What Happened
CISA added CVE-2026-45247 to its Known Exploited Vulnerabilities catalog on June 3, 2026, following confirmed active exploitation of a critical flaw in the Mirasvit Full Page Cache Warmer extension for Adobe Commerce and Magento. The vulnerability carries a CVSS score of 9.8 and is classified as a deserialization of untrusted data issue — a PHP object injection flaw that allows unauthenticated attackers to execute arbitrary code on the server.
All versions of the Mirasvit Full Page Cache Warmer extension prior to 1.11.12 are affected. With more than 150,000 installations worldwide, the extension is a widely deployed performance optimization tool across e-commerce storefronts built on Adobe Commerce and Magento. Patches were released by Mirasvit on May 25, 2026. Active exploitation is confirmed, and CISA has set a June 24, 2026 remediation deadline for U.S. federal civilian agencies. Exploitation activity is targeting gaming and business-oriented storefronts, with the United States, United Kingdom, France, and Australia among the most impacted countries.
A successful attack gives the threat actor full control over the web server process, the underlying filesystem, and any connected databases — including customer records, payment tokenization data, and stored credentials.
Why This Matters for Canadian Organizations
Canada has a large Magento and Adobe Commerce footprint across retail, specialty e-commerce, and small-to-medium business sectors. Web agencies, managed service providers, and direct operators running the Mirasvit cache warmer on behalf of clients are each exposed. An unauthenticated attacker does not need a customer account or insider knowledge of the target system — the exploit path begins from an ordinary HTTP request.
Under PIPEDA, any breach of customer personal information — including names, addresses, email addresses, and order histories held in a Magento database — triggers mandatory breach notification obligations to the Office of the Privacy Commissioner and potentially to affected individuals. A full server compromise of this nature would meet the “real risk of significant harm” threshold. Organizations operating under Quebec’s Law 25 face additional obligations with shorter notification timelines.
Canadian e-commerce operators should treat this vulnerability with the same urgency as any actively exploited authentication bypass. Do not wait for a scheduled maintenance window.
What to Do
Update the Mirasvit Full Page Cache Warmer extension to version 1.11.12 or later immediately. If you run Adobe Commerce or Magento through a hosting provider or web agency, confirm with your provider whether the extension is installed and whether it has been patched. Review web server access logs for unusual PHP execution activity, unexpected admin account creation, or anomalous database queries going back to at least May 25, 2026.
If you cannot patch immediately, consider temporarily disabling the Mirasvit cache warmer extension and replacing it with basic server-side caching until the update is applied. Block access to public-facing Magento admin endpoints from untrusted IP ranges where possible.
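To confirm whether a given storefront is still on an affected release, the following added example (not code from Mirasvit, Adobe, or the sources cited here) reads a Magento project's composer.lock and compares the installed extension version against 1.11.12. The Composer package name is an assumption and should be checked against your own lock file; the sample lock contents are constructed.

```python
import json
import re
import sys

FIXED = (1, 11, 12)  # first patched release, per the advisory above
PACKAGE = "mirasvit/module-cache-warmer"  # assumed Composer name; confirm in your own lock file

# Constructed sample lock file, used when no path is given on the command line.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "magento/framework", "version": "103.0.7"},
    {"name": PACKAGE, "version": "1.11.9"},
]})


def parse_version(text):
    """Turn '1.11.9' or 'v1.11.12' into a tuple of ints; return None for anything else."""
    if not re.fullmatch(r"v?\d+(\.\d+)*", text.strip()):
        return None  # dev-master, -beta suffixes, etc. need a manual look
    return tuple(int(part) for part in text.strip().lstrip("v").split("."))


def check_lock(lock_text, package=PACKAGE):
    """Return (status, version); status is vulnerable, patched, unknown or not-installed."""
    lock = json.loads(lock_text)
    entries = (lock.get("packages") or []) + (lock.get("packages-dev") or [])
    for entry in entries:
        if entry.get("name", "").lower() != package:
            continue
        raw = entry.get("version", "")
        version = parse_version(raw)
        if version is None:
            return "unknown", raw
        # Compare numerically: as strings, "1.11.9" would sort after "1.11.12".
        return ("vulnerable" if version < FIXED else "patched"), raw
    return "not-installed", None


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            text = handle.read()
    else:
        text = SAMPLE_LOCK
    status, found = check_lock(text)
    print(f"{PACKAGE}: {status} (installed version: {found})")
    sys.exit(1 if status in ("vulnerable", "unknown") else 0)
```

A "not-installed" result only covers Composer-managed packages; a module copied manually under app/code will not appear in composer.lock and has to be checked separately.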
Source: The Hacker News, SecurityWeek, CISA






