A critical security vulnerability now threatens thousands of e-commerce storefronts globally. Security researchers uncovered a severe Cache Warmer RCE flaw in a popular full-page cache extension. The bug impacts platforms running Magento and Adobe Commerce, so online merchants must act quickly to protect their financial infrastructure.
Understanding the Vulnerability Mechanics
The flaw, tracked as CVE-2026-45247, holds a critical severity rating of 9.8. Attackers can exploit it by manipulating standard visitor cookies. According to Sansec, “Any storefront request carrying a crafted Cache Warmer cookie reaches PHP’s native unserialize() on attacker-controlled data”. The extension therefore deserializes client-supplied data without any restrictions, which results in PHP object injection on the host server.
Widespread E-Commerce Impact
The flaw requires zero administrative privileges to exploit. Attackers do not need an active admin session or specific configuration toggles. Instead, combining the object injection with an existing gadget chain allows remote code execution. Automated scans already identified roughly 6,000 compromised stores running the vulnerable extension. However, the real infection numbers are likely much higher due to content delivery networks.
Remediating the Threat
The development team has already released a fix. To eliminate the Cache Warmer RCE flaw, merchants must upgrade to version 1.11.12 immediately. Additionally, defenders can monitor their server traffic logs for attack signatures. Specifically, “Serialized PHP objects base64-encode to values starting with Tz, Qz or YT”. Tracking these markers in cookie values helps identify exploitation attempts against a storefront.
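The log check described above, as an added example (not code from Sansec or the extension vendor): it flags cookie values with the quoted prefixes, then decodes the head of each value to confirm a serialized PHP structure, since an ordinary session ID can start with the same two letters. The `cookie="..."` log field, the cookie name `example_cookie` and the sample lines are assumptions constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Prefixes quoted in the article: base64 of "O:", "C:" and "a:".
B64_PREFIXES = ("Tz", "Qz", "YT")
# Decoded head of a PHP serialized object, custom-serialized object or array.
SERIALIZED_HEAD = re.compile(rb'^(?:[OC]:\d+:"|a:\d+:\{)')
# Assumption: the access log format appends the Cookie header as cookie="...".
COOKIE_FIELD = re.compile(r'cookie="([^"]*)"')

def classify_cookie_value(value):
    """Return "confirmed", "prefix-only" or None for one cookie value."""
    value = unquote(value)  # cookie values are often percent-encoded (%3D for "=")
    if not value.startswith(B64_PREFIXES):
        return None
    head = value[:64]
    head = head[: len(head) - len(head) % 4]  # keep whole 4-character groups only
    try:
        decoded = base64.b64decode(head, validate=True)
    except (binascii.Error, ValueError):
        return "prefix-only"
    return "confirmed" if SERIALIZED_HEAD.match(decoded) else "prefix-only"

def scan_log(lines):
    """Return (line number, client, cookie name, verdict) for every flagged cookie."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        field = COOKIE_FIELD.search(line)
        if not field:
            continue
        for pair in field.group(1).split(";"):
            name, _, value = pair.strip().partition("=")
            verdict = classify_cookie_value(value)
            if verdict:
                hits.append((lineno, line.split()[0], name, verdict))
    return hits

def _b64(raw):
    return base64.b64encode(raw).decode()

# Constructed sample lines; cookie names and payloads are harmless placeholders.
SAMPLE_LOG = [
    '203.0.113.7 "GET / HTTP/1.1" 200 cookie="PHPSESSID=Tzq81kd02hs9; form_key=abc123"',
    '198.51.100.23 "GET / HTTP/1.1" 200 cookie="example_cookie=' + _b64(b'O:8:"stdClass":0:{}') + '"',
    '198.51.100.24 "GET / HTTP/1.1" 200 cookie="example_cookie=' + _b64(b'a:1:{i:0;i:1;}').replace("=", "%3D") + '"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A "prefix-only" verdict is a value that merely shares the two-letter prefix; "confirmed" values are the ones worth triaging first.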