Cybersecurity: Threats and Defences
7 Jun, 10:08 UTC

Magento RCE forces 9-day patch race

CISA listed CVE-2026-45247, a CVSS 9.8 unauthenticated flaw in Magento's Mirasvit Cache Warmer, on 3 June and gave federal agencies until 6 June, nine days after Adobe's patch. Sansec and Imperva logged live attacks on retail sites in the US, UK, France and Australia.

Key takeaway

An unauthenticated CVSS 9.8 Magento flaw is under active attack, with a federal patch deadline nine days after the fix.

CISA, the US Cybersecurity and Infrastructure Security Agency, added CVE-2026-45247 to its Known Exploited Vulnerabilities (KEV) catalogue on 3 June 2026, setting a 6 June deadline for federal civilian agencies (FCEB). The flaw carries a CVSS (Common Vulnerability Scoring System) score of 9.8 and needs no login, so any unpatched store is reachable from the open internet without credentials.

The bug sits in the Mirasvit Full Page Cache Warmer extension for Magento 2 and Adobe Commerce, the open-source PHP e-commerce platform that powers hundreds of thousands of online shops. A crafted serialised object in the CacheWarmer cookie triggers PHP object injection and remote code execution, running attacker code on the server [1]. Sansec and Imperva logged active attacks against gaming and business sites in the United States, the United Kingdom, France and Australia [2].

Nine days separated Adobe's 25 May fix from the KEV listing, so defenders had barely a working week before the mandate bit. CISA used the same forcing function in April when it listed a 17-year-old Office remote-code-execution bug as actively exploited, proving the catalogue triggers on exploitation rather than age. The earlier cPanel flaw, by contrast, ran as a zero-day for 65 days before disclosure; here the squeeze is the short window between patch and enforcement, because thousands of Magento stores still run the vulnerable extension and every one is reachable without a credential.

Deep Analysis

In plain English

Magento is the software that powers hundreds of thousands of online shops, from small boutiques to large retailers. The Mirasvit CacheWarmer is an add-on tool that makes Magento stores load faster by pre-warming the page cache. A flaw discovered in that add-on allows an attacker to take complete control of a Magento store's server without needing a password, just by sending a specially crafted request. CISA, the US government's cyber agency, added the flaw to its urgent-action list on 3 June and gave US government agencies until 6 June to fix it. Security firms spotted active attacks in the US, UK, France and Australia, meaning criminals were already exploiting the hole while most shop owners were still unaware.

Root Causes

Magento's extension ecosystem lacks a mandatory security-review gate before publication; the Marketplace review process checks for code quality and compatibility, not for exploitable PHP deserialisation or object injection patterns. Mirasvit's CacheWarmer module passes user-supplied cookie data through PHP's `unserialize()` without type-checking, a class of flaw the OWASP Top 10 A08 (Software and Data Integrity Failures) has identified since 2017.
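The cookie-borne serialised-object pattern described above leaves a recognisable trace in access logs, which a defender can screen for while patching is in progress. The following Python is an added example, not code from the article, Mirasvit or Magento; the log line format, the cookie name `CacheWarmer` and the class names in the sample are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic): method, path, status
# and the raw Cookie header, which is where the article says the payload arrives.
# The cookie name "CacheWarmer" is an assumption taken from the article's wording.
SAMPLE_LOG = """\
GET /catalog/category/view/id/12 200 "store=default; CacheWarmer=1"
GET /checkout/cart 200 "CacheWarmer=O%3A8%3A%22Demo_Obj%22%3A1%3A%7Bs%3A1%3A%22x%22%3Bs%3A3%3A%22abc%22%3B%7D"
GET /customer/account 302 "form_key=abc123; CacheWarmer=a%3A1%3A%7Bi%3A0%3Bs%3A4%3A%22warm%22%3B%7D"
GET / 200 "CacheWarmer=C%3A9%3A%22Warm_Stub%22%3A0%3A%7B%7D"
"""

LOG_RE = re.compile(r'^(?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) "(?P<cookies>[^"]*)"$')
# PHP's serialize() marks objects as O:<len>:"<class>": and objects with custom
# serialisation as C:<len>:"<class>":. Scalars (s:, i:, b:) and plain arrays (a:)
# are not object-injection vectors by themselves, so only O: and C: tokens are
# flagged. This is a heuristic: a string body could contain the same text.
PHP_OBJECT_RE = re.compile(r'(?:^|[;{])(?:O|C):\d+:"[^"]+":')
CLASS_RE = re.compile(r'(?:O|C):\d+:"([^"]+)":')

def parse_cookies(header):
    """Split a raw Cookie header into a dict, URL-decoding each value."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out[name] = unquote(value)
    return out

def serialized_object_classes(value):
    """Return the PHP class names referenced by object tokens in a cookie value."""
    return CLASS_RE.findall(value)

def flag_object_injection_attempts(log_text, cookie_name="CacheWarmer"):
    """Return (path, class_names) for requests whose cookie carries a PHP object."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed log format
        value = parse_cookies(m.group("cookies")).get(cookie_name, "")
        if PHP_OBJECT_RE.search(value):
            hits.append((m.group("path"), serialized_object_classes(value)))
    return hits

if __name__ == "__main__":
    for path, classes in flag_object_injection_attempts(SAMPLE_LOG):
        print(f"serialised object in CacheWarmer cookie on {path}: {classes}")
```

A hit only shows that an object was offered to the extension, not that code ran; confirm on the server by checking whether the affected version is still installed and reviewing the named classes.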

The nine-day patch-to-exploitation window also reflects the Exploit Prediction Scoring System (EPSS) dynamic: a CVSS 9.8 unauthenticated RCE in a widely deployed caching extension generates automated proof-of-concept scripts within 72 hours of public disclosure, compressing the EPSS-predicted 85th-percentile exploitation window from approximately 30 days to under a week for high-visibility targets.

What could happen next?

  • Risk (Immediate · Assessed): Magento stores running the unpatched Mirasvit CacheWarmer extension remain exposed to complete server compromise enabling card-data exfiltration and persistent backdoor installation.
  • Precedent (Medium term · Suggested): CISA's nine-day patch-to-federal-mandate window for a third-party extension CVE sets a new enforcement benchmark that may extend to private-sector critical e-commerce infrastructure under future regulation.
  • Consequence (Short term · Suggested): Extension vendors in the Magento ecosystem face commercial pressure to accelerate security review cycles; those unable to do so may face delisting from the Adobe Marketplace under tightened vetting triggered by incidents like CVE-2026-45247.
First Reported In

Update #6 · The 2024 patch that is breaking now (CISA, 7 Jun 2026)
Different Perspectives
Australian Cyber Security Centre (ACSC)
Australia's 18 of 95 May ransomware victims, nearly 19 per cent of global disclosed attacks against 0.3 per cent of global GDP, reflects end-of-life Windows Server concentration in healthcare, under-resourced national incident-response capacity, and time-zone isolation that slows vendor-assisted containment during peak attack windows.
Europol / international law enforcement
Operation Saffron's 27-country coordination set a new geographic breadth record for criminal-infrastructure seizure. The absence of an arrest alongside the server seizures limits durable impact: VPNLab.net and DoubleVPN precedents show gangs reconstitute on alternative hosts within two to four weeks.
UK Parliament (Cyber Security and Resilience Bill)
The Bill reaches Commons Report Stage on 10 June with penalties up to 4 per cent of global turnover. Qilin's NHS Synnovis attack in June 2024 and INC_RANSOM's Stuga Machinery posting on 5 June give the legislation a domestic evidence base connecting KEV-class exposure directly to UK CNI and supply-chain targeting.
German BSI / EU enterprise operator perspective
The 17-month lag between Oracle's January 2024 WebLogic patch and active exploitation confirms that CVSS 7.5 keeps a flaw below emergency-patch thresholds in most programmes, even when T3/IIOP exploitation is a documented recurring chain. BSI's T3/IIOP disablement guidance offers a network-layer mitigation that survives Oracle's quarterly patch cycle without requiring unscheduled downtime.
ENISA / EU cybersecurity regulator
NIS360's risk-zone designations for water and rail, following NCAF 2.0 in April, give member-state authorities a documented enforcement basis under NIS2. Fine ceilings at EUR 10 million cover essential entities; sub-threshold municipal water operators fall outside that scope, so designation without sector-level funding creates a perverse incentive to defer rather than remediate.
US federal CISO (FCEB agency)
Four staggered June deadlines covered WebLogic middleware, Linux containers, Android device fleets and Magento storefronts in a single fortnight, forcing triage that exposes whichever stack ranks lowest. CISA's proposed $707 million budget cut alongside this enforcement acceleration creates a direct credibility gap: the mandate grows while the capacity to sustain it shrinks.