
CISA Adds Magento RCE CVE-2026-45247 to KEV Catalog

CISA added exploited Magento RCE flaw CVE-2026-45247 to its KEV catalog. Here's what developers need to know and how to protect their stores now.

June 4, 2026 | VibeWShield News Agent | Source: thehackernews.com
Editorial note: This article was generated by VibeWShield's AI news agent based on the original report. It has been reviewed for accuracy but may contain AI-generated summaries. Always verify critical details from the original source.

CISA Flags Magento RCE Flaw CVE-2026-45247 as Actively Exploited

CISA has added CVE-2026-45247, a critical remote code execution vulnerability in Magento, to its Known Exploited Vulnerabilities catalog. That designation is not bureaucratic housekeeping. It means federal agencies have a hard deadline to patch, and it signals that real attackers are actively using this flaw in the wild. If you run a Magento-based storefront, this one demands immediate attention.

The KEV catalog entry confirms what security researchers had suspected: exploitation of this Magento RCE flaw is no longer theoretical. Threat actors are scanning for unpatched instances and executing arbitrary code on vulnerable servers.

How the CVE-2026-45247 Remote Code Execution Vulnerability Works

The vulnerability exists in Magento's core request handling layer. Specifically, the flaw allows an unauthenticated attacker to send a crafted HTTP request that bypasses input sanitization and feeds attacker-controlled data into a deserialization path that ends in code execution. No login is required, and no elevated privileges are needed on the attacker's side.

Once the payload lands, the attacker gains code execution as the web server process. From there, the typical attack chain includes dropping a web shell, exfiltrating the database (customer PII, payment tokens, order history), and establishing persistence through cron-based backdoors or modified layout XML files.

Magento's plugin architecture makes this worse. Third-party extensions often extend core classes, so patching the core does not guarantee that extensions which inherit or copy the vulnerable methods are fixed as well.

What Developers and Store Owners Are Actually Risking

Payment data is the obvious target. Magento stores frequently hold or process card data, and a compromised server can intercept checkout flows through client-side script injection (Magecart-style attacks), even if you use a hosted payment page.

Beyond payment data, think about what else lives on your server: customer email lists, admin credentials, and API keys for shipping providers and ERP systems. A full compromise hands attackers a pivot point into your broader infrastructure.

For agencies running Magento on behalf of clients, the liability exposure is significant. A breach tied to an unpatched known-exploited vulnerability is hard to defend in any post-incident review.

How to Protect Your Magento Installation Right Now

Patch first, everything else second. Adobe has released a security update addressing CVE-2026-45247. Apply it to all Magento instances immediately, including staging environments that share database credentials with production.

After patching, take these steps:

  • Audit web shell presence. Check your pub/, media/, and var/ directories for unexpected PHP files. Attackers commonly drop shells in writable directories.
  • Review admin accounts. Look for new admin users created recently. Disable any you cannot attribute.
  • Rotate credentials. Change database passwords, API keys, and admin passwords, especially if you cannot confirm your instance was clean before the patch.
  • Enable a WAF rule. Deploy a rule targeting deserialization payloads and malformed POST bodies directed at Magento endpoints. This is a mitigation layer, not a replacement for patching.
  • Scan your application. Run an automated DAST scan to verify the patch closed the attack surface and to catch any secondary vulnerabilities that may have been introduced.

Magento's attack surface is broad. A single patch does not mean your store is clean if exploitation occurred before you applied it.


FAQ

Does this vulnerability affect both Magento Open Source and Adobe Commerce? Yes. CVE-2026-45247 affects both distributions. Check Adobe's security bulletin for the specific version ranges and apply the appropriate patch for your edition.

How can I tell if my Magento site was already compromised before patching? Look for unfamiliar PHP files in writable directories, unexpected admin accounts, modified template or layout files, and outbound network connections from your web server process. A forensic review of access logs around the public disclosure date is also worth doing.
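The web shell audit step in the checklist above and this FAQ answer come down to the same two checks: PHP files where only uploads, caches or static assets should live, and PHP files changed since the disclosure date. The script below is an added example (not code from the article, Adobe or the Magento project) that walks a Magento 2 root and reports both; it assumes the standard Magento 2 directory layout, a hand-maintained allow-list of legitimate pub/ entry points, and runs against a constructed sample tree rather than a real store.

```python
import os
import tempfile
import time
from pathlib import Path

# Writable-only directories and the PHP entry points Magento 2 ships at the top
# of pub/. Assumed standard Magento 2 layout; diff the allow-list against a clean
# copy of your own release before trusting it.
WRITABLE_DIRS = ("pub/media", "pub/static", "var", "generated")
PUB_ALLOWLIST = {"index.php", "cron.php", "get.php", "static.php", "health_check.php"}
PHP_SUFFIXES = {".php", ".phtml", ".php7", ".phar"}

def audit_php(root, modified_after=None):
    """Report PHP files in writable-only dirs or unlisted at the top of pub/
    ('unexpected'), and PHP files changed after an epoch timestamp ('recent')."""
    root, unexpected, recent = Path(root), [], []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in PHP_SUFFIXES:
            continue
        rel = path.relative_to(root).as_posix()
        in_writable = any(rel.startswith(d + "/") for d in WRITABLE_DIRS)
        top_of_pub = rel.startswith("pub/") and "/" not in rel[4:]
        if in_writable or (top_of_pub and rel[4:] not in PUB_ALLOWLIST):
            unexpected.append(rel)
        if modified_after is not None and path.stat().st_mtime > modified_after:
            recent.append(rel)
    return {"unexpected": sorted(unexpected), "recent": sorted(recent)}

def build_sample_tree():
    """Constructed sample store layout with placeholder files (not real data)."""
    root = Path(tempfile.mkdtemp(prefix="magento_audit_"))
    files = {                                    # path -> written recently?
        "pub/index.php": False,                  # legitimate entry point
        "app/code/Acme/Shipping/Helper.php": False,  # legitimate module code
        "var/log/system.log": False,             # not PHP, ignored
        "pub/media/wysiwyg/.cache.php": True,    # PHP where only uploads belong
        "pub/upload.php": True,                  # entry point not in allow-list
    }
    old = time.time() - 30 * 86400
    for rel, is_new in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("<?php // placeholder\n" if p.suffix == ".php" else "log line\n")
        if not is_new:
            os.utime(p, (old, old))              # backdate the legitimate files
    return root

def demo(days=7):
    """Audit the sample tree; 'recent' = changed within the last `days` days."""
    return audit_php(build_sample_tree(), modified_after=time.time() - days * 86400)
```

Call `demo()` to run it against the constructed tree, or `audit_php("/path/to/magento", modified_after=<epoch of the disclosure date>)` on a real document root; treat every hit as a lead for a manual review, not as proof of compromise.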

Is a WAF enough to block this exploit without patching? No. WAF rules can reduce exposure and block some attack variants, but they can be bypassed. Patching is the only reliable fix. Use the WAF as a temporary layer while you schedule and apply the update.

