed on the targeted server.

The vulnerability affects all versions of Mirasvit Cache Warmer released before version 1.11.12. To address the issue, the vendor released a security update on May 25, 2026, and urged customers to update immediately. Organizations that continue running older versions remain exposed to potential attacks. Applying the latest security patches is currently the most effective way to protect affected Magento environments.

Researchers from Sansec reported finding approximately 6,000 Magento stores running Mirasvit extensions during their investigation. However, they believe the actual number of affected websites may be significantly higher. Many online stores use content delivery networks and other technologies that make it difficult to identify installed extensions from the outside. This means the overall exposure could be larger than current estimates suggest.

Security company Imperva has already detected active exploitation attempts targeting the vulnerability. Investigators observed attackers sending Base64-encoded serialized PHP payloads through malicious HTTP requests designed to trigger remote code execution. In several cases, attackers first executed simple test commands to verify that the targeted system was vulnerable. This behavior suggests that threat actors are actively scanning the internet for exposed Magento installations.

Current attack data shows that gaming and business-related websites have been among the primary targets of the campaign. The highest number of observed attacks has been linked to organizations in the United States, the United Kingdom, France, and Australia. Although researchers have not publicly identified the attackers behind the activity, CISA has directed federal agencies to apply fixes by June 6, 2026. Security teams are also advised to review logs for suspicious CacheWarmer cookies containing Base64-encoded values, as these may indicate attempted exploitation.
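The log review the article recommends can be automated with a small heuristic: pull the CacheWarmer cookie out of each request line, Base64-decode it, and flag any value that decodes to PHP's serialized-object format (`O:<len>:"<Class>":...` or `C:<len>:"<Class>":`). The script below is an added example written for this page, not code from CISA, Sansec, Imperva or Mirasvit. It assumes the web server has been configured to write the `Cookie` request header into the access log (default combined formats do not), that no legitimate client sends a serialized PHP object in that cookie, and it uses constructed log lines with a harmless `stdClass` object as the positive sample rather than any real payload.

```python
"""Flag CacheWarmer cookies that carry Base64-encoded serialized PHP objects in web logs."""
import base64
import binascii
import re
from typing import List, Optional
from urllib.parse import unquote

# Constructed sample log lines (not real traffic). Assumption: the access log includes the
# Cookie request header; many default log formats omit it and it must be enabled first.
_BENIGN_OBJECT = b'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}'  # harmless stand-in for a real payload
SAMPLE_LOG_LINES = [
    '203.0.113.10 - - [26/May/2026:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 '
    '"Cookie: CacheWarmer=1; PHPSESSID=abc123"',
    '203.0.113.11 - - [26/May/2026:10:01:03 +0000] "GET /index.php HTTP/1.1" 200 '
    '"Cookie: CacheWarmer=' + base64.b64encode(_BENIGN_OBJECT).decode() + '; PHPSESSID=def456"',
    '203.0.113.12 - - [26/May/2026:10:01:04 +0000] "GET /index.php HTTP/1.1" 200 '
    '"Cookie: CacheWarmer=aGVsbG8=; form_key=x"',            # Base64 but not serialized data
    '203.0.113.13 - - [26/May/2026:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 '
    '"Cookie: form_key=Zm9ybWtleQ=="',                        # no CacheWarmer cookie at all
]

_CLIENT_RE = re.compile(r"^(\S+)")
_COOKIE_RE = re.compile(r"CacheWarmer=([^;\s\"]+)")
# PHP serialization writes objects as O:<len>:"<class>":<n>:{...} and classes implementing
# Serializable as C:<len>:"<class>":... . Objects can be nested inside a serialized array
# (a:...), so the pattern is deliberately not anchored to the start of the blob.
_PHP_OBJECT_RE = re.compile(rb'[OC]:\d+:"([A-Za-z0-9_\\]+)"')


def decode_cookie_value(value: str) -> Optional[bytes]:
    """Return the Base64-decoded cookie value, or None if it is not valid Base64."""
    raw = unquote(value)                            # '=' and '+' are often URL-encoded in cookies
    raw = raw.replace("-", "+").replace("_", "/")   # accept the URL-safe alphabet as well
    raw += "=" * (-len(raw) % 4)                    # restore padding that was stripped
    try:
        return base64.b64decode(raw, validate=True)
    except (binascii.Error, ValueError):
        return None


def serialized_php_classes(blob: bytes) -> List[str]:
    """Return the class names of serialized PHP objects found in the blob (empty if none)."""
    return [m.group(1).decode("ascii", "replace") for m in _PHP_OBJECT_RE.finditer(blob)]


def scan_log_lines(lines) -> List[dict]:
    """Return one finding per log line whose CacheWarmer cookie decodes to serialized PHP objects."""
    findings = []
    for line in lines:
        cookie = _COOKIE_RE.search(line)
        if not cookie:
            continue
        decoded = decode_cookie_value(cookie.group(1))
        if decoded is None:
            continue
        classes = serialized_php_classes(decoded)
        if classes:
            client = _CLIENT_RE.match(line).group(1)
            findings.append({"client": client, "classes": classes, "cookie": cookie.group(1)})
    return findings


if __name__ == "__main__":
    for finding in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"{finding['client']}: CacheWarmer cookie deserializes to {finding['classes']}")
```

The class names the detector extracts are the useful part of a finding: an unexpected Magento or framework class in that cookie is the kind of value worth escalating, and the decoded blob itself can be preserved as evidence. The check only reads logs and never deserializes anything, so it is safe to run over historical data; the underlying fix remains upgrading the extension to the patched version.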