CISA Flags Actively Exploited Magento RCE CVE-2026-45247 — Patch Now

CISA has added CVE-2026-45247 to its Known Exploited Vulnerabilities (KEV) catalog, confirming active in-the-wild exploitation of a critical remote code execution flaw in Mirasvit Cache Warmer, a widely deployed Magento full-page cache extension. KEV additions are CISA's sharpest signal: the agency only lists flaws with confirmed, ongoing exploitation — not theoretical risk.

What Happened

The vulnerability resides in Mirasvit's Cache Warmer extension for Magento 2. Details on the precise attack vector are still sparse in public advisories, but the flaw allows unauthenticated or low-privilege remote attackers to execute arbitrary code on the underlying server. RCE on an e-commerce host means full store compromise: skimmer injection, database exfiltration of payment and PII data, and lateral movement into adjacent infrastructure. CISA's confirmation of active exploitation means threat actors already have working tooling — this is not a proof-of-concept situation.

Why It Matters

Magento stores are a perennial high-value target. Payment card data, customer records, and backend admin access make them attractive for Magecart-style skimming operations and ransomware staging. A full-page cache extension sits in a privileged position in the request pipeline, making Cache Warmer a particularly dangerous attack surface — exploitation can happen without touching the Magento admin panel at all.

For federal civilian agencies, KEV listings carry a mandatory remediation deadline (typically 21 days). For everyone else, the practical deadline is right now: exploitation is confirmed, and the extension's install base is large enough to make automated scanning worthwhile for attackers.

The broader Magento ecosystem has a patch lag problem. Store operators frequently run outdated extension versions, and third-party extension updates don't arrive through Magento's core update channel — they require manual action in the admin or via Composer.

What to Do

Immediately (today):

1. Identify exposure. Check every Magento 2 instance for the Mirasvit Cache Warmer extension: composer show mirasvit/module-cache-warmer from the Magento root, or check vendor/mirasvit/module-cache-warmer on disk.
2. If installed, disable it now. In Magento Admin → Stores → Configuration → Advanced → Advanced, disable the module. Or via CLI: php bin/magento module:disable Mirasvit_CacheWarmer && php bin/magento cache:flush.
3. Apply the patch. Pull the latest release from Mirasvit's repository or via composer update mirasvit/module-cache-warmer. Verify the changelog explicitly references CVE-2026-45247.
4. Audit for compromise. If the extension was exposed prior to patching, treat the host as potentially compromised. Check for injected scripts in layout XML files, modified JS assets, and new admin users. Review access logs for unusual POST requests to cache-warmer endpoints.

Follow-on:

• Apply a WAF rule blocking requests to Cache Warmer endpoints until patched.
• Review all third-party Magento extensions for known CVEs — the Adobe Security Bulletins and Mirasvit's own advisories are the authoritative sources.
• If this is a client environment, notify them immediately; a KEV listing creates liability exposure if remediation is delayed.

Do not wait for a maintenance window on this one.