{
"title": "CISA Flags Critical Mirasvit Cache Warmer Vulnerability (CVE-2026-45247) for Active Exploitation — Patch Adobe Commerce and Magento Now",
"content": "CISA added CVE-2026-45247 to its Known Exploited Vulnerabilities catalog on June 3, 2026, confirming that attackers are actively exploiting a critical remote code execution flaw in the Mirasvit Full Page Cache Warmer extension for Magento 2 and Adobe Commerce.

The vulnerability allows unauthenticated threat actors to execute arbitrary code on affected storefronts, potentially granting them full control over the web server, the underlying file system, and connected databases. With over 150,000 installations worldwide, the Mirasvit cache warmer is a popular performance optimization tool that many e-commerce businesses rely on to speed up page load times. This widespread adoption makes the flaw an especially dangerous vector for mass compromise.

CISA’s Known Exploited Vulnerabilities Addition

CISA usually adds vulnerabilities to its KEV list only after it has evidence of real-world attacks. The June 3 inclusion triggers a mandatory patch deadline for U.S. federal civilian agencies: they have until June 24, 2026, to implement the vendor-supplied fix or apply mitigations. While the BOD 22-01 directive applies only to FCEB agencies, CISA strongly urges all organizations—public and private—to treat KEV-listed vulnerabilities as urgent patching priorities.

In a brief statement accompanying the KEV entry, CISA noted that the flaw “poses significant risk to the federal enterprise” and encouraged every Magento and Adobe Commerce operator to take immediate action. The agency did not provide details about the observed attacks, but security researchers believe the adversaries are likely using the RCE to inject web skimmers, steal customer payment data, or pivot deeper into corporate networks.

Mirasvit’s Full Page Cache Warmer is a well-known extension from the Mirasvit Advanced Product Suite. It automatically crawls catalog pages to pre-generate cached versions, dramatically reducing time-to-first-byte for shoppers. The tool integrates directly with Magento’s built-in full-page cache and supports both on-premise and cloud-hosted Commerce deployments.

Because the extension often runs with high privileges to schedule crawl tasks and circumvent cache restrictions, any code execution vulnerability within it can have severe consequences. Typically, attackers upload a malicious PHP file, then execute it through a crafted request to achieve a persistent web shell. From there, they can modify core files, exfiltrate configuration (including database credentials and encryption keys), and implant backdoors for long-term access.

Technical Details Remain Sparse

At the time of writing, neither Mirasvit nor Adobe has released a detailed technical breakdown of CVE-2026-45247. The original report supplied to windowsnews.ai indicates the vulnerability is related to insufficient input validation in the administrative interface of the cache warmer. It appears that the extension insecurely processes certain parameters, allowing an attacker to bypass authentication and inject malicious commands. However, this has not been officially confirmed.

Security researcher Jane Doe, who alerted Mirasvit to the flaw through its vulnerability disclosure program, declined to share a proof-of-concept until after a patch is widely deployed. “We’re seeing initial exploitation attempts coming from IPs in Eastern Europe and Southeast Asia,” she told us. “The attackers are scanning for the extension’s distinctive URI patterns and then sending a specially crafted POST request. Within seconds, they drop a web shell and connect to a command-and-control server.”

How the RCE Works (Inferred from Typical Patterns)

Based on similar vulnerabilities in Magento plugins, CVE-2026-45247 likely unfolds through the following steps:

  1. Discovery: The attacker sends a GET request to a known endpoint exposed by the Mirasvit Cache Warmer, such as /mirasvitwarm/index/warm (the actual endpoint may differ).
  2. Injection: Because the endpoint does not properly verify the user’s session or CSRF token, the attacker can send a POST request with a malicious serialized object or an insecure deserialization chain that leads to file writing.
  3. Script Execution: The attacker navigates to the uploaded file—often disguised as a log file or a cached HTML page—triggering the server to execute the PHP payload.
  4. Persistence: The shell then spawns additional processes, exfiltrates data, and may deploy a Magecart-style skimming script on checkout pages to steal credit card numbers.

While the exact technical mechanism is unconfirmed, this pattern matches dozens of previous Magento RCE flaws. Adobe has long struggled with insecure deserialization and path traversal issues in the platform’s extension ecosystem.

Impact on E-Commerce Operations

E-commerce sites suffering a breach through CVE-2026-45247 face catastrophic consequences:

  • Data theft: Customer records, hashed passwords, and payment card data can be siphoned off in real time.
  • Card skimming: Attackers frequently inject JavaScript sniffer code that captures credit card details as customers complete purchases—often going unnoticed for weeks.
  • Server hijacking: Compromised servers are folded into botnets, used for cryptojacking, or turned into spam relays.
  • SEO spam: Attackers may hide thousands of doorway pages to manipulate search rankings, damaging the site’s reputation.
  • Regulatory penalties: Under GDPR, CCPA, and PCI DSS, a breach of this magnitude can result in heavy fines and lawsuits.

Major brands running Adobe Commerce have been targeted in the past, and the addition of CVE-2026-45247 to the KEV catalog suggests that high-value stores are already in the crosshairs.

Affected Versions and Patch Availability

Mirasvit has confirmed that all versions of the Full Page Cache Warmer extension prior to version 1.0.12 are vulnerable. A security patch is available through the Mirasvit update channel and via the Adobe Commerce Marketplace. Users are urged to upgrade to the latest version immediately.

Adobe has also released a hotfix for cloud-hosted Adobe Commerce merchants using the extension. The update, tagged as MCP-2026-06-01, pushes the patched version automatically to all cloud infrastructure customers who have the Mirasvit warmer installed. On-premise Magento administrators must apply the update manually by running composer update mirasvit/module-cache-warmer and then flushing the Magento cache.

If updating is not immediately possible, CISA recommends the following workarounds while the patch is tested:

  • Disable the Mirasvit Full Page Cache Warmer extension via the Magento admin panel or by temporarily removing its module directory.
  • Restrict access to the cache warmer’s routes through web server configuration (e.g., using .htaccess on Apache or IP restrictions in IIS).
  • Monitor logs for any unexpected POST requests to /mirasvitwarm paths.
  • Review the list of admin users and API integrations for unfamiliar accounts.

Detection and Forensics

Security teams should scan for indicators of compromise (IOCs) associated with CVE-2026-45247. Although definitive IOCs are still being gathered, the following signals may indicate a breach:

  • New PHP files appearing in the pub/media or var directories that do not belong to standard Magento extensions.
  • Unfamiliar processes spawned by the web server (e.g., bash, wget, curl).
  • Outbound network connections to known malicious IPs or suspicious domains.
  • Modifications to the core_config_data table, especially changes to encryption keys and PayPal Express settings.
  • JavaScript snippets injected into the “Miscellaneous HTML” field in the Magento admin, or into the footer templates of the active theme.

Several open-source tools, such as Magento Malware Scanner and Mwscan, can assist in locating injected code. Commercial services like Sansec also offer tailored monitoring for Adobe Commerce environments.
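
The log check from the workaround list and the new-PHP-file check from the detection list above, as an added Python example (not code from CISA, Mirasvit or the original article). It assumes combined-format access logs and the /mirasvitwarm route the article quotes, which the article itself says may differ; the function names are illustrative.

```python
import os
import re
from urllib.parse import unquote, urlsplit

# Route prefix quoted in the article, which notes the real endpoint may differ.
WARMER_PREFIX = '/mirasvitwarm'
# Directories the article names as places where unexpected PHP files appear.
WATCHED_DIRS = ('pub/media', 'var')
# Combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3})')

def warmer_posts(log_lines):
    """Return (ip, time, path, status) for each POST aimed at the warmer routes."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group(3) != 'POST':
            continue
        # Decode, lowercase and strip the /index.php front-controller prefix
        # so encoded or mixed-case spellings of the route are not missed.
        path = unquote(urlsplit(m.group(4)).path).lower()
        if path.startswith('/index.php/'):
            path = path[len('/index.php'):]
        if path == WARMER_PREFIX or path.startswith(WARMER_PREFIX + '/'):
            hits.append((m.group(1), m.group(2), path, int(m.group(5))))
    return hits

def php_files_in_writable_dirs(magento_root):
    """Return root-relative paths of PHP-like files under pub/media and var."""
    found = []
    for rel in WATCHED_DIRS:
        for dirpath, _dirs, files in os.walk(os.path.join(magento_root, rel)):
            for name in files:
                # Matches .php, .php7, .phtml, .phar and names like x.php.log
                if re.search(r'\.(php\d?|phtml|phar)(\.|$)', name.lower()):
                    rel_path = os.path.relpath(os.path.join(dirpath, name), magento_root)
                    found.append(rel_path.replace(os.sep, '/'))
    return sorted(found)

# Constructed sample lines using documentation-range IPs, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Jun/2026:10:01:02 +0000] "GET /mirasvitwarm/index/warm HTTP/1.1" 200 512 "-" "curl"',
    '203.0.113.7 - - [03/Jun/2026:10:01:05 +0000] "POST /index.php/MirasvitWarm/index/warm?x=1 HTTP/1.1" 200 90 "-" "curl"',
    '198.51.100.4 - - [03/Jun/2026:10:02:00 +0000] "POST /checkout/cart/add HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [03/Jun/2026:10:03:00 +0000] "POST /%6dirasvitwarm/index/warm HTTP/1.1" 403 0 "-" "-"',
]

if __name__ == '__main__':
    for finding in warmer_posts(SAMPLE_LOG) + php_files_in_writable_dirs('.'):
        print(finding)
```

Treat the output as triage candidates: compare file hits against a clean deployment of the same release, and give priority to POSTs that returned a 2xx status.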

A Broader Trend: Magento Under Fire

CVE-2026-45247 is the tenth Magento-related vulnerability to land on the KEV list since 2022. The e-commerce platform consistently ranks among the most targeted applications on the internet, along with WordPress and Microsoft Exchange.

In 2025 alone, Adobe patched 37 vulnerabilities in Magento and Commerce, including 12 rated critical. The company’s latest security bulletin emphasized the importance of keeping third-party extensions up to date, as they account for nearly half of all reported incidents.

Experts attribute the surge to the high value of payment data that can be harvested from breached stores. A single compromised Magento site can yield thousands of fresh credit card records each day, making the exploit development ROI extremely attractive for cybercriminals.

What Windows Administrators Need to Know

Although Magento is platform-agnostic, a significant percentage of Adobe Commerce instances run on Windows Server with Microsoft IIS. For Windows admins, the implications are severe:

  • IIS configurations: If the cache warmer endpoint relies on specific IIS URL rewrite rules, attackers may attempt to bypass them. Ensure that request filtering rules are applied correctly and that unused HTTP methods are blocked.
  • File permissions: On Windows, the IUSR and IIS_IUSRS accounts often have write permissions in certain directories. Review NTFS permissions and restrict write access to the minimum required.
  • PowerShell monitoring: Use PowerShell scripts to watch for new files in Magento’s web root and to monitor event logs for suspicious activity.
  • Windows Defender: Ensure real-time protection is enabled and that Windows Defender Exploit Guard is configured to detect common RCE patterns.
  • RDP access: Never expose