CISA Adds Exploited Magento RCE Flaw CVE-2026-45247 to KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency added a critical deserialization flaw in Mirasvit Cache Warmer to its Known Exploited Vulnerabilities catalog this week.
The extension is a popular Magento full-page cache optimizer. If you're running Magento with this plugin, you are in scope.
CVE-2026-45247 carries a CVSS score of 9.8. Deserialization of untrusted data. Remote code execution. Actively exploited.
CISA gives federal agencies until June 24 to patch or pull the systems offline. That three-week window is standard for KEV-catalogued flaws with active exploitation. The private sector should treat that as a maximum, not a recommendation.
I do not have technical details on the exploitation chain beyond the vulnerability type. Deserialization bugs in Magento extensions are not new. They typically allow an attacker to inject malicious objects that execute during unserialization, leading to full server compromise. The 9.8 CVSS confirms this is wormable or close to it.
If you are running Mirasvit Cache Warmer, verify your version against the vendor's advisory. Patch. If you cannot patch immediately, consider disabling the extension or restricting access to the admin panel at the network layer.
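One way to script that version check across a Magento root, as an added example that is not code from the vendor or CISA. The Composer package name, the module name and the two file locations are assumptions to confirm against your own install, and the fixed version is a placeholder you take from the vendor's advisory, since this page does not state it.

```python
import json, re, tempfile
from pathlib import Path

# Assumed identifiers (not stated on the page): confirm against your install.
PACKAGE = "mirasvit/module-cache-warmer"
MODULE = "Mirasvit_CacheWarmer"

def parse_version(text):
    """'v1.10.0-beta' -> (1, 10, 0); unparsable strings give ()."""
    return tuple(int(n) for n in re.findall(r"\d+", text.split("-")[0]))

def installed_version(root):
    """Version pinned in composer.lock, or None if the package is absent."""
    lock = Path(root) / "composer.lock"
    if not lock.is_file():
        return None
    data = json.loads(lock.read_text())
    for pkg in data.get("packages", []) + data.get("packages-dev", []):
        if pkg.get("name") == PACKAGE:
            return pkg.get("version")
    return None

def module_enabled(root):
    """Module flag from app/etc/config.php ('Name' => 1), or None if unlisted."""
    cfg = Path(root) / "app" / "etc" / "config.php"
    if not cfg.is_file():
        return None
    m = re.search(r"['\"]%s['\"]\s*=>\s*(\d)" % re.escape(MODULE), cfg.read_text())
    return None if m is None else m.group(1) == "1"

def assess(root, fixed_version):
    """fixed_version is the patched release named in the vendor advisory."""
    version, enabled = installed_version(root), module_enabled(root)
    if version is None and enabled is None:
        return "not-installed"
    if version is not None and parse_version(version) >= parse_version(fixed_version):
        return "patched"
    # Unknown version or unknown enabled state is treated as exposed.
    return "needs-patch-disabled" if enabled is False else "needs-patch-enabled"

def make_sample_tree(version, enabled):
    """Constructed sample Magento root so the check runs offline."""
    root = Path(tempfile.mkdtemp())
    (root / "app" / "etc").mkdir(parents=True)
    (root / "composer.lock").write_text(
        json.dumps({"packages": [{"name": PACKAGE, "version": version}]}))
    (root / "app" / "etc" / "config.php").write_text(
        "<?php\nreturn ['modules' => ['%s' => %d]];\n" % (MODULE, int(enabled)))
    return str(root)

if __name__ == "__main__":  # constructed versions, not real release numbers
    print(assess(make_sample_tree("1.0.0", True), "9.9.9"))
```

A result of `needs-patch-disabled` means the module is switched off in `config.php` but the unpatched code is still on disk, so it still needs the update before anyone re-enables it.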