Critical RCE in Magento Mirasvit Cache Warmer Extension (CVE‑2026‑45247) Threatens E‑Commerce Supply Chain
What It Is — A critical remote‑code‑execution (RCE) flaw (CVE‑2026‑45247) exists in the Mirasvit Cache Warmer extension for Magento. The vulnerability stems from insecure deserialization of attacker‑controlled data, allowing unauthenticated code execution on the host web server.
Exploitability — Actively exploited in the wild; proof‑of‑concept exploits have been observed on public forums. CVSS v3.1 base score 9.8 (Critical).
Affected Products — Magento Open Source & Adobe Commerce platforms that have the Mirasvit Cache Warmer extension installed (versions 2.0.0‑2.5.3).
TPRM Impact — The flaw widens the attack surface of any third‑party e‑commerce site that relies on this popular caching extension, creating a supply‑chain risk for retailers, payment processors, and any downstream services that ingest customer data from compromised storefronts.
Recommended Actions —
- Immediately apply the vendor‑released patch (Mirasvit Cache Warmer 2.5.4 or later).
- Conduct an inventory of all Magento installations and verify extension versions.
- Deploy web‑application firewall (WAF) rules to block malicious serialized payloads.
- Perform a focused security scan for indicators of compromise on affected sites.
- Review third‑party risk contracts to ensure vendors maintain timely patch cycles.
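
For the inventory step above, one way to verify extension versions is to read each installation's composer.lock and compare against the affected range given in this advisory. This is an added example, not code from Mirasvit or the source article; the Composer package name and the sample lock contents are assumptions.

```python
import json
import re

PACKAGE = "mirasvit/module-cache-warmer"  # assumed Composer name; confirm locally
FIRST_AFFECTED = (2, 0, 0)   # affected range as stated in the advisory
LAST_AFFECTED = (2, 5, 3)    # 2.5.4 or later carries the fix


def parse_version(raw):
    """Return (major, minor, patch) or None for non-numeric refs like dev-master."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+.].*)?", raw.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def classify(raw_version):
    """Map an installed version string to 'affected', 'ok' or 'review'."""
    version = parse_version(raw_version)
    if version is None:
        return "review"      # branch alias or malformed string: check by hand
    if FIRST_AFFECTED <= version <= LAST_AFFECTED:
        return "affected"
    return "ok"


def audit_lock(lock_text, package=PACKAGE):
    """Return (version, status) for the package in a composer.lock, else None."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for entry in lock.get(section, []):
            if entry.get("name", "").lower() == package:
                version = entry.get("version", "")
                return version, classify(version)
    return None              # absent from Composer; manual installs are not covered


# Constructed composer.lock contents for three hypothetical storefronts.
SAMPLE_LOCKS = {
    "store-a": '{"packages": [{"name": "mirasvit/module-cache-warmer", "version": "2.5.1"}]}',
    "store-b": '{"packages": [{"name": "mirasvit/module-cache-warmer", "version": "v2.5.4"}]}',
    "store-c": '{"packages": [{"name": "magento/framework", "version": "103.0.7"}]}',
}

if __name__ == "__main__":
    for store, text in SAMPLE_LOCKS.items():
        print(store, audit_lock(text) or "extension not in composer.lock")
```

A result of None only means the extension was not installed through Composer, so sites with manually copied modules still need a separate check.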
Source: The Hacker News