CISA on June 3 added a single new entry to its Known Exploited Vulnerabilities catalog: CVE-2026-45247, a deserialization of untrusted data vulnerability in the Mirasvit Full Page Cache Warmer extension for Magento and Adobe Commerce. The agency cited evidence of active exploitation and gave Federal Civilian Executive Branch agencies the standard three-week remediation window required by Binding Operational Directive 22-01. For the broader retail and digital commerce community, the listing is a clear signal that exploitation is no longer theoretical and that opportunistic mass scanning is already underway.
The Mirasvit extension is a popular performance add-on used to pre-warm full page cache entries on high-traffic Magento and Adobe Commerce stores. It hooks into core caching pipelines and runs with the same trust level as the storefront itself. Because it accepts serialized data from cache jobs and handles those payloads inside PHP worker processes, a deserialization flaw in the warmer effectively gives an attacker the ability to instantiate arbitrary PHP objects in the context of the store. In Magento and Adobe Commerce environments, that quickly chains into remote code execution through well-known PHP gadget chains, the same primitive that has fueled the Magecart and TrojanOrders campaigns over the last several years.
How the deal breaks down
The risk to retailers is severe and concrete. A successful exploit gives an attacker code execution on the storefront server, which means they can drop a JavaScript skimmer into checkout templates, modify payment routing, scrape customer PII from the database, create persistent admin users, and pivot into back office systems that share network trust with the storefront. Skimmer campaigns of this type typically remain undetected for weeks because the injected JavaScript only fires on the checkout page and exfiltrates card data to attacker-controlled domains that often impersonate analytics or tag management providers. By the time fraud teams notice anomalies, hundreds of thousands of card records can already be on criminal markets.
We see three immediate actions for security and platform teams. First, inventory: every store running Adobe Commerce or Magento Open Source needs to confirm whether the Mirasvit Full Page Cache Warmer is installed, including in staging and pre-production environments that are often left exposed to the public internet. Second, patch: apply the latest Mirasvit release as soon as the vendor publishes a fixed version, and pin the dependency in composer to prevent regression. Where a patched version is not yet available, the extension should be disabled and the cache warming workflow temporarily handled by Magento core jobs or the platform CDN. Third, hunt: any environment that has been exposed and unpatched should be treated as potentially compromised. Look for unexplained PHP-FPM child processes, new admin accounts in the admin_user table, modified checkout JavaScript files, outbound HTTPS connections to newly registered domains, and signs of webshell drops in pub/media and var/.
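The filesystem side of the hunt step above can be scripted. The following is an added example, not code from the article or from Mirasvit: three shell helpers that flag PHP files dropped under pub/media or var/, list checkout JavaScript modified within the last N days, and extract the external hosts referenced by static JavaScript so they can be compared against an allowlist of expected CDN and tag providers. It assumes a standard Magento directory layout under the root passed as the first argument; the allowlist file format (one hostname per line) is an assumption of this script. The admin_user and process checks from the article still need the database and a process listing and are not covered here.

```bash
#!/usr/bin/env bash
# Added example (not from the article or Mirasvit). Assumed layout:
# <root>/pub/media, <root>/var and <root>/pub/static, as in a stock Magento install.
set -eu

# PHP sources under the upload and runtime directories are a classic webshell
# indicator: these paths should hold images, exports and logs, never executable code.
find_php_in_upload_dirs() {
  local root="$1"
  find "$root/pub/media" "$root/var" -type f \
    \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \) 2>/dev/null | sort
}

# Checkout JavaScript changed recently. Deployments rewrite pub/static, so compare
# the hits against the last known deploy time before treating them as injected.
find_recent_checkout_js() {
  local root="$1" days="$2"
  find "$root/pub/static" -type f -name '*.js' \
    \( -path '*checkout*' -o -path '*Checkout*' \) -mtime -"$days" 2>/dev/null | sort
}

# Every https/http host referenced by static JavaScript, minus the allowlist
# (one hostname per line, an assumed format). Skimmers usually call out to a
# fresh domain styled after an analytics or tag-management vendor.
find_unexpected_hosts() {
  local root="$1" allowlist="$2"
  grep -rhoE 'https?://[A-Za-z0-9.-]+' "$root/pub/static" 2>/dev/null \
    | sed -E 's#^https?://##' | sort -u \
    | grep -vxF -f "$allowlist" || true
}

# Usage: ./hunt.sh /var/www/magento [allowlist.txt]
if [ -n "${1:-}" ]; then
  echo "== PHP files under pub/media or var/ =="
  find_php_in_upload_dirs "$1"
  echo "== checkout JS modified in the last 7 days =="
  find_recent_checkout_js "$1" 7
  echo "== external hosts not on the allowlist =="
  find_unexpected_hosts "$1" "${2:-/dev/null}"
fi
```

Run it against the store root on every exposed environment, staging included. A hit in the first list is almost never legitimate; hits in the other two need to be reconciled against deployment records and the list of third-party scripts the store is known to load.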
Why this matters for the buy side
For organizations that operate cardholder data environments, the PCI DSS implications are immediate. A confirmed compromise of a payment page is a reportable event under both card brand rules and many regional privacy regimes. Under GDPR and the UK Data Protection Act, exposure of customer names, addresses, and payment card numbers triggers a 72-hour notification clock to the relevant supervisory authority, and in many cases direct notification to affected customers. DORA-covered financial entities that operate eCommerce channels should also evaluate whether the incident meets their major ICT-related incident reporting threshold.
This advisory lands in a week where CISA has been unusually active. On June 2 the agency added a Linux kernel improper authentication flaw and an Android framework integer overflow to KEV, both with evidence of active exploitation in mobile fleets. Also on June 2, CISA together with the FBI, NSA, DOE, EPA, TSA, DOT and USDA issued a joint fact sheet on hardening Automatic Tank Gauge systems against an ongoing intrusion campaign targeting fuel infrastructure. The cumulative pattern matters: federal cyber defenders are signaling that exploit volume across consumer, enterprise, and operational technology stacks is climbing at the same time, which stretches incident response and patch management capacity. Security leaders should plan staffing and on-call rotations with that reality in mind for the rest of the quarter.
What tech leaders should do next
For boutique and mid-market retailers running on Adobe Commerce, the practical takeaway is to treat KEV additions for Magento ecosystem extensions with the same urgency as a core platform CVE. Extensions sit inside the same trust boundary as the application, and the supply chain risk they carry has historically been underestimated. Teams that operate stores on behalf of brands, including major European retailers and large grocery operators, should fold third-party Magento extensions into their software bill of materials and run a regular cadence of dependency reviews, including pre-production scanning for known vulnerable versions. The next wave of card skimming is almost certainly already running against unpatched targets, and the cost of a confirmed cardholder data compromise far exceeds the cost of a same-week extension audit.