CISA Warns Magento Stores After Critical Mirasvit Cache Warmer RCE Flaw Is Exploited
CISA has warned federal agencies and Magento administrators to urgently patch a critical remote code execution flaw in the Mirasvit Full Page Cache Warmer extension after confirmed exploitation in attacks. The vulnerability, tracked as CVE-2026-45247, affects Mirasvit Full Page Cache Warmer for Magento 2 versions before 1.11.12.
The flaw allows an unauthenticated attacker to execute code on a vulnerable Magento or Adobe Commerce server by sending a crafted serialized PHP object through the CacheWarmer cookie. CISA added the issue to its Known Exploited Vulnerabilities catalog on June 3, 2026, after reports of active exploitation.
The risk is serious because the bug can be triggered through normal storefront traffic. Attackers do not need a Magento admin account, a customer session, or access to the backend. A single malicious cookie can reach unsafe deserialization logic and, with a usable gadget chain, lead to remote code execution.
What makes CVE-2026-45247 dangerous
Sansec researchers disclosed the vulnerability on May 26 and described it as an unauthenticated PHP object injection flaw. The Cache Warmer extension uses cookies to help generate page variants for different storefront states, but vulnerable versions passed attacker-controlled data into PHP’s native unserialize() function.
That behavior is a deserialization-of-untrusted-data weakness, classified as CWE-502. The NVD entry says attackers can exploit the unrestricted unserialize() call with gadget chains already present in Magento and its dependencies to execute arbitrary code on the server.
Mirasvit fixed the issue in version 1.11.12, released on May 25, 2026. The Mirasvit changelog describes the fix as a patch for a PHP object injection vulnerability in session cookie deserialization.
| Issue | Details |
| --- | --- |
| CVE | CVE-2026-45247 |
| Affected product | Mirasvit Full Page Cache Warmer for Magento 2 |
| Affected versions | Versions before 1.11.12 |
| Severity | Critical, CVSS 9.8 |
| Attack type | Unauthenticated remote code execution through PHP object injection |
| Exploitation status | Actively exploited in attacks |
| Federal agency deadline | June 6, 2026 |
How attackers can exploit the flaw
The vulnerable extension reads the CacheWarmer cookie on storefront requests. In affected versions, an attacker can send a specially crafted cookie containing a serialized PHP object. The server then processes that data without safely limiting which classes can be reconstructed.
Imperva reported active exploitation attempts involving serialized PHP object payloads designed to trigger remote code execution through PHP object injection gadget chains. Some observed payloads attempted to run system-level commands to confirm code execution.
This type of access can give an attacker a foothold on an eCommerce server. From there, a compromised store could face web shell deployment, payment skimming, customer data theft, credential theft, or deeper movement into connected business systems.
Why Magento store owners should act quickly
CISA’s warning applies directly to U.S. federal civilian agencies, but private companies should treat the catalog entry as an emergency signal. The agency uses the KEV catalog for vulnerabilities that attackers have already exploited, not just theoretical risks.
The CISA alert gives federal agencies until June 6, 2026, to apply mitigations. That short deadline reflects the risk of an unauthenticated RCE flaw in an internet-facing eCommerce component.
Magento and Adobe Commerce sites often run several third-party extensions, which can expand the attack surface beyond the core platform. A performance module can become a critical security risk if it handles user-controlled input in an unsafe way.
- Update Mirasvit Full Page Cache Warmer to version 1.11.12 or later immediately.
- Check whether the module came bundled with another Mirasvit package.
- Disable or remove the extension if patching cannot happen right away.
- Search web logs for unusual CacheWarmer cookie values.
- Review the server for new files, web shells, unauthorized admin users, and unexpected cron jobs.
- Rotate secrets if evidence suggests server compromise.
What admins should look for in logs
Security teams should review storefront request logs for CacheWarmer cookies containing suspicious encoded serialized data. Sansec’s advisory notes that serialized PHP objects often base64-encode to values starting with markers such as Tz, Qz, or YT after the CacheWarmer prefix (these are the base64 encodings of the serialized PHP prefixes O:, C:, and a:).
Teams should also look beyond the initial request. Successful exploitation can leave traces such as newly created PHP files, modified Magento directories, unknown outbound connections, unexpected process execution by the web server user, or changes to scheduled tasks.
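As an added example (not code from Sansec, Imperva, or Mirasvit), the following Python scans access-log lines for CacheWarmer cookies and decodes each value instead of only matching the Tz/Qz/YT prefixes, so it also catches URL-encoded padding and an object nested inside a serialized array. The log format, the position of the logged Cookie header, and the sample lines are constructed assumptions.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# O:<len>:"<Class>" / C:<len>:"<Class>" at the start or after a ';'/'{' (nested in an array).
PHP_OBJECT_RE = re.compile(r'(?:^|[;{])[OC]:\d+:"')
PHP_SERIALIZED_RE = re.compile(r'^[asibdNOC]:')  # any top-level serialized PHP value
COOKIE_RE = re.compile(r'(?:^|[;\s"])CacheWarmer=([^;"\s]+)')  # cookie inside a logged Cookie header

def decode_cookie(value):
    """URL-decode, then base64-decode a CacheWarmer value; None if it is not valid base64."""
    try:
        return base64.b64decode(unquote(value), validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return None

def classify_cookie(value):
    """'php-object' (object injection attempt), 'php-serialized', 'benign' or 'not-base64'."""
    decoded = decode_cookie(value)
    if decoded is None:
        return "not-base64"
    if PHP_OBJECT_RE.search(decoded):
        return "php-object"
    if PHP_SERIALIZED_RE.match(decoded):
        return "php-serialized"
    return "benign"

def scan_log(text):
    """Return (line_number, verdict, cookie_value) for every non-benign CacheWarmer cookie."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = COOKIE_RE.search(line)
        if m and (verdict := classify_cookie(m.group(1))) != "benign":
            hits.append((lineno, verdict, m.group(1)))
    return hits

def b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed test vectors (not real traffic); "Dummy" is a placeholder class, not a gadget.
BENIGN = b64("desktop|en_US").replace("=", "%3D")  # padding URL-encoded, as browsers may send it
OBJECT = b64('O:5:"Dummy":0:{}')                   # bare serialized object
NESTED = b64('a:1:{i:0;O:5:"Dummy":0:{}}')         # object hidden inside an array
ARRAY = b64('a:1:{i:0;s:4:"test";}')               # serialized array with no object
SAMPLE_LOG = "\n".join([
    '203.0.113.10 - - [03/Jun/2026:10:01:02 +0000] "GET / HTTP/1.1" 200 8890 "CacheWarmer=%s"' % BENIGN,
    '203.0.113.11 - - [03/Jun/2026:10:01:05 +0000] "GET / HTTP/1.1" 200 8890 "CacheWarmer=%s"' % OBJECT,
    '203.0.113.12 - - [03/Jun/2026:10:01:07 +0000] "GET /customer/account/ HTTP/1.1" 200 4100 "frontend=abc123; CacheWarmer=%s"' % NESTED,
    '203.0.113.13 - - [03/Jun/2026:10:01:09 +0000] "GET / HTTP/1.1" 200 8890 "CacheWarmer=%s"' % ARRAY,
    '203.0.113.14 - - [03/Jun/2026:10:01:11 +0000] "GET / HTTP/1.1" 200 8890 "-"',  # no CacheWarmer cookie
])
```

Running scan_log(SAMPLE_LOG) flags lines 2 and 3 as php-object and line 4 as php-serialized; a php-object hit on an unpatched server is the trigger for the deeper forensic checks described below.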
The Imperva analysis said exploitation attempts were observed after disclosure, which means defenders should not assume the risk starts only after CISA’s catalog update. Public disclosure and active scanning often shrink the safe patching window for internet-facing commerce systems.
Mirasvit patch and next steps
The safest fix is to update to a patched version. The Mirasvit release notes list version 1.11.12 as the update that fixed the PHP object injection vulnerability in session cookie deserialization. Mirasvit also listed version 1.11.13 on May 27 for a related warning log cleanup.
Organizations should confirm the installed package version through Composer, Magento module status, and the admin panel if available. They should also check staging, development, and older production mirrors, since attackers often scan forgotten storefronts and test environments.
After patching, administrators should perform a short incident review. A vulnerable server that received suspicious CacheWarmer requests may need deeper forensic checks, especially if the site handles customer accounts, payment flows, marketplace integrations, or backend API credentials.
FAQ
What is CVE-2026-45247?
CVE-2026-45247 is a critical remote code execution vulnerability in Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12. It allows unauthenticated attackers to send a crafted CacheWarmer cookie that can trigger unsafe PHP deserialization.
Who is affected?
Stores using Mirasvit Full Page Cache Warmer for Magento 2 versions before 1.11.12 are affected. Administrators should also check whether the extension came bundled with another Mirasvit package.
Is the flaw being exploited?
Yes. CISA added CVE-2026-45247 to its Known Exploited Vulnerabilities catalog on June 3, 2026, and security researchers have reported active exploitation attempts against Magento and Adobe Commerce systems.
What should administrators do?
Administrators should update Mirasvit Full Page Cache Warmer to version 1.11.12 or later. If they cannot patch immediately, they should disable or remove the extension and inspect logs for suspicious CacheWarmer cookie values.