Magento 2 storefronts are direct revenue systems; a successful exploit gives attackers complete server control, enabling theft of customer payment data, order histories, and account credentials without any warning to the business or its customers. Attackers commonly deploy silent JavaScript skimmers on compromised Magento instances, siphoning payment card data from every transaction processed after compromise — creating PCI-DSS breach liability and potential card brand fines. The unauthenticated nature of this vulnerability means any internet-exposed storefront is a viable target for automated scanning tools, and CISA's KEV listing confirms exploitation is already underway at scale.
You Are Affected If
You run Mirasvit Full Page Cache Warmer for Magento 2 at any version before 1.11.12
Your Magento 2 storefront is internet-facing (directly or via CDN) without a WAF blocking PHP deserialization patterns in cookie values
You have not applied the vendor patch released in version 1.11.12
Your Magento 2 dependency tree includes gadget-chain-bearing libraries (standard Magento 2 installations qualify by default)
The web server process runs with write permissions to pub/media, pub/static, or other web-accessible directories
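The second bullet above hinges on recognising PHP deserialization patterns in cookie values. The following Python script is an added example, not code from the advisory, Mirasvit or Magento: it scans request lines for cookies whose value (raw, URL-decoded or base64-wrapped) carries a PHP `serialize()` object marker (`O:<len>:"<Class>":<n>:{` or the `C:` variant), which is the shape a WAF rule or a retrospective log review would look for. The cookie name `warmer_state`, the class name `SomeGadget` and the sample request lines are all constructed placeholders; they are not the extension's real cookie name or any real gadget class.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# PHP serialize() writes objects as O:<len>:"<class>":<n>:{...} and
# Serializable classes as C:<len>:"<class>":<n>:{...}. Untrusted input that
# carries either marker is what a deserialization sink would instantiate.
PHP_OBJECT_RE = re.compile(r'(?:^|[;{])(?:O|C):\d+:"[A-Za-z0-9_\\]+":\d+:\{')


def _decodings(value):
    """Yield the raw cookie value plus URL-decoded and base64-decoded forms.

    Payloads are routinely URL-encoded (cookies cannot carry ';' or '{' raw)
    or base64-wrapped, so a naive rule on the raw value misses them.
    """
    candidates = [value]
    url_decoded = unquote(value)
    if url_decoded != value:
        candidates.append(url_decoded)
    for cand in list(candidates):
        try:
            padded = cand + "=" * (-len(cand) % 4)
            decoded = base64.b64decode(padded, validate=True)
            candidates.append(decoded.decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            pass  # not base64; keep the other forms
    seen = set()
    for cand in candidates:
        if cand not in seen:
            seen.add(cand)
            yield cand


def parse_cookie_header(header):
    """Split 'Cookie: a=1; b=2' into (name, value) pairs."""
    _, _, body = header.partition(":")
    pairs = []
    for part in body.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        pairs.append((name.strip(), val.strip()))
    return pairs


def scan_cookie_header(header):
    """Return the names of cookies in one Cookie header that carry a
    PHP serialized object in any decoded form."""
    flagged = []
    for name, val in parse_cookie_header(header):
        if any(PHP_OBJECT_RE.search(form) for form in _decodings(val)):
            flagged.append(name)
    return flagged


def scan_requests(lines):
    """Scan many Cookie header lines; return (line index, cookie name) hits."""
    hits = []
    for idx, line in enumerate(lines):
        for name in scan_cookie_header(line):
            hits.append((idx, name))
    return hits


# Constructed sample request lines (not captured traffic). The cookie name
# "warmer_state" and class "SomeGadget" are placeholders.
SAMPLE_REQUESTS = [
    # benign session and CSRF cookies
    "Cookie: PHPSESSID=3f9c1d2e7a; form_key=Lk3dP0zQ",
    # URL-encoded serialized PHP object in a cookie value
    "Cookie: PHPSESSID=3f9c1d2e7a; warmer_state="
    "O%3A10%3A%22SomeGadget%22%3A1%3A%7Bs%3A4%3A%22name%22%3Bs%3A3%3A%22foo%22%3B%7D",
    # same object shape, base64-wrapped instead of URL-encoded
    "Cookie: warmer_state="
    + base64.b64encode(b'O:10:"SomeGadget":1:{s:4:"name";s:3:"foo";}').decode(),
    # serialized plain array (a:...) without an object marker: not flagged
    "Cookie: cart=a%3A1%3A%7Bi%3A0%3Bs%3A3%3A%22sku%22%3B%7D",
]

if __name__ == "__main__":
    for idx, name in scan_requests(SAMPLE_REQUESTS):
        print(f"line {idx}: cookie '{name}' carries a PHP serialized object")
```

The rule deliberately ignores serialized scalars and arrays (`s:`, `i:`, `a:`), which Magento and its extensions legitimately store, and flags only class instantiation markers; a deployed WAF rule should apply the same decoding steps before matching, or URL- and base64-encoded variants will pass through untouched. Run the same scan over archived access or WAF logs to establish whether such cookies reached the storefront before the 1.11.12 upgrade.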
Board Talking Points
A critical flaw in a Magento e-commerce extension lets attackers take full control of our online store with no password required — and active attacks are confirmed by US federal authorities.
The security team must upgrade the affected extension to version 1.11.12 immediately; if that takes more than 24 hours, the site should be firewalled or the extension disabled until patching is complete.
Failure to act within 24–48 hours risks a payment data breach, silent card skimming on every customer transaction, regulatory fines, and potential card brand penalties that could suspend our ability to process payments.
PCI-DSS — Magento 2 is a payment card processing platform; unauthenticated RCE enabling server control and JavaScript skimmer deployment directly implicates cardholder data environment security under PCI-DSS Requirements 6.3 (vulnerability management), 6.4 (web-facing application protection), and 12.10 (incident response)
GDPR / regional data protection law — Magento 2 storefronts typically process EU customer PII (name, address, email, order history); server compromise triggering unauthorized access to that data may constitute a reportable breach under Article 33, requiring notification within 72 hours of discovery