A 9.8 in the Shopping Cart
CISA does not add vulnerabilities to its Known Exploited Vulnerabilities catalog lightly, and on June 3 it added one that should worry anyone running an online store on Magento or Adobe Commerce. CVE-2026-45247, a deserialization of untrusted data flaw in the popular Mirasvit Full Page Cache Warmer extension, carries a CVSS score of 9.8 and requires no authentication to exploit. In CISA's words, the extension contains a vulnerability that could allow unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie.
The combination of attributes here is close to a worst case. Maximum severity, no authentication, a third party extension that store owners may have forgotten they installed, and active exploitation in the wild. CISA underscored the urgency by ordering Federal Civilian Executive Branch agencies to apply the fixes by June 6, an unusually tight window that signals how seriously the agency views the threat. For the private sector retailers who make up the bulk of Magento's footprint, the deadline is a strong hint, not a mandate.
How the Exploit Works
The mechanics are a textbook PHP object injection. As the research firm Sansec explained, the extension deserializes the value of the CacheWarmer cookie, and because that value comes straight from the client, an attacker controls the objects PHP reconstructs. By supplying a base64 encoded serialized PHP object, an attacker triggers a gadget chain that ultimately executes arbitrary code on the server. The vulnerability affects all versions of the extension prior to 1.11.12; the patched release shipped on May 25.
Deserialization flaws are perennial because they exploit a feature, not a mistake in the usual sense. Reconstructing objects from serialized input is exactly what the code is designed to do; the failure is trusting attacker controlled input to do it. That is why these bugs keep surfacing across PHP, Java, and .NET ecosystems, and why a cache warming utility, of all things, became a full remote code execution vector. The lesson for developers is old but unlearned: never deserialize data you do not control without strict allowlisting.
Confirmed Attacks in the Wild
This is not a theoretical risk. Thales-owned Imperva disclosed that it has observed active attack activity attempting to exploit CVE-2026-45247 through serialized PHP object payloads delivered via malicious HTTP requests. The observed payloads contained base64 encoded serialized objects designed to trigger PHP object deserialization and achieve remote code execution through commonly abused gadget chains, with attackers invoking functions such as system() to run commands directly on compromised hosts.
Imperva's telemetry adds useful targeting detail. The primary targets were gaming and business websites, and the most affected regions were the United States, the United Kingdom, France, and Australia. Roughly 6,000 Magento stores were identified running the Mirasvit extension, which bounds the blast radius but does not shrink it to comfort. For an attacker, a compromised commerce server is a prize: it processes payments, holds customer data, and can be quietly turned into a skimmer that exfiltrates card details for months.
Why E-Commerce Is Such a Rich Target
Magento and Adobe Commerce power a large slice of mid market and enterprise online retail, and that makes them a standing target. A successful remote code execution on a commerce server is not a smash and grab; it is an opportunity for persistent, monetizable access. Attackers can inject card skimming code into checkout pages, harvest customer records, or pivot deeper into the network. The Magecart style attacks of recent years showed how lucrative and durable these compromises can be when defenders are slow to notice.
The structural weakness is the extension ecosystem. Magento's flexibility comes from thousands of third party modules, each with its own code quality, update cadence, and security posture. Store owners install an extension to solve a narrow problem, like cache warming, and then never think about it again. That forgotten code runs with full application privileges, which is precisely how a caching helper became a 9.8. The supply chain risk in commerce is not just the platform; it is everything bolted onto it.
Detection and Response
For defenders, the good news is that exploitation of this flaw leaves a recognizable fingerprint. Site owners should audit for storefront requests carrying a CacheWarmer cookie whose value contains the marker CacheWarmer followed by a base64 encoded string. Because serialized PHP objects base64 encode to values starting with Tz, Qz, or YT, a CacheWarmer cookie value matching that pattern is a strong indicator of an exploitation attempt. That signature makes both detection and retroactive hunting feasible.
The response sequence is the familiar one, executed with urgency. Patch to version 1.11.12 immediately, or remove the extension if it is not essential. Then assume the worst and hunt: review web server and application logs for the cookie signature, look for unexpected outbound connections or new files in writable directories, and rotate any credentials reachable from the compromised host. A 9.8 under active exploitation is not a vulnerability to schedule for the next maintenance window; it is one to treat as a potential active incident until proven otherwise.
The Takeaway for Commerce Teams
The broader message is that the patch deadline is the floor, not the ceiling. CISA's June 6 date applies to federal agencies, but the threat does not respect that boundary, and the retailers most exposed are precisely the ones least likely to be tracking CISA advisories. If your store runs Magento or Adobe Commerce, the practical action is to inventory every installed extension, confirm its version and patch status, and remove anything you cannot account for. Forgotten code is the attack surface here.
We would also push commerce teams to treat extension governance as an ongoing program rather than a one time vetting at install. Subscribe to the security feeds of the extensions you depend on, monitor the KEV catalog, and maintain the ability to patch or disable a module quickly. CVE-2026-45247 will be patched and forgotten within weeks, but the underlying exposure, a sprawling ecosystem of third party code running with full privileges, is permanent. The stores that weather the next one will be the ones that treat their extension list as a live liability.