
HARDENED
Cybersecurity Intelligence
Daily Briefing  ·  Friday, June 5, 2026  ·  hardened.news
>  The signal. Not the noise.    For teams that defend.
Lead Story
Critical · Active Exploitation · Enterprise · Dev
A third-party Magento cache plugin is handing attackers full store takeover — CVE-2026-45247 is unauthenticated RCE, and it is already being exploited
The Mirasvit Full Page Cache Warmer extension deserializes an attacker-controlled cookie on ordinary storefront requests, turning a single unauthenticated HTTP request into remote code execution; CISA added the flaw to its Known Exploited Vulnerabilities catalogue on June 3 after researchers observed live attacks.

CVE-2026-45247 sits in Mirasvit’s Full Page Cache Warmer, a popular third-party Magento and Adobe Commerce extension. On a normal storefront request, the extension hands the contents of a client-supplied CacheWarmer cookie to PHP’s unserialize() without restricting which classes may be instantiated (the allowed_classes option is not used), so unserialize() will reconstruct any class the application can autoload from attacker-controlled data. An attacker can then chain Magento’s existing gadget classes into remote code execution with no login, no admin rights, and no special configuration. It carries a CVSS score of 9.8 (critical). Sansec counts roughly 6,000 stores running Mirasvit extensions, and Imperva reports live exploitation against retail and other sites. The Hacker News → Imperva →

A compromised storefront is the worst case for a merchant: attackers can plant card skimmers, steal customer and order data, and pivot deeper into payment infrastructure, all while the site looks normal. Mirasvit shipped the fix in version 1.11.12 on May 25, but unpatched stores remain exposed and, given the KEV listing, are being hunted now. SecurityWeek →

→ Key Takeaway
This is a confirmed, actively exploited, unauthenticated RCE in a widely installed Magento extension — the kind of flaw that ends in card-skimming and customer-data theft on a live storefront. The patch (Mirasvit 1.11.12) shipped May 25, so any store still on an earlier version should be treated as potentially already compromised. Action: Ask your e-commerce or web team to confirm Mirasvit Full Page Cache Warmer is on 1.11.12 or later, and to hunt for the exploit indicator — incoming CacheWarmer cookies whose base64 value starts with Tz, Qz, or YT (the base64 encodings of the serialized-PHP type tags O:, C:, and a:) — across recent web logs. On any store that was exposed before patching, also review storefront JavaScript and recently modified files for skimmer code.
CVE Watch
CVE-2026-49975 (HTTP/2 Bomb): A Single Connection Can Exhaust a Web Server’s Memory in Seconds — Major Servers Only Partly Patched

CVE-2026-49975, disclosed June 3 by Calif and nicknamed the HTTP/2 Bomb, abuses default HTTP/2 behaviour. HPACK’s dynamic header-compression table is per connection and 4,096 bytes by default, so an attacker can seed it with one large entry and then send thousands of one-byte indexed references to that entry while holding the flow-control window open; each reference costs the attacker a single byte but obliges the server to materialise and retain another full copy of the header until the request is processed. Calif reports that a single residential connection can exhaust roughly 32 GB of RAM in about 10 seconds, with amplification of several thousand to one, and estimates more than 880,000 sites run vulnerable default configurations across NGINX, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora. The flaw was surfaced with help from OpenAI’s Codex; nginx fixed it in 1.29.8 (adding a max_headers limit) and Apache shipped a mod_http2 update, but IIS, Envoy, and Cloudflare Pingora had no fix at disclosure. No in-the-wild exploitation is confirmed, but a public proof-of-concept exists, so apply the available patches and cap HTTP/2 header counts where you can. Bleeping Computer → oss-security →

Product: NGINX / Apache httpd / IIS / Envoy / Cloudflare Pingora  ·  CVE: CVE-2026-49975  ·  CVSS: 7.5 (denial-of-service impact); some trackers list 9.8 with a confidentiality/integrity vector that does not fit a memory-exhaustion DoS — confirm against NVD  ·  Attack Vector: Network (unauthenticated, HTTP/2)  ·  Affected: Default HTTP/2 configurations of the servers above  ·  Fix: nginx 1.29.8, Apache mod_http2 update; IIS / Envoy / Cloudflare Pingora unpatched at disclosure  ·  Status: Public PoC and disclosure (June 3, 2026); no confirmed in-the-wild exploitation
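To make the amplification concrete, the following is an added example, not Calif’s proof of concept and not code from any of the servers named above. It implements the two HPACK representations the attack needs (RFC 7541’s literal-with-incremental-indexing and indexed header field, without Huffman coding or the static table) and a decoder that retains every header the way a server must in order to route the request. It does not model the flow-control half of the attack, and the max_headers cap is modelled from the briefing’s description of the nginx fix rather than copied from nginx. The sizes (a 4,000-byte value, 10,000 references) are chosen here to fit the 4,096-byte default dynamic table and are not Calif’s figures.

```python
from typing import List, Tuple

STATIC_TABLE_SIZE = 61     # RFC 7541 Appendix A: dynamic-table indices start at 62
ENTRY_OVERHEAD = 32        # RFC 7541 4.1: entry size = len(name) + len(value) + 32
DEFAULT_TABLE_SIZE = 4096  # SETTINGS_HEADER_TABLE_SIZE default

def encode_int(value: int, prefix_bits: int, flags: int = 0) -> bytes:
    """RFC 7541 5.1: integer with an N-bit prefix; `flags` are the high bits of byte 0."""
    limit = (1 << prefix_bits) - 1
    if value < limit:
        return bytes([flags | value])
    out = [flags | limit]
    value -= limit
    while value >= 128:
        out.append((value % 128) | 0x80)
        value //= 128
    out.append(value)
    return bytes(out)

def decode_int(buf: bytes, pos: int, prefix_bits: int) -> Tuple[int, int]:
    limit = (1 << prefix_bits) - 1
    value, pos = buf[pos] & limit, pos + 1
    if value < limit:
        return value, pos
    shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos

def encode_str(s: bytes) -> bytes:
    return encode_int(len(s), 7) + s         # H bit 0: raw octets, no Huffman coding

def decode_str(buf: bytes, pos: int) -> Tuple[bytes, int]:
    if buf[pos] & 0x80:
        raise ValueError("Huffman-coded strings not modelled")
    n, pos = decode_int(buf, pos, 7)
    return buf[pos:pos + n], pos + n

def literal_with_indexing(name: bytes, value: bytes) -> bytes:
    """6.2.1: '01' prefix, name index 0 (name sent literally), then the two strings."""
    return encode_int(0, 6, 0x40) + encode_str(name) + encode_str(value)

def indexed(index: int) -> bytes:
    """6.1: '1' prefix + 7-bit index; index 62 (newest dynamic entry) is the single byte 0xBE."""
    return encode_int(index, 7, 0x80)

def decode_header_block(block: bytes, max_headers: int = 0,
                        table_size: int = DEFAULT_TABLE_SIZE) -> List[Tuple[bytes, bytes]]:
    """Decode a header block, retaining every header as a server must. max_headers=0 is
    the unbounded default; a positive value models a per-request header-count cap."""
    dynamic: List[Tuple[bytes, bytes]] = []
    dyn_size, headers, pos = 0, [], 0
    while pos < len(block):
        b = block[pos]
        if b & 0x80:                                     # indexed header field
            idx, pos = decode_int(block, pos, 7)
            i = idx - STATIC_TABLE_SIZE - 1
            if idx <= STATIC_TABLE_SIZE or i >= len(dynamic):
                raise ValueError("index outside the modelled dynamic table")
            entry = dynamic[i]
        elif b & 0x40:                                   # literal with incremental indexing
            name_idx, pos = decode_int(block, pos, 6)
            if name_idx:
                raise ValueError("indexed names not modelled")
            name, pos = decode_str(block, pos)
            value, pos = decode_str(block, pos)
            entry = (name, value)
            dynamic.insert(0, entry)
            dyn_size += len(name) + len(value) + ENTRY_OVERHEAD
            while dyn_size > table_size:                 # 4.4: evict oldest entries
                n, v = dynamic.pop()
                dyn_size -= len(n) + len(v) + ENTRY_OVERHEAD
        else:
            raise ValueError("other representations not modelled")
        headers.append(entry)
        if max_headers and len(headers) > max_headers:
            raise ValueError(f"header count exceeds max_headers={max_headers}")
    return headers

def bomb(value_len: int = 4000, refs: int = 10000) -> bytes:
    """One literal just under the 4 KB table limit seeds the table, then `refs` 1-byte references."""
    return literal_with_indexing(b"x", b"A" * value_len) + indexed(STATIC_TABLE_SIZE + 1) * refs

def amplification(block: bytes) -> float:
    """Bytes the server holds after decoding, per byte the attacker sent."""
    decoded = sum(len(n) + len(v) for n, v in decode_header_block(block))
    return decoded / len(block)

def accepts(block: bytes, max_headers: int) -> bool:
    """True if a decoder with this cap accepts the block, False if it rejects it."""
    try:
        decode_header_block(block, max_headers=max_headers)
        return True
    except ValueError:
        return False
```

With the defaults, bomb() is about 14 KB on the wire and decodes to 10,001 copies of a 4,001-byte header (roughly 40 MB, an amplification near 2,900:1), while the same block is rejected at the 101st header once a cap of 100 is in place; the memory the uncapped decoder holds scales linearly with the number of one-byte references, which is what the per-request cap bounds.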
Compliance Tip of the Day
NIST CSF 2.0 — DE.CM-01 — Detect: Continuous Monitoring
You Can Catch This Magento Exploit in Your Web Logs Today

NIST CSF 2.0 DE.CM-01 requires that “Networks and network services are monitored to find potentially adverse events” — and the Mirasvit attack is detectable precisely there, because the exploit rides an ordinary storefront request carrying a malicious CacheWarmer cookie. Monitoring that flags anomalous cookies and deserialization payloads at the web tier turns an active RCE campaign from invisible into something your team can find and block. Action: Have your security team search WAF and web-server logs for CacheWarmer cookies with base64 values beginning Tz, Qz, or YT, and alert on PHP object-injection patterns in inbound requests. Check first that the Cookie header is actually being recorded: the default combined log format omits it, so the hunt may need WAF or reverse-proxy logs, or a custom LogFormat that captures it. NIST CSF 2.0 reference: csf.tools/de-cm-01 →
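A log hunt for the indicator described in the Key Takeaway above and in this tip, as an added example that is not part of the briefing and not tooling from Mirasvit, Sansec or Imperva. It assumes a combined-format access log with the Cookie header appended as a final quoted field (a common LogFormat customisation); the sample lines and the Example\Gadget class name are constructed placeholders, not a real gadget chain. Beyond matching the Tz/Qz/YT prefixes the briefing cites, it base64-decodes the value to separate a serialized object (O:/C:, what a gadget chain needs) from a serialized array (a:), on the assumption, ours and not the briefing’s, that the extension’s own cookie may legitimately hold an array.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import quote, unquote

# A serialized PHP value starts with a type tag: O: (object), C: (class
# implementing Serializable), a: (array). Base64 of those two bytes is
# Tz, Qz or YT, the indicator the briefing cites.
B64_PREFIXES = ("Tz", "Qz", "YT")
# An O:/C: tag at the start of the value or nested inside an array.
# Assumption: the extension's own cookie may legitimately be a serialized
# array, so an object is the stronger signal of a gadget chain.
PHP_OBJECT_TAG = re.compile(rb'(?:^|[{;:])[OC]:\d+:"')
COOKIE_RE = re.compile(r'(?:^|;\s*)CacheWarmer=([^;\s"]+)')


@dataclass
class Hit:
    client: str
    request: str
    prefix: str        # base64 prefix that matched, "" if only the decode matched
    has_object: bool   # O:/C: tag present in the decoded value
    decoded: bytes


def _b64decode_lenient(value: str) -> bytes:
    """Decode base64 that may have lost its padding; return b"" on garbage."""
    value += "=" * (-len(value) % 4)
    try:
        return base64.b64decode(value, validate=False)
    except (binascii.Error, ValueError):
        return b""


def scan_line(line: str) -> Optional[Hit]:
    """Return a Hit when the line carries a CacheWarmer cookie that looks serialized."""
    m = COOKIE_RE.search(line)
    if not m:
        return None
    value = unquote(m.group(1))            # cookies are often URL-encoded (%3D for '=')
    prefix = next((p for p in B64_PREFIXES if value.startswith(p)), "")
    decoded = _b64decode_lenient(value)
    has_object = bool(PHP_OBJECT_TAG.search(decoded))
    if not prefix and not has_object:
        return None
    client = line.split(" ", 1)[0]
    request = line.split('"')[1] if line.count('"') >= 2 else ""
    return Hit(client, request, prefix, has_object, decoded)


def scan(log_text: str) -> List[Hit]:
    return [h for h in map(scan_line, log_text.splitlines()) if h]


# Constructed sample log: combined format with the Cookie header appended as a
# final quoted field. Example\Gadget is a placeholder, not a real Magento gadget.
def _line(ip: str, path: str, cookie: str) -> str:
    return (f'{ip} - - [04/Jun/2026:02:11:09 +0000] "GET {path} HTTP/1.1" 200 8812 '
            f'"-" "Mozilla/5.0" "{cookie}"')


FAKE_GADGET = b'O:14:"Example\\Gadget":1:{s:4:"path";s:8:"/tmp/xyz";}'
LEGIT_ARRAY = b'a:1:{s:4:"page";s:1:"/";}'   # what a benign extension cookie might hold

SAMPLE_LOG = "\n".join([
    _line("203.0.113.7", "/catalog/product/view/id/42",
          "frontend=abc123; CacheWarmer=" + quote(base64.b64encode(FAKE_GADGET).decode())),
    _line("198.51.100.4", "/",
          "frontend=def456; CacheWarmer=" + base64.b64encode(LEGIT_ARRAY).decode()),
    _line("192.0.2.9", "/checkout/cart", "frontend=ghi789; CacheWarmer=Zm9v"),   # base64("foo")
    _line("192.0.2.10", "/customer/account", "frontend=jkl012"),                 # no CacheWarmer cookie
])

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        level = "HIGH" if hit.has_object else "review"
        print(f"[{level}] {hit.client} {hit.request} prefix={hit.prefix} {hit.decoded[:48]!r}")
```

Run against the constructed sample, the first line is reported as HIGH (an object in the cookie), the second as review (a serialized array, which warrants a look at what the extension normally sends), and the last two produce nothing. Against real logs, feed scan() the relevant time window and pivot on the client addresses of HIGH hits in your WAF and server logs.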

On Our Radar

UEFI Secure Boot KEK certificate expiry — June 24, 2026 (19 days): Microsoft’s Microsoft Corporation KEK CA 2011 certificate expires June 24; the Microsoft Corporation UEFI CA 2011 follows June 27; the Microsoft Windows Production PCA 2011 expires in October 2026. Organizations with dual-boot Linux configurations or air-gapped systems not receiving automatic firmware updates should confirm remediation plans now. Tracking since Issue #039. Microsoft Support →


This newsletter does not constitute professional security advice. Security configurations and threat landscapes vary by organization. Consult a qualified security professional for implementation guidance specific to your environment.

How we work: HARDENED uses AI agents for research, drafting, and automation. Every issue is reviewed by humans before publication. If you spot an error, reply directly — we correct the record promptly.
