Background
Mirasvit Full Page Cache Warmer is a commercial Magento 2 and Adobe Commerce extension that pre-generates cached pages to improve storefront performance. The extension is widely deployed across Magento-based e-commerce sites, where full-page caching is a standard performance optimisation. By pre-warming the cache before real visitor requests arrive, it reduces server load and ensures customers experience fast page loads even on first visit.
Magento and Adobe Commerce stores are high-value targets for attackers due to their direct access to payment card data, customer PII, and order information. The Magento ecosystem has a history of severe extension-level vulnerabilities — the Magecart skimmer campaigns that compromised thousands of stores relied heavily on exploiting vulnerable third-party extensions to gain code execution on the web tier, from which payment data could be harvested. CVE-2026-45247 follows this pattern: a critical vulnerability in a popular extension that provides unauthenticated access to the underlying server.
CISA added CVE-2026-45247 to its Known Exploited Vulnerabilities catalogue following confirmed active exploitation, reflecting the high and immediate risk to Magento operators running unpatched versions of the extension.
Technical Mechanism
CVE-2026-45247 is a PHP object injection vulnerability (CWE-502) in Mirasvit Full Page Cache Warmer versions before 1.11.12. The flaw resides in how the extension processes the CacheWarmer HTTP cookie.
PHP’s native unserialize() function reconstructs PHP objects from a serialised string. When called on attacker-controlled input, it instantiates arbitrary class objects and invokes their magic methods: __wakeup() during reconstruction and __destruct() when the object is later destroyed. If the classes available in the current PHP process have methods that can be chained to produce dangerous operations — so-called “gadget chains” — an attacker can trigger arbitrary code execution purely by supplying a crafted serialised payload.
The exploit flow for CVE-2026-45247:
- An attacker sends any HTTP request to a Magento storefront with a crafted CacheWarmer cookie value
- The Cache Warmer extension reads the cookie value and passes it directly to PHP’s unserialize() function without filtering or class allowlisting
- PHP reconstructs the attacker-specified object graph, triggering magic method calls on the instantiated objects
- Using gadget chains from classes available in the Magento application — notably classes from the Monolog logging library bundled with Magento — the deserialization chain escalates to OS command execution
- Observed payloads invoke system() and current() to execute arbitrary shell commands on the underlying server
No authentication, no admin session, no configuration toggle, and no specific endpoint is required. Any storefront HTTP request — including anonymous browsing requests — carries the opportunity for exploitation if the CacheWarmer cookie is included.
The CVSS 3.1 score of 9.8 (Critical) reflects the combination of network attack vector, low complexity, no privileges required, and no user interaction — all factors that maximise the ease and scalability of exploitation.
Real-World Exploitation Evidence
Active exploitation of CVE-2026-45247 was observed by Imperva shortly after public disclosure, with attack traffic containing base64-encoded serialised PHP object payloads submitted in the CacheWarmer cookie. The payloads followed patterns consistent with Monolog-based gadget chain exploitation.
CISA’s addition of CVE-2026-45247 to KEV confirms that exploitation was observed against real targets, not merely in controlled proof-of-concept demonstrations.
Magento stores have been a persistent target for financially motivated attackers:
- Magecart / skimmer operations: Threat actors achieving code execution via Magento extensions have historically deployed JavaScript skimmers in checkout pages to harvest payment card numbers at point of entry, exfiltrating data before any encryption
- Credential harvesting: Server-side code execution enables direct database access, from which customer email/password hashes and stored payment tokens can be extracted
- Backdoor deployment: Web shells placed in publicly accessible directories provide persistent access for follow-on operations
Given the unauthenticated, network-accessible nature of CVE-2026-45247, automated mass-scanning exploitation is realistic. Operators of Magento stores running affected extension versions should treat this as an active incident risk, not merely a patch management issue.
Impact Assessment
Successful exploitation of CVE-2026-45247 provides an unauthenticated attacker with:
- Arbitrary OS command execution on the web tier under the web server process user (typically www-data, nginx, or apache)
- Direct database access: Magento’s env.php configuration file, readable by the web server user, contains plaintext database credentials — granting full read/write access to the Magento MySQL database including customer PII, order history, and stored payment tokens
- Web shell deployment: Files can be written to the Magento web root or media directories, establishing persistent access that survives extension patching
- Payment data exposure: Any cardholder data stored in the database or accessible from the web tier (including pending order data) is exposed
- GDPR and PCI-DSS breach exposure: Compromise of customer data and payment card information carries regulatory notification obligations and financial penalties
For multi-tenant hosting environments where multiple Magento stores share a server, exploitation of one store may enable lateral movement to adjacent stores through shared filesystem access or credentials.
Affected Versions
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Mirasvit Full Page Cache Warmer for Magento 2 | All versions before 1.11.12 | 1.11.12 (released 25 May 2026) |
| Adobe Commerce (using affected extension) | All versions with extension < 1.11.12 | Update extension to 1.11.12 |
| Magento Open Source (using affected extension) | All versions with extension < 1.11.12 | Update extension to 1.11.12 |
Note: The vulnerability is in the Mirasvit extension itself, not in Magento core or Adobe Commerce platform code. The Magento/Adobe Commerce version is not the determining factor — the extension version is.
Remediation Steps
- Update Mirasvit Full Page Cache Warmer to version 1.11.12 or later via the Mirasvit customer portal or Composer:
    composer require mirasvit/module-cache-warmer:^1.11.12
    php bin/magento setup:upgrade
    php bin/magento cache:flush
- If immediate patching is not possible, consider disabling the extension temporarily by commenting out or removing its autoload registration — this removes the vulnerability at the cost of cache warming functionality
- Review web server and application logs for requests containing CacheWarmer cookie values matching the pattern CacheWarmer:(Tz|Qz|YT) — these are indicators of exploitation attempts
- Audit recently modified files in the Magento web root and subdirectories, particularly PHP files in pub/, pub/media/, and pub/static/:
    find /var/www/html -name "*.php" -newer /var/www/html/composer.json -ls
- Review the database for unauthorised admin accounts or recently created admin sessions
- Rotate database credentials in app/etc/env.php if exploitation is suspected, and update all systems using those credentials
- Consider a full site integrity check using a Magento security scanning tool (e.g., Magereport, Sansec eComscan) to detect web shells and injected payment skimmers
Detection Guidance
HTTP access logs (Apache/Nginx):
Look for requests carrying a CacheWarmer cookie with a base64-encoded payload value:
grep -i 'CacheWarmer' /var/log/nginx/access.log | grep -E 'CacheWarmer:(Tz|Qz|YT)'
The pattern CacheWarmer:(Tz|Qz|YT) at the start of the cookie value is a strong indicator. Legitimate cache warmer cookies will not contain serialised object prefixes.
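The prefixes Tz, Qz and YT are the base64 encodings of the PHP serialisation markers O:, C: and a:. The triage script below is an added example, not code from the original analysis or from any vendor named in it. It goes one step past the prefix grep by decoding each CacheWarmer value and listing the class names a serialised object graph would instantiate. It assumes the access log records the Cookie header (nginx's default combined format does not; $http_cookie must be added to log_format). The function names are hypothetical and the sample payloads are constructed and harmless.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Cookie value format as described on this page: "CacheWarmer:" + base64 data.
COOKIE_RE = re.compile(r"CacheWarmer:([A-Za-z0-9+/]+={0,2})")
# serialize() writes objects as O:<len>:"Class":<n>: (C: for Serializable).
OBJECT_RE = re.compile(rb'(?:^|[;{])[OC]:\d+:"([^"]+)":\d+:')
ARRAY_RE = re.compile(rb"^a:\d+:\{")


def classify_cookie(line):
    """Return (verdict, class_names), or None if no CacheWarmer value is present."""
    match = COOKIE_RE.search(unquote(line))  # logs may hold %3A / %3D
    if match is None:
        return None
    value = match.group(1)
    try:
        # Senders may strip padding; restore it before strict decoding.
        decoded = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
    except binascii.Error:
        return ("undecodable", [])
    classes = [c.decode("latin-1") for c in OBJECT_RE.findall(decoded)]
    if classes:
        return ("serialized-object", classes)  # object graph: investigate
    if ARRAY_RE.match(decoded):
        return ("serialized-array", [])  # serialised data, no objects found
    return ("other", [])


def sample_line(payload):
    """Build a constructed log line; assumes the Cookie header is the last field."""
    b64 = base64.b64encode(payload).decode()
    return ('203.0.113.7 - - [01/Jun/2026:10:00:00 +0000] "GET / HTTP/1.1" '
            f'200 512 "-" "constructed-ua" "CacheWarmer:{b64}"')


if __name__ == "__main__":
    # Constructed, harmless payloads: stdClass carries no gadget behaviour.
    for payload in (b'O:8:"stdClass":0:{}', b'a:1:{i:0;O:8:"stdClass":0:{}}',
                    b'a:1:{i:0;s:2:"ok";}', b"plain-value"):
        print(classify_cookie(sample_line(payload)))
```

Class names returned for a "serialized-object" hit (for example anything under the Monolog namespace) help separate scanner noise from payloads aimed at the gadget chain described above.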
Magento application logs (var/log/system.log, var/log/exception.log):
Watch for unserialize-related PHP exceptions, particularly errors from Monolog classes during request processing — these may indicate failed or partially successful deserialization attempts.
Web shell detection:
# Scan for recently modified PHP files (adjust path as needed)
find /var/www/magento -name "*.php" -mtime -7 -not -path "*/vendor/*" -not -path "*/.git/*"
# Scan for common web shell signatures
grep -rl "eval(base64_decode\|system(\$_\|passthru(\$_\|exec(\$_" /var/www/magento/pub/
WAF rule (if applicable):
Block cookie values matching: CacheWarmer\s*:\s*[A-Za-z0-9+/]{20,}
SIEM query (for log aggregation platforms):
sourcetype=access_combined OR sourcetype=nginx_access
| rex field=_raw "Cookie:.*CacheWarmer:(?P<cookie_val>[A-Za-z0-9+/=]{10,})"
| where isnotnull(cookie_val)
| stats count by src_ip, uri_path, cookie_val
| sort -count
Timeline
| Date | Event |
|---|---|
| Prior to May 2026 | CVE-2026-45247 reported to Mirasvit |
| 25 May 2026 | Mirasvit releases version 1.11.12 with fix for CVE-2026-45247 |
| Late May 2026 | Public disclosure; Sansec and Imperva publish analysis |
| Late May 2026 | CISA adds CVE-2026-45247 to Known Exploited Vulnerabilities catalogue |
| Late May 2026 | Imperva observes active exploitation attempts carrying serialised PHP payloads |
| 4 June 2026 | This analysis published |