Critical Magento Cache Warmer Vulnerability Now Listed as Exploited by CISA


A critical vulnerability in Mirasvit Full Page Cache Warmer for Magento 2 can let unauthenticated attackers execute code on vulnerable e-commerce servers through a crafted cookie. The flaw affects versions before 1.11.12 and requires urgent patching.

The vulnerability, tracked as CVE-2026-45247, involves unsafe PHP deserialization in the CacheWarmer cookie. NVD lists the flaw with a CVSS 3.1 score of 9.8, while the CVSS 4.0 score is 9.3.

Security firm Sansec disclosed the issue on May 26, 2026, after finding that a single crafted storefront request could reach PHP’s native unserialize() function without authentication, admin access, or a special configuration change.

What the Magento Cache Warmer flaw allows

Mirasvit Full Page Cache Warmer helps Magento and Adobe Commerce stores prebuild cached pages for different visitor states, including currency, customer group, and session conditions. To do that, it uses a CacheWarmer cookie that stores session-related data for cache warming requests.

The problem comes from how vulnerable versions handle that cookie. The extension deserializes client-controlled data without restricting which PHP classes can be instantiated. That weakness matches CWE-502, which covers deserialization of untrusted data.

When attackers combine this PHP object injection issue with existing gadget chains in Magento or its dependencies, they can move from a crafted cookie to remote code execution. This can allow arbitrary commands to run on the underlying server.

Who is affected

Product: Mirasvit Full Page Cache Warmer for Magento 2
  • Affected versions: before 1.11.12
  • Fixed version: 1.11.12 or later
  • Main risk: remote code execution through a crafted CacheWarmer cookie

Product: Magento or Adobe Commerce stores with bundled Mirasvit modules
  • Affected versions: depends on the installed package version
  • Fixed version: update the affected Mirasvit packages
  • Main risk: hidden exposure if Cache Warmer ships inside another module

The official Mirasvit changelog says version 1.11.12, released on May 25, 2026, fixed a PHP Object Injection vulnerability in session cookie deserialization. Version 1.11.13 followed on May 27 with a separate warning-log fix.

Sansec said all Mirasvit Cache Warmer versions before 1.11.12 are vulnerable. It also warned that some merchants may use the extension without realizing it because Cache Warmer ships inside several Mirasvit packages.

Sansec scans found roughly 6,000 stores running Mirasvit extensions, although the real number may be higher because CDNs such as Cloudflare can hide store fingerprints. That makes package inventory important for any Magento or Adobe Commerce operator using Mirasvit software.

CISA has added the flaw to its exploited vulnerabilities catalog

CISA has now listed CVE-2026-45247 in its Known Exploited Vulnerabilities catalog. The entry identifies the issue as a deserialization of untrusted data vulnerability in Mirasvit Full Page Cache Warmer.

The CISA entry gives U.S. federal civilian agencies a June 6, 2026 remediation deadline under the KEV process. Even though that deadline directly applies to federal agencies, private companies often use the KEV catalog to prioritize patching because it highlights vulnerabilities seen in real-world attacks.

Imperva also reported active exploitation attempts after public disclosure. Researchers observed HTTP requests carrying serialized PHP object payloads, including payloads designed to trigger gadget chains and validate command execution on vulnerable systems.

How attackers exploit the issue

The exploit path starts with an HTTP request to a public storefront. The request includes a CacheWarmer cookie containing attacker-controlled serialized data. Because the vulnerable extension runs on ordinary storefront requests, exploitation does not depend on internal cache-warming traffic.

In vulnerable versions, that cookie data reaches unserialize() without safe class restrictions. Attackers can then use classes already present in Magento and its dependencies to build a gadget chain. This is why a deserialization bug can become full remote code execution instead of only a parsing issue.

The NVD record describes the issue as an unauthenticated RCE vulnerability caused by a crafted serialized PHP object in the CacheWarmer cookie. It also lists affected software as Mirasvit Full Page Cache Warmer versions up to, but not including, 1.11.12.

Indicators administrators should check

  • Look for storefront requests containing a CacheWarmer cookie.
  • Check for cookie values that include the marker CacheWarmer: followed by a base64 string.
  • Watch for base64 strings beginning with Tz, Qz, or YT directly after that marker. Those are the base64 encodings of the PHP serialization prefixes O: (object), C: (custom-serialized object), and a: (array), so their presence means the cookie carries serialized PHP data rather than an opaque token.
  • Review logs for suspicious command tests, delayed responses, or unusual requests shortly after public disclosure.
  • Inspect pub/ and other web-accessible folders for unexpected PHP files, webshells, or modified scripts.

The strongest public detection clue comes from Sansec’s advisory, which points to the CacheWarmer:(Tz|Qz|YT) pattern as a strong signal of exploitation attempts. A match shows that someone tried, not that the attempt succeeded, so this pattern should not replace a full investigation, but it gives incident response teams a useful starting point.

Administrators should also check installed packages, not only the extension name shown in the Magento admin panel. A store may contain the vulnerable component through another Mirasvit module, so Composer package review and version checks matter.
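One way to do that Composer review from composer.lock, as an added example that is not part of the original article or of any Mirasvit tooling. It lists every package under the mirasvit/ vendor prefix, including dev dependencies, and flags any package whose name contains a chosen fragment and whose version parses below a fix version; the version comparison uses numeric tuples because plain string comparison ranks 1.11.9 above 1.11.12. The composer.lock excerpt is constructed, and the package name mirasvit/module-cache-warmer is a placeholder, not a confirmed Mirasvit package name.

```python
"""Inventory Mirasvit packages from composer.lock and flag versions below a fix."""
import json


def parse_version(version):
    """'1.11.9' -> (1, 11, 9). Numeric tuples compare correctly; plain string
    comparison would rank '1.11.9' above '1.11.12'. Non-numeric tails are dropped."""
    parts = []
    for piece in version.lstrip("v").split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def mirasvit_packages(lock_text, vendor_prefix="mirasvit/"):
    """(name, version) for every package under the vendor prefix, including dev deps."""
    lock = json.loads(lock_text)
    found = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg.get("name", "")
            if name.startswith(vendor_prefix):
                found.append((name, pkg.get("version", "")))
    return sorted(found)


def flag_below(packages, name_fragment, fixed_version):
    """Packages whose name contains the fragment and whose version is below the fix."""
    fixed = parse_version(fixed_version)
    return [(n, v) for n, v in packages
            if name_fragment in n and parse_version(v) < fixed]


# Constructed composer.lock excerpt. "mirasvit/module-cache-warmer" is a placeholder
# package name; confirm the real package name(s) against Mirasvit's changelog.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "magento/framework", "version": "103.0.6"},
        {"name": "mirasvit/module-cache-warmer", "version": "1.11.9"},
        {"name": "mirasvit/module-core", "version": "1.4.0"},
    ],
    "packages-dev": [
        {"name": "mirasvit/module-seo", "version": "2.9.1"},
    ],
})

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    pkgs = mirasvit_packages(text)
    for name, ver in pkgs:
        print(f"{name:40} {ver}")
    for name, ver in flag_below(pkgs, "cache-warmer", "1.11.12"):
        print(f"VULNERABLE: {name} {ver} < 1.11.12")
```

Run it against a store’s real lock file with `python audit.py composer.lock`. Because Cache Warmer can arrive inside another Mirasvit package, a bundled copy will not show up under its own name, so the full listing matters as much as the flagged line: compare every Mirasvit package version against the vendor changelog rather than only the one whose name looks right.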

What Magento store owners should do now

  • Update to 1.11.12 or later: this removes the vulnerable session cookie deserialization behavior.
  • Audit Mirasvit packages: Cache Warmer may be bundled with other Mirasvit extensions.
  • Review web logs: attack attempts may appear as crafted CacheWarmer cookie requests.
  • Scan for compromise: successful exploitation can lead to webshells, backdoors, or changed PHP files.
  • Add WAF rules: blocking serialized payloads can reduce exposure while teams complete patching.

The Mirasvit release notes confirm that version 1.11.12 fixed the PHP Object Injection vulnerability. Store owners should move beyond version checks and also confirm that the patched package has reached production, staging, and backup environments.

Security teams should treat this as a compromise-assessment issue, not only a patch-management task. Because the vulnerability needs no login and runs through public storefront traffic, attackers can automate scans across many Magento and Adobe Commerce stores.

Organizations that follow federal risk signals should also note the CISA KEV listing. Its addition means defenders should prioritize the issue above routine extension maintenance.

Why deserialization flaws are dangerous in e-commerce

Deserialization vulnerabilities become especially risky when attackers can control the input and the application has useful classes already loaded. In large PHP applications such as Magento, dependency chains can provide the building blocks attackers need to turn object injection into code execution.

That is why deserialization of untrusted data has a long history of severe impact across web applications, middleware, and enterprise platforms. The weakness can appear simple in code review, but the real-world result can include server takeover.

Magento and Adobe Commerce stores should patch immediately, search logs for signs of exploitation, and verify that no attacker left behind persistence. For stores that process payments or customer data, delayed response can raise both operational and compliance risk.

FAQ

What is CVE-2026-45247?

CVE-2026-45247 is a critical remote code execution vulnerability in Mirasvit Full Page Cache Warmer for Magento 2. Attackers can exploit it by sending a crafted CacheWarmer cookie to a vulnerable storefront.

Which versions of Mirasvit Cache Warmer are vulnerable?

All Mirasvit Full Page Cache Warmer versions before 1.11.12 are vulnerable. Store owners should update to version 1.11.12 or later.

Does exploitation require Magento admin access?

No. The vulnerability can be exploited without authentication because the crafted CacheWarmer cookie can be sent through an ordinary storefront request.

Has CVE-2026-45247 been exploited in attacks?

Yes. CISA added CVE-2026-45247 to its Known Exploited Vulnerabilities catalog, and security researchers have reported active exploitation attempts using serialized PHP object payloads.

What should Magento store owners do first?

Store owners should update Mirasvit Full Page Cache Warmer to version 1.11.12 or later, audit installed Mirasvit modules, review web logs for suspicious CacheWarmer cookies, and scan for webshells or unexpected PHP files.
