Cybersecurity: Threats and Defences · 14 June

Magento RCE forces 9-day patch race

11:51 UTC

CISA listed CVE-2026-45247, a CVSS 9.8 unauthenticated flaw in Magento's Mirasvit Cache Warmer, on 3 June and gave federal agencies until 6 June, nine days after Adobe's patch. Sansec and Imperva logged live attacks on retail sites in the US, UK, France and Australia.

Key takeaway

An unauthenticated CVSS 9.8 Magento flaw is under active attack, with a federal patch deadline nine days after the fix.

CISA, the US Cybersecurity and Infrastructure Security Agency, added CVE-2026-45247 to its Known Exploited Vulnerabilities (KEV) catalogue on 3 June 2026, setting a 6 June deadline for Federal Civilian Executive Branch (FCEB) agencies. The flaw carries a CVSS (Common Vulnerability Scoring System) score of 9.8 and needs no login, so any unpatched store is reachable from the open internet without credentials.

The bug sits in the Mirasvit Full Page Cache Warmer extension for Magento 2 and Adobe Commerce, the open-source PHP e-commerce platform that powers hundreds of thousands of online shops. A crafted serialised object in the CacheWarmer cookie triggers PHP object injection and Remote Code Execution, running attacker code on the server [1]. Sansec and Imperva logged active attacks against gaming and business sites in the United States, the United Kingdom, France and Australia [2].

Nine days separated Adobe's 25 May fix from the KEV listing, so defenders had barely a working week before the mandate bit. CISA used the same forcing function in April when it listed a 17-year-old Office remote-code-execution bug as actively exploited, showing that the catalogue triggers on exploitation rather than age. The earlier cPanel flaw, by contrast, ran as a zero-day for 65 days before disclosure; here the squeeze is the short window between patch and enforcement, because thousands of Magento stores still run the vulnerable extension and every one is reachable without a credential.

Deep Analysis

In plain English

Magento is the software that powers hundreds of thousands of online shops, from small boutiques to large retailers. The Mirasvit CacheWarmer is an add-on tool that makes Magento stores load faster by pre-warming the page cache. A flaw discovered in that add-on allows an attacker to take complete control of a Magento store's server without needing a password, just by sending a specially crafted request. CISA, the US government's cyber agency, added the flaw to its urgent-action list on 3 June and gave US government agencies until 6 June to fix it. Security firms spotted active attacks in the US, UK, France and Australia, meaning criminals were already exploiting the hole while most shop owners were still unaware.

Root Causes

Magento's extension ecosystem lacks a mandatory security-review gate before publication; the Marketplace review process checks for code quality and compatibility, not for exploitable PHP deserialisation or object injection patterns. Mirasvit's CacheWarmer module processes user-supplied cookie data through PHP's unserialize() pathway without type-checking, a class of flaw the OWASP Top 10 A08 (Software and Data Integrity Failures) has identified since 2017.
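To make the root cause concrete, the following is an added example (not Mirasvit's, Magento's or Adobe's code) that puts the weak cookie-handling pattern described above beside two hardened forms: one that keeps unserialize() but forbids object instantiation and rejects nested object tokens, and one that drops PHP serialisation for signed JSON. The cookie name, state fields and HMAC key are hypothetical placeholders.

```php
<?php
// Added example of the bug class described above, not Mirasvit's code.
// Cookie name 'warmer_state' and the HMAC key are hypothetical placeholders.
declare(strict_types=1);

// Weak pattern: the raw cookie goes straight into unserialize(), so a visitor
// can instantiate any loaded class and have its __wakeup()/__destruct() run.
function readWarmerStateUnsafe(array $cookies): mixed
{
    return unserialize($cookies['warmer_state'] ?? '');
}

// Hardened pattern 1: allowed_classes=false turns every O:/C: token into
// __PHP_Incomplete_Class, so no magic methods fire. Reject anything that is
// not a plain array of scalars (array_walk_recursive visits nested leaves).
function readWarmerStateSafe(array $cookies): ?array
{
    $data = @unserialize($cookies['warmer_state'] ?? '', ['allowed_classes' => false]);
    if (!is_array($data)) {
        return null;
    }
    $hasObject = false;
    array_walk_recursive($data, function ($leaf) use (&$hasObject): void {
        $hasObject = $hasObject || is_object($leaf);
    });
    return $hasObject ? null : $data;
}

// Hardened pattern 2 (preferred for new code): a scalar-only encoding plus an
// HMAC, so the client cannot forge state at all and unserialize() is never used.
function encodeWarmerState(array $state, string $key): string
{
    $json = json_encode($state, JSON_THROW_ON_ERROR);
    return base64_encode($json) . '.' . hash_hmac('sha256', $json, $key);
}

function decodeWarmerState(string $cookie, string $key): ?array
{
    [$b64, $mac] = array_pad(explode('.', $cookie, 2), 2, '');
    $json = base64_decode($b64, true);
    if ($json === false || !hash_equals(hash_hmac('sha256', $json, $key), $mac)) {
        return null; // malformed or tampered: treat as absent
    }
    $data = json_decode($json, true, 8);
    return is_array($data) ? $data : null;
}
```

Pattern 1 is the minimal retrofit for an existing module; pattern 2 removes the deserialisation sink entirely, which is what the OWASP A08 guidance cited above recommends.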

The nine-day patch-to-exploitation window also reflects the Exploit Prediction Scoring System (EPSS) dynamic: a CVSS 9.8 unauthenticated RCE in a widely deployed caching extension generates automated proof-of-concept scripts within 72 hours of public disclosure, compressing the EPSS-predicted 85th-percentile exploitation window from approximately 30 days to under a week for high-visibility targets.

What could happen next?
  • Risk (Immediate · Assessed): Magento stores running the unpatched Mirasvit CacheWarmer extension remain exposed to complete server compromise enabling card-data exfiltration and persistent backdoor installation.
  • Precedent (Medium term · Suggested): CISA's nine-day patch-to-federal-mandate window for a third-party extension CVE sets a new enforcement benchmark that may extend to private-sector critical e-commerce infrastructure under future regulation.
  • Consequence (Short term · Suggested): Extension vendors in the Magento ecosystem face commercial pressure to accelerate security review cycles; those unable to do so may face delisting from the Adobe Marketplace under tightened vetting triggered by incidents like CVE-2026-45247.
First Reported In

Update #6 · The 2024 patch that is breaking now

CISA · 7 Jun 2026
Different Perspectives
Beijing-aligned attribution sceptics
CNCERT has noted that Western KEV ransomware-risk flags on DoS-only flaws such as Serv-U CVE-2026-28318 conflate disruption capability with breach capability, and that CJEU referrals for NIS2 non-transposition create compliance obligations that presuppose software-patchable architectures the Arista case shows are not universal.
Enterprise security buyers
Three successive KEV cycles in which federal deadlines precede, exceed or are refused by vendor patches require buyers to re-weight patch-SLA contractual terms: the KEV deadline is now the planning constraint, not the vendor advisory, and procurement due diligence must cover whether a hardware platform is even patchable in principle.
Check Point
Check Point disclosed CVE-2026-50751 and shipped a hotfix on 8 June, roughly 30 days after exploitation had begun, with a Qilin affiliate already inside at least one victim. Its delayed disclosure on a CVSS 9.3 perimeter bypass leaves customers to absorb a month-long pre-patch exposure window under CISA's three-day federal deadline.
European Commission and ENISA
NIS2 full personal-liability enforcement from 1 June and CJEU referrals against laggard member states represent the sharpest regulatory escalation in EU cyber history, backed by ENISA NIS360 sector-maturity evidence naming water, rail and waste water as the priority enforcement targets. NCAF 2.0 and NIS360 function as audit instruments rather than political signals.
UK NCSC
The NCSC issued the Dutch NCSC's imminent-abuse warning on the Check Point flaw in the same fortnight its sponsoring legislation cleared the Commons, widening incident-reporting duties to cover attacker pre-positioning. The payment-reporting gap left by the CS&R Bill means the NCSC continues to rely on voluntary Early Warning submissions for ransomware economics data.
US Federal CISO community
Federal CISOs face three active compliance obligations without a clean resolution: a three-day Check Point deadline met with a hotfix, a 23 June Arista deadline partially met with ACLs only, and a 16-day Exchange overrun still being fully remediated. BOD 22-01 is operating as an urgency signal but not as a vendor-cooperation mechanism.