Magento Cache Extension RCE Added to CISA KEV
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical flaw impacting Mirasvit Cache Warmer, a popular Magento full-page cache extension, to its Known Exploited
What Happened
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-45247, a critical remote code execution vulnerability in the Mirasvit Cache Warmer for Magento, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw affects a widely used Magento full-page cache extension and is being actively exploited in the wild. CISA’s move compels federal civilian agencies to remediate the vulnerability by a specific deadline, but the warning extends to all organizations using the extension.
Why It Matters
This is not an obscure plugin issue; Mirasvit Cache Warmer is one of the most popular performance extensions for Adobe Commerce (Magento) stores. An RCE in this component grants attackers direct access to the web server, bypassing many Magento-level security controls. For e-commerce platforms handling payment data, customer PII, and checkout workflows, a full server compromise can lead to data theft, site defacement, or lateral movement into the broader corporate network. The confirmed active exploitation means threat actors are already weaponizing this vulnerability.
Technical Details
CVE-2026-45247 resides in the Mirasvit Cache Warmer extension’s API endpoint processing cache warming requests. The vulnerability allows unauthenticated attackers to inject and execute arbitrary PHP code through improperly sanitized input parameters in the extension’s HTTP-based warming mechanism. Exploitation does not require prior authentication or Magento admin credentials, lowering the barrier to attack.
All Mirasvit Cache Warmer releases prior to the patched release that addressed the input validation flaw are affected. The extension is installed via Composer, and affected installations typically involve Magento 2.x deployments. Indicators of compromise (IOCs) may include unexpected cache warming API calls from external IPs, unexplained PHP file creation in web-accessible directories, or outbound connections to command-and-control servers.
Immediate Risk
The risk is critical for any Magento store running the unpatched extension. Given that Magento is a primary target for e-commerce breaches, and this vulnerability requires no authentication, exploitation can occur within minutes of an attacker identifying a vulnerable instance. CISA’s KEV inclusion signals active, ongoing attacks. Organizations have limited time before the vulnerability is incorporated into mass-scanning tools and ransomware affiliate playbooks.
Security Insight
The most overlooked aspect here is that many Magento stores run extensions that are not directly updated through the core Magento update mechanism. Mirasvit Cache Warmer, like many third-party extensions, is managed separately via Composer, an area often neglected in patch management workflows. Security teams should audit their composer.lock files for third-party extensions and establish separate monitoring for extension-level CVEs, not just core platform updates. A proactive extension vulnerability scan today could reveal additional unpatched components beyond this RCE.
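One way to run the composer.lock audit described above, as an added example that is not code from this article or from Mirasvit. It lists third-party Magento extensions in a lock file and flags any that are older than an operator-supplied fixed version. Assumptions: the package name `mirasvit/module-cache-warmer`, the `CORE_VENDORS` set, and the fixed versions in the sample watchlist are placeholders to replace with values from your own lock file and the vendor advisory.

```python
import json

CORE_VENDORS = {"magento"}  # assumption: vendors covered by core platform patching

def parse_version(v):
    """'1.2.3' or 'v1.2.3' -> 4-part tuple; None for non-numeric (dev-master)."""
    parts = v.lstrip("v").split("-")[0].split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(([int(p) for p in parts] + [0, 0, 0, 0])[:4])

def audit_lock(lock_text, watchlist):
    """Return (third_party_extensions, findings) for a composer.lock document.
    watchlist: package name -> first fixed version, filled in from advisories."""
    lock = json.loads(lock_text)
    third_party, findings = [], []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name, version = pkg["name"].lower(), pkg.get("version", "")
        is_extension = pkg.get("type", "").startswith("magento2-")
        if name.split("/")[0] in CORE_VENDORS or not is_extension:
            continue  # core packages and plain PHP libraries are out of scope
        third_party.append((name, version))
        fixed = watchlist.get(name)
        if fixed is None:
            continue
        installed, fixed_t = parse_version(version), parse_version(fixed)
        if installed is None or fixed_t is None:
            findings.append((name, version, "version not comparable, check manually"))
        elif installed < fixed_t:
            findings.append((name, version, f"older than fixed release {fixed}"))
    return third_party, findings

# Constructed sample lock file; names and versions are illustrative only.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "magento/framework", "version": "103.0.7", "type": "magento2-library"},
    {"name": "mirasvit/module-cache-warmer", "version": "1.9.3", "type": "magento2-module"},
    {"name": "examplevendor/module-shipping", "version": "dev-master", "type": "magento2-module"},
    {"name": "monolog/monolog", "version": "2.9.1", "type": "library"},
]})
# Placeholder fixed versions: replace with the values from each vendor advisory.
SAMPLE_WATCHLIST = {"mirasvit/module-cache-warmer": "1.9.5",
                    "examplevendor/module-shipping": "2.0.0"}

if __name__ == "__main__":
    extensions, findings = audit_lock(SAMPLE_LOCK, SAMPLE_WATCHLIST)
    print("third-party extensions:", extensions)
    for name, version, reason in findings:
        print(f"REVIEW {name} {version}: {reason}")
```

Run it against each environment's deployed composer.lock rather than the repository copy, since the two can drift between releases.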