The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in the Mirasvit Full Page Cache Warmer extension to its Known Exploited Vulnerabilities (KEV) catalog, according to a report by Security Affairs. The flaw affects a widely used performance optimisation extension for Adobe Commerce and Magento-based online stores, and its inclusion in the KEV catalog confirms that active exploitation has been observed in the wild.

Mirasvit Full Page Cache Warmer pre-generates cached versions of storefront pages so that shoppers are served from cache rather than waiting for Magento to render each page. Because the extension sits in the path that writes storefront content into the cache, a flaw in such a widely deployed component is a serious concern for online retailers: an attacker who can abuse it could potentially alter storefront content, inject malicious payloads into cached pages, or disrupt service availability. The report does not detail the root cause, so the impact should be assessed against Mirasvit's own advisory.

What the KEV Listing Means

Under Binding Operational Directive 22-01, all U.S. federal civilian executive branch agencies are required to remediate any vulnerability listed in the KEV catalog by the due date CISA assigns to that entry. Once CISA adds a flaw to the catalog, it also serves as a signal to the broader security community that the vulnerability is being actively exploited and demands immediate attention, regardless of whether an organisation falls within the directive's scope.

For any business running Adobe Commerce or Magento stores with the Mirasvit cache extension installed, the message is clear: patching or mitigating this vulnerability should be treated as urgent.

Recommended Actions

Organisations running Mirasvit Full Page Cache Warmer should:

  • Check the installed version and consult Mirasvit's official advisories for available patches or fixed releases.
  • Monitor for indicators of compromise, particularly any unexpected changes to cached page content or unauthorised administrative access.
  • Assess exposure by identifying all Magento installations across the organisation and verifying extension inventories.
  • Consider temporary mitigations, such as disabling the cache warmer module or implementing web application firewall rules, if a patch is not immediately available.
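The first and third actions above (check the installed version, inventory every Magento root for the extension) are easy to script. The following is an added example written for this page; it is not Mirasvit's, Magento's or CISA's code. It reads the two files every Magento store maintains, `composer.lock` (installed packages and versions) and `app/etc/config.php` (the module enable map), and reports, per store root, whether a Mirasvit cache warmer package is present, whether its module is enabled, and whether the installed version is older than the fixed version you supply. The Composer package name `mirasvit/module-cache-warmer` and module name `Mirasvit_CacheWarmer` are assumptions used for the match patterns; confirm them against your own `composer.lock` and the vendor advisory. The fixed version is deliberately not hardcoded, since the page does not state it; the `9.9.9` used when run directly is a placeholder. The three store directories are constructed in a temporary directory as sample data.

```python
"""Inventory Magento / Adobe Commerce roots for a Mirasvit cache warmer package.

Added example, not vendor code. Per store root it inspects:
  <root>/composer.lock       - installed Composer packages and versions
  <root>/app/etc/config.php  - module enable map ('Vendor_Module' => 0|1)
"""
import json
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Optional

# Assumption: vendor prefix and name fragments that identify the cache warmer
# package and module. Verify against the vendor advisory and your composer.lock.
PACKAGE_RE = re.compile(r"^mirasvit/[^/]*cache[^/]*warmer[^/]*$", re.IGNORECASE)
MODULE_RE = re.compile(r"^Mirasvit_.*Cache.*Warmer.*$", re.IGNORECASE)
# Matches entries such as  'Mirasvit_CacheWarmer' => 1  inside config.php.
CONFIG_ENTRY_RE = re.compile(r"'([A-Za-z0-9_]+)'\s*=>\s*([01])")


def parse_version(text: str) -> tuple:
    """'v2.3.10' -> (2, 3, 10). Trailing non-numeric parts are dropped."""
    nums = []
    for part in text.lstrip("vV").split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums)


def installed_warmer(lock_path: str) -> Optional[tuple]:
    """Return (package_name, version) from composer.lock, or None if absent."""
    with open(lock_path, encoding="utf-8") as fh:
        lock = json.load(fh)
    for pkg in lock.get("packages", []):
        if PACKAGE_RE.match(pkg.get("name", "")):
            return pkg["name"], pkg.get("version", "")
    return None


def module_states(config_path: str) -> dict:
    """Parse app/etc/config.php module entries into {module_name: 0|1}."""
    with open(config_path, encoding="utf-8") as fh:
        return {m.group(1): int(m.group(2)) for m in CONFIG_ENTRY_RE.finditer(fh.read())}


@dataclass
class Finding:
    root: str
    package: Optional[str]
    version: Optional[str]
    enabled: Optional[bool]     # module enabled in config.php
    needs_patch: Optional[bool]  # installed version < fixed version; None if absent


def assess_root(root: str, fixed_version: str) -> Finding:
    """fixed_version must come from the vendor advisory; it is a parameter here."""
    found = installed_warmer(os.path.join(root, "composer.lock"))
    if found is None:
        return Finding(root, None, None, None, None)
    name, version = found
    states = module_states(os.path.join(root, "app", "etc", "config.php"))
    enabled = any(v == 1 for k, v in states.items() if MODULE_RE.match(k))
    # A disabled module still leaves vulnerable code on disk: report it anyway.
    needs_patch = parse_version(version) < parse_version(fixed_version)
    return Finding(root, name, version, enabled, needs_patch)


def make_sample_root(base: str, name: str, packages: list, modules: dict) -> str:
    """Write a constructed composer.lock and config.php (sample data, not real)."""
    root = os.path.join(base, name)
    os.makedirs(os.path.join(root, "app", "etc"))
    with open(os.path.join(root, "composer.lock"), "w", encoding="utf-8") as fh:
        json.dump({"packages": [{"name": n, "version": v} for n, v in packages]}, fh)
    body = ",\n".join(f"        '{k}' => {v}" for k, v in modules.items())
    with open(os.path.join(root, "app", "etc", "config.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\nreturn [\n    'modules' => [\n" + body + "\n    ]\n];\n")
    return root


def demo(fixed_version: str) -> list:
    """Three constructed stores; all package names and versions are made up."""
    base = tempfile.mkdtemp(prefix="magento-inv-")
    roots = [
        make_sample_root(base, "store-a",
                         [("magento/product-community-edition", "2.4.6"),
                          ("mirasvit/module-cache-warmer", "1.2.3")],  # assumed name
                         {"Magento_Store": 1, "Mirasvit_CacheWarmer": 1}),
        make_sample_root(base, "store-b",
                         [("mirasvit/module-cache-warmer", "1.2.3")],
                         {"Mirasvit_CacheWarmer": 0}),  # installed but disabled
        make_sample_root(base, "store-c",
                         [("magento/product-community-edition", "2.4.6")],
                         {"Magento_Store": 1}),  # no warmer at all
    ]
    return [assess_root(r, fixed_version) for r in roots]


if __name__ == "__main__":
    # Placeholder fixed version; replace with the version from Mirasvit's advisory.
    for finding in demo("9.9.9"):
        print(finding)
```

In production, replace `demo()` with a loop over your real store roots (for example every directory containing `app/etc/env.php`) and pass the fixed version from the advisory. The script reports `store-b` as needing a patch even though its module is disabled, which matches the fourth action above: disabling the module is a stop-gap, not a fix.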

The inclusion of this vulnerability in the KEV catalog is a reminder that third-party extensions in the e-commerce ecosystem remain a high-value attack surface. Proactive vulnerability management — not just reactive patching — is essential for any organisation relying on Magento's extension ecosystem.
