Magento Mirasvit CVE-2026-45247: NC E-Commerce SMB Plan

CISA added Magento Mirasvit CVE-2026-45247 (CVSS 9.8) to KEV June 3, 2026. NC SMB e-commerce patch and Magecart defense. Call (336) 886-3282.


TL;DR: On June 3, 2026, CISA added CVE-2026-45247 to its Known Exploited Vulnerabilities catalog, a CVSS 9.8 unauthenticated remote code execution flaw in the Mirasvit Full Page Cache Warmer extension for Magento and Adobe Commerce. An attacker submits a crafted CacheWarmer cookie and executes arbitrary PHP on the storefront, with no login, no admin path, and no warning. The federal patch deadline under BOD 22-01 is June 6, 2026, and Imperva has confirmed active in-the-wild exploitation against business and gaming sites in the US, UK, France, and Australia. For NC e-commerce SMBs, especially the Piedmont Triad's furniture, textile, and home-goods sellers who rely on Magento, this is a Magecart-class incident that doubles as a PCI-DSS exposure.

Key takeaway: A pre-auth RCE on a Magento storefront is a direct path to a card skimmer and a PCI-DSS breach. CVSS 9.8, no auth, no clicks, full PHP execution. Patched-by-June-6 is the only defensible posture.

Need a Magento patch and Magecart sweep this week? Preferred Data Corporation runs e-commerce incident response sprints for NC small businesses. Call (336) 886-3282 or request an e-commerce patch sprint.

What is Magento Mirasvit CVE-2026-45247?

CVE-2026-45247 is a critical pre-authentication PHP object injection vulnerability in the Mirasvit Full Page Cache Warmer extension for Magento and Adobe Commerce. Per Sansec's May 26, 2026 research disclosure, the flaw is triggered by a specially crafted CacheWarmer cookie that the extension deserializes without validation, allowing the attacker to execute arbitrary PHP in the context of the web server.

Three details define the blast radius:

  • CVSS 9.8 (Critical). Network-reachable, no privileges required, no user interaction, per The Hacker News coverage of the KEV addition.
  • Pre-auth. The attacker does not need a customer account, an admin login, or any prior access; the exploit fires on any HTTP request that reaches the cache warmer logic.
  • Storefront compromise equals payment-page compromise. PHP execution as the web server user on a Magento checkout host yields web shell deployment, admin user creation, database export, and most consequentially, Magecart-style payment card skimmer injection.

Mirasvit patched the flaw in version 1.11.12, released May 25, 2026, one day before public disclosure. CISA's June 3, 2026 KEV addition set the federal civilian patch deadline at June 6, 2026 under BOD 22-01, and while BOD 22-01 binds federal agencies, the KEV catalog is the de facto SMB patch list for any business carrying cyber insurance or processing card payments.

Why is a Magento storefront RCE catastrophic for an NC e-commerce SMB?

Because the Piedmont Triad is the home of NC's furniture, textile, and home-goods e-commerce sector, and a large share of those storefronts run on Magento or Adobe Commerce with third-party extensions like Mirasvit's. Three patterns concentrate the risk for High Point, Greensboro, Winston-Salem, Charlotte, and Raleigh sellers:

  • PHP execution on the checkout host means card data is in reach. Even if PCI-DSS scope is limited via tokenization or a hosted payment iframe, a server-side PHP shell can rewrite the checkout template, inject a Magecart skimmer that captures the iframe input via DOM tricks, or redirect users to an attacker-controlled checkout.
  • Magento extensions are a documented supply chain weak point. Per Sansec's research, unsafe PHP object deserialization in third-party Magento modules has been a recurring class of pre-auth RCE for years, and most NC SMB Magento installs run between 10 and 40 third-party extensions across catalog, search, SEO, performance, and payments.
  • A confirmed card-data breach triggers PCI-DSS forensic obligations and state notification. Under PCI-DSS 4.0.1, a suspected compromise of cardholder data requires a PFI (PCI Forensic Investigator) engagement, and under NC's Identity Theft Protection Act (N.C. Gen. Stat. § 75-65), NC residents must be notified without unreasonable delay. PFI engagements routinely run six figures even for SMBs.

For an NC furniture e-commerce SMB doing $5M-$50M in online revenue, a card skimmer running for even two weeks can produce thousands of compromised cards, a card-brand fine, a payment processor that drops you to a higher-risk merchant category, and a PCI Level escalation that adds quarterly external scans and annual on-site assessment to the compliance load.

How do I check if my NC store runs the Mirasvit Cache Warmer?

Use this checklist on every Magento or Adobe Commerce storefront you operate. If you are not the technical admin, send this to your developer or Preferred Data Corporation and ask for written confirmation today.

  • Check: Is the Mirasvit Full Page Cache Warmer extension installed? Where to look: Magento admin → Stores → Configuration → Mirasvit, or composer show | grep mirasvit. Exposed if: any mirasvit/module-cache-warmer entry is present.
  • Check: What version is running? Where to look: composer show mirasvit/module-cache-warmer, or the extension settings page. Exposed if: anything below 1.11.12.
  • Check: Was the patch applied on or after May 25, 2026? Where to look: server file mtime on the module, composer.lock timestamp, deployment log. Exposed if: any earlier date.
  • Check: Do server access logs show CacheWarmer cookies from unfamiliar IPs? Where to look: web server access logs (Nginx, Apache, Varnish). Exposed if: any inbound request with a CacheWarmer cookie from a non-internal IP since May 26, 2026.
  • Check: Are there unexpected PHP files in pub/, var/, or media/? Where to look: file system audit, find . -name "*.php" -mtime -30. Exposed if: new PHP files in writable directories; these warrant a web shell hunt.

A fast self-check from the server CLI: composer show mirasvit/module-cache-warmer returns the installed version. If it is below 1.11.12, the storefront is exposed and was likely exposed during the active exploitation window confirmed by Imperva.
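The three CLI items in the checklist (installed version against the 1.11.12 fix, CacheWarmer cookies arriving from outside the private network, PHP files recently written into pub/) can be scripted together. This is an added example, not tooling from Preferred Data Corporation or Mirasvit; it assumes an access log format that appends the request's cookie header in quotes after the standard combined fields, and the sample log and directory are constructed so it runs offline.

```shell
#!/bin/sh
# Added example: Mirasvit Cache Warmer self-check. Assumes $http_cookie is the last
# quoted field of each access-log line; adjust the awk field if your format differs.

# version_lt A B: exit 0 when dotted version A sorts before B (1.11.9 < 1.11.12)
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1
  }'
}

# cache_warmer_status VERSION: "exposed" below the 1.11.12 fix, else "patched"
cache_warmer_status() {
  if version_lt "$1" "1.11.12"; then echo exposed; else echo patched; fi
}

# suspicious_cachewarmer_hits LOGFILE: client IPs that sent a CacheWarmer cookie
# from outside RFC 1918 / loopback space (your own warmer normally runs inside)
suspicious_cachewarmer_hits() {
  awk '/CacheWarmer=/ && $1 !~ /^(10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/ { print $1 }' "$1" \
    | sort -u
}

# recent_php_files DIR DAYS: PHP files modified in the last DAYS days (web shell hunt)
recent_php_files() {
  find "$1" -name '*.php' -mtime -"$2" -print | sort
}

# ---- constructed sample data so the checks run offline ----
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
10.0.0.5 - - [27/May/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "warmer" "CacheWarmer=1"
203.0.113.77 - - [27/May/2026:10:02:14 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.0" "CacheWarmer=xyz"
198.51.100.9 - - [27/May/2026:10:03:40 +0000] "GET /catalog HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "-"
EOF
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/pub/media" && : > "$SAMPLE_DIR/pub/media/cache.php"

cache_warmer_status "1.11.9"                # exposed (feed the composer show version here)
suspicious_cachewarmer_hits "$SAMPLE_LOG"   # 203.0.113.77
recent_php_files "$SAMPLE_DIR" 30           # .../pub/media/cache.php
```

Any IP the second check prints is a candidate for the 30-day compromise hunt described below, not proof of compromise on its own.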

What is the right response this week?

Sequence the response in three phases. The federal deadline is June 6, 2026, which means SMBs should treat the same window as binding, not aspirational.

  1. Patch every Magento and Adobe Commerce storefront by June 6, 2026 (this week). Update Mirasvit Full Page Cache Warmer to version 1.11.12 or later via Composer. Clear cache. Redeploy. If you cannot patch within 72 hours, disable the Mirasvit Cache Warmer module entirely via bin/magento module:disable Mirasvit_CacheWarmer and run bin/magento setup:upgrade until the patch can be staged.
  2. Hunt for compromise in the prior 30 days (next 48 hours). Per Imperva's exploitation timeline, in-the-wild exploitation began shortly after Sansec's May 26, 2026 disclosure and likely earlier in private use. Pull web server access logs for CacheWarmer cookie requests. Hunt for new PHP files in pub/, var/, media/, and app/code/. Diff the checkout templates against your last verified backup. Look for outbound HTTP POSTs from the storefront to unknown domains, the classic Magecart exfiltration pattern.
  3. Reduce blast radius (next 14 days). Inventory every third-party Magento extension and assign each an owner and patch cadence. Enable a web application firewall (WAF) in front of the storefront with rules for PHP object injection patterns. Restrict file write permissions on pub/, var/, and media/. Implement Subresource Integrity (SRI) on checkout-page scripts. Document the audit trail for the next PCI-DSS attestation.

Quotable definition: A pre-auth RCE in a third-party Magento extension is a supply chain vulnerability, not a Magento core vulnerability. The defensible posture is an extension inventory with a per-extension patch SLA, the same way you treat operating system patches.

How do I prevent Magecart skimmer injection after a Magento RCE?

Patching closes the exploit path, but does not undo a skimmer that was installed during the unpatched window. Three dates frame why post-patch hunting is non-negotiable:

  • CVE-2026-45247 was publicly disclosed by Sansec on May 26, 2026, with patches available May 25, 2026, per Sansec's research.
  • CISA added the CVE to KEV on June 3, 2026, eight days after public disclosure, per CISA's alert.
  • Imperva confirmed active in-the-wild exploitation against business and gaming sites in the US, UK, France, and Australia during this window, per Imperva's customer advisory.

If your storefront was unpatched at any time between May 25 and your patch date, treat the storefront as potentially compromised until a Magecart and web shell sweep confirms otherwise. Indicators to hunt include:

  • New or modified .phtml, .php, or .js files in pub/static/, pub/media/, or app/design/frontend/.
  • New admin users in Magento that you did not create, especially with generic email domains.
  • Outbound HTTPS POSTs from the web server to domains that do not match payment processor, analytics, or shipping carriers.
  • Base64-encoded blobs in checkout-related JavaScript that were not there in your last clean release.
  • Modified index.php or pub/index.php with prepended PHP that re-includes a remote URL.
  • Database core_config_data rows that reference unfamiliar external URLs.
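Two of the indicators above, scripts calling hosts outside your known integrations and long base64 runs in checkout JavaScript, can be swept mechanically against a deployed bundle. This is an added example, not code from the page's authors; the allowlist entries and the sample checkout file are constructed placeholders to be replaced with your PSP, analytics and carrier hosts from the last clean release.

```shell
#!/bin/sh
# Added example: Magecart indicator sweep over a checkout script.
# ALLOWED_DOMAINS is a constructed placeholder list; fill it from your clean release.
ALLOWED_DOMAINS="checkout.example-psp.com
analytics.example.com
api.example-carrier.com"

# external_domains FILE: every hostname referenced by an http(s) URL in FILE
external_domains() {
  grep -oE 'https?://[A-Za-z0-9.-]+' "$1" | sed -E 's#^https?://##' | sort -u
}

# unknown_domains FILE: hostnames in FILE that are not on the allowlist
unknown_domains() {
  external_domains "$1" | while read -r host; do
    printf '%s\n' "$ALLOWED_DOMAINS" | grep -qxF "$host" || printf '%s\n' "$host"
  done
}

# base64_blob_count FILE: number of opaque base64-looking runs of 80+ characters,
# the "blob that was not there in the last clean release" indicator
base64_blob_count() {
  grep -oE '[A-Za-z0-9+/]{80,}={0,2}' "$1" | wc -l | tr -d ' '
}

# ---- constructed sample: one legitimate PSP call, one foreign script host,
# one long opaque string (an ordinary alphabet run standing in for a real blob) ----
SAMPLE_JS=$(mktemp)
cat > "$SAMPLE_JS" <<'EOF'
fetch("https://checkout.example-psp.com/v1/token", {method: "POST"});
var cfg = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij";
var s = document.createElement("script"); s.src = "https://static.bad-example.invalid/loader.js";
EOF

unknown_domains "$SAMPLE_JS"      # static.bad-example.invalid
base64_blob_count "$SAMPLE_JS"    # 1
```

Run it over every file under pub/static/ that the checkout page loads and diff the output against the same run on your last verified backup.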

What does PCI-DSS require after a Magento compromise?

PCI-DSS 4.0.1 treats a suspected compromise of the cardholder data environment as a triggering event. Three obligations land on the merchant fast:

  • Notify the acquiring bank and card brands without delay. Most merchant agreements specify hours, not days. Failure to notify is its own contract breach.
  • Engage a PCI Forensic Investigator (PFI) if the card brands require one. For confirmed Magecart-style compromises with cardholder data exposure, PFI engagement is routine. PFI costs commonly start in the low six figures for SMB scope and can run higher depending on storefront complexity.
  • Re-attest after remediation. Even a Level 4 self-assessing merchant can be moved to a higher level after a confirmed compromise, which adds quarterly external scans (ASV scans) and potentially an annual on-site assessment.

Under North Carolina's Identity Theft Protection Act, NC residents whose payment card data was exposed must be notified without unreasonable delay, and the NC Attorney General must be notified if the breach affects 1,000 or more residents. For an e-commerce SMB with national reach, layered state notification requirements compound quickly.

The takeaway: the cost of a confirmed Magecart breach on an NC e-commerce SMB is rarely under six figures even before card-brand fines and chargebacks. The cost of a 72-hour patch window plus a one-day forensic sweep is a small fraction of that.

Want a managed partner to run a Magento patch and Magecart sweep this week? Call (336) 886-3282 or request a Magento incident response sprint.

Mirasvit CVE-2026-45247 timeline at a glance

  • May 25, 2026: Mirasvit releases patch (Cache Warmer 1.11.12). Source: Sansec research.
  • May 26, 2026: Sansec publicly discloses CVE-2026-45247. Source: Sansec research.
  • Late May 2026: Imperva observes active in-the-wild exploitation in US, UK, France, Australia. Source: Imperva advisory.
  • June 3, 2026: CISA adds CVE-2026-45247 to KEV. Source: CISA alert.
  • June 6, 2026: Federal civilian patch deadline under BOD 22-01. Source: CISA alert.

How does Preferred Data Corporation help NC e-commerce SMBs?

Preferred Data Corporation supports NC e-commerce SMBs with three things that close the Mirasvit gap quickly and keep PCI-DSS posture intact:

  • Managed cybersecurity with web application firewall tuning, Magecart hunt-team sweeps, web shell detection, 24/7 monitoring for outbound exfiltration from storefront hosts, and incident response retainer for e-commerce compromise.
  • Custom software development including secure code review of Magento extensions, DevSecOps pipelines that fail builds on known-vulnerable PHP packages, and Composer-based dependency monitoring so extension CVEs surface the day they are published.
  • Managed IT services with a documented third-party-extension patch SLA, change management for Magento deployments, and rollback playbooks so a critical patch never becomes a production outage.

PDC has supported NC small businesses, manufacturers, distributors, and home-goods sellers for over 37 years, with on-site coverage within 200 miles of High Point, which takes in the entire Piedmont Triad, Charlotte, Raleigh, and Winston-Salem metros. The combination of local context, manufacturing and retail experience, and national-grade tooling is what gets a Magento storefront patched and verified inside the CISA KEV deadline, not weeks later.

Frequently Asked Questions

Which Magento and Adobe Commerce versions are affected by CVE-2026-45247?

Per Sansec's research, the vulnerability lives in the Mirasvit Full Page Cache Warmer extension itself, not in Magento or Adobe Commerce core. Any storefront running the extension below version 1.11.12 is exposed regardless of the underlying Magento Open Source or Adobe Commerce version. The fix is updating the extension to 1.11.12 or later.

How does the CVE-2026-45247 exploit work?

Per Sansec and SecurityWeek, the attacker sends an HTTP request that includes a CacheWarmer cookie containing a serialized PHP object payload. The extension deserializes the cookie without validation, which triggers PHP object injection and lets the attacker chain "gadget" classes to execute arbitrary PHP. The result is full code execution as the web server user, no login required.

What if I cannot patch within the June 6, 2026 federal deadline?

If you cannot patch the extension in time, disable the Mirasvit Full Page Cache Warmer module entirely via bin/magento module:disable Mirasvit_CacheWarmer and run bin/magento setup:upgrade. Then deploy a WAF rule that blocks any inbound HTTP request containing a CacheWarmer cookie. These are stopgaps, not fixes. The extension still needs to be patched and re-enabled as soon as a maintenance window allows.

How do I know if my storefront has already been compromised?

Look for new PHP files in writable Magento directories (pub/, var/, media/), unexpected admin users, modified checkout JavaScript, and outbound HTTPS POSTs from the storefront host to domains outside your normal payment, analytics, and shipping integrations. Per Imperva, exploitation has been observed against business and gaming sites in the US, UK, France, and Australia, so the assumption for any unpatched NC storefront should be "compromised until proven clean," not the reverse.

Will my cyber insurance cover a CVE-2026-45247 Magecart breach?

Likely with significant scrutiny. Most 2026 cyber insurance questionnaires ask whether the insured patches CISA KEV entries within the binding deadline. With CVE-2026-45247 on KEV since June 3, 2026 and a June 6, 2026 deadline, an unpatched storefront after that date is a documented control failure. Expect requests for patch evidence, WAF logs, web server access logs, and a PFI report before any payout decision is made.

Does PCI-DSS 4.0.1 require us to disclose a Magento RCE even if no card data was confirmed stolen?

PCI-DSS 4.0.1 obligates the merchant to notify the acquiring bank and card brands of any suspected compromise of the cardholder data environment. The card brands decide whether a PFI engagement is required. A pre-auth RCE on a storefront that hosts the payment page is, by default, a suspected CDE compromise. The decision to engage a PFI is not the merchant's to make unilaterally.
