Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
14JUL

Magento RCE forces 9-day patch race

3 min read
08:46UTC

CISA listed CVE-2026-45247, a CVSS 9.8 unauthenticated flaw in Magento's Mirasvit Cache Warmer, on 3 June and gave federal agencies until 6 June, nine days after Adobe's patch. Sansec and Imperva logged live attacks on retail sites in the US, UK, France and Australia.

TechnologyDeveloping
Key takeaway

An unauthenticated CVSS 9.8 Magento flaw is under active attack, with a federal patch deadline nine days after the fix.

CISA, the US Cybersecurity and Infrastructure Security Agency, added CVE-2026-45247 to its Known Exploited Vulnerabilities (KEV) catalogue on 3 June 2026, setting a 6 June deadline for federal civilian agencies (FCEB). The flaw carries a CVSS (Common Vulnerability Scoring System) score of 9.8 and needs no login, so any unpatched store is reachable from the open internet without credentials.

The bug sits in the Mirasvit Full Page Cache Warmer extension for Magento 2 and Adobe Commerce, the open-source PHP e-commerce platform that powers hundreds of thousands of online shops. A crafted serialised object in the CacheWarmer cookie triggers PHP object injection and remote code execution, running attacker code on the server 1. Sansec and Imperva logged active attacks against gaming and business sites in the United States, the United Kingdom, France and Australia 2.

Nine days separated Adobe's 25 May fix from the KEV listing, so defenders had barely a working week before the mandate bit. CISA used the same forcing function in April when it listed a 17-year-old Office remote-code-execution bug as actively exploited , proving the catalogue triggers on exploitation rather than age. The earlier cPanel flaw, by contrast, ran as a zero-day for 65 days before disclosure ; here the squeeze is the short window between patch and enforcement, because thousands of Magento stores still run the vulnerable extension and every one is reachable without a credential.

Deep Analysis

In plain English

Magento is the software that powers hundreds of thousands of online shops, from small boutiques to large retailers. The Mirasvit CacheWarmer is an add-on tool that makes Magento stores load faster by pre-warming the page cache. A flaw discovered in that add-on allows an attacker to take complete control of a Magento store's server without needing a password, just by sending a specially crafted request. CISA, the US government's cyber agency, added the flaw to its urgent-action list on 3 June and gave US government agencies until 6 June to fix it. Security firms spotted active attacks in the US, UK, France and Australia, meaning criminals were already exploiting the hole while most shop owners were still unaware.

Deep Analysis
Root Causes

Magento's extension ecosystem lacks a mandatory security-review gate before publication; the Marketplace review process checks for code quality and compatibility, not for exploitable PHP deserialisation or object injection patterns. Mirasvit's CacheWarmer module processes user-supplied cookie data through PHP's unserialise() pathway without type-checking, a class of flaw the OWASP Top 10 A08 (Software and Data Integrity Failures) has identified since 2017.

The nine-day patch-to-exploitation window also reflects the Exploit Prediction Scoring System (EPSS) dynamic: a CVSS 9.8 unauthenticated RCE in a widely deployed caching extension generates automated proof-of-concept scripts within 72 hours of public disclosure, compressing the EPSS-predicted 85th-percentile exploitation window from approximately 30 days to under a week for high-visibility targets.

What could happen next?
  • Risk

    Magento stores running the unpatched Mirasvit CacheWarmer extension remain exposed to complete server compromise enabling card-data exfiltration and persistent backdoor installation.

    Immediate · Assessed
  • Precedent

    CISA's nine-day patch-to-federal-mandate window for a third-party extension CVE sets a new enforcement benchmark that may extend to private-sector critical e-commerce infrastructure under future regulation.

    Medium term · Suggested
  • Consequence

    Extension vendors in the Magento ecosystem face commercial pressure to accelerate security review cycles; those unable to do so may face delisting from the Adobe Marketplace under tightened vetting triggered by incidents like CVE-2026-45247.

    Short term · Suggested
First Reported In

Update #6 · The 2024 patch that is breaking now

CISA· 7 Jun 2026
Read original
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.