A critical security vulnerability in a widely used Magento extension is exposing thousands of online stores to remote code execution (RCE) attacks.
The vulnerability, tracked as CVE-2026-45247 and rated 9.8 on the CVSS scale, allows attackers to execute arbitrary code on affected servers without authentication.
Security researchers at Sansec have identified an unauthenticated PHP object injection vulnerability in the Mirasvit Cache Warmer plugin, a full-page cache extension for Magento and Adobe Commerce.
The vulnerability stems from improper handling of user-controlled input within the plugin’s caching mechanism. Specifically, any storefront request containing a specially crafted CacheWarmer cookie is processed by the application and passed directly into PHP’s native unserialize() function.
Because the plugin does not restrict which classes can be instantiated during deserialization, attackers can inject malicious serialized objects.
This behavior enables PHP object injection, classified under CWE-502, which can be escalated into full remote code execution when combined with existing gadget chains in Magento or its dependencies.
Magento Cache Plugin Vulnerability
The Mirasvit Cache Warmer plugin is designed to pre-generate cached pages for different user contexts such as currency or customer group.
To simulate these variations, it encodes session state data into a cookie and sends it with each request. On the server side, the plugin reads this cookie and reconstructs the session using unserialize().
However, this process occurs on every storefront request, not just internal cache warming operations. Since the cookie value originates from the client and is not validated or restricted, attackers can craft malicious payloads that manipulate object instantiation during deserialization.
All versions of Mirasvit Cache Warmer prior to 1.11.12 are vulnerable. The risk is amplified by the fact that the extension is often bundled with other Mirasvit packages, meaning many store owners may be unaware it is installed.
Sansec estimates that at least 6,000 Magento stores are running vulnerable Mirasvit components, though the actual number could be significantly higher due to CDN masking.
Sansec customers using its Shield protection were safeguarded as early as April 24, 2026, the same day the vulnerability was discovered. Mirasvit was notified on May 21 and released a patched version, 1.11.12, on May 25, demonstrating a rapid response.
Exploitation attempts leave a recognizable footprint in HTTP requests. Security teams should monitor for incoming requests containing a CacheWarmer cookie with suspicious serialized data patterns.
Indicators include cookie values beginning with “CacheWarmer:” followed by base64-encoded strings that typically start with Tz, Qz, or YT, which are common prefixes for serialized PHP objects.
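The indicator described above can be checked against logged Cookie headers, as in this added example, which is not code from Sansec or Mirasvit. It assumes Cookie headers are being logged; the cookie name `CacheWarmer`, the header layout and the sample values are constructed for illustration.

```python
import base64
import re
from urllib.parse import quote, unquote

# Indicator from the article: "CacheWarmer:" then base64 starting with Tz, Qz or YT.
MARKER = re.compile(r"CacheWarmer:((?:Tz|Qz|YT)[A-Za-z0-9+/]*={0,2})")
# The serialized-PHP type tags those base64 prefixes decode to.
KINDS = {b"O:": "object", b"C:": "custom-serialized object", b"a:": "array"}
CLASS_NAME = re.compile(rb'[OC]:\d+:"([^"]+)"')


def inspect_cookie_header(header):
    """Return a finding for a Cookie header matching the indicator, else None."""
    match = MARKER.search(unquote(header))  # logs often hold percent-encoded cookies
    if not match:
        return None
    blob = match.group(1)
    blob += "=" * (-len(blob) % 4)  # tolerate stripped base64 padding
    try:
        raw = base64.b64decode(blob)
    except ValueError:
        return {"kind": "undecodable", "classes": []}
    # Class names an object payload would ask PHP to instantiate: triage data.
    classes = sorted({c.decode("latin-1") for c in CLASS_NAME.findall(raw)})
    return {"kind": KINDS.get(raw[:2], "unknown"), "classes": classes}


def scan(headers):
    """Return (index, finding) for every header that matches the indicator."""
    found = ((i, inspect_cookie_header(h)) for i, h in enumerate(headers))
    return [(i, f) for i, f in found if f]


def _b64(data):
    return base64.b64encode(data).decode()


# Constructed, harmless sample headers (cookie name and layout are assumptions).
SAMPLES = [
    "PHPSESSID=abc123; CacheWarmer=CacheWarmer:" + _b64(b'O:8:"stdClass":0:{}'),
    "CacheWarmer=" + quote("CacheWarmer:" + _b64(b'a:1:{s:3:"cur";s:3:"USD";}'), safe=""),
    "CacheWarmer=CacheWarmer:" + _b64(b"currency=USD"),
    "PHPSESSID=def456; form_key=xyz",
]

if __name__ == "__main__":
    for index, finding in scan(SAMPLES):
        print(index, finding)
```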
Mitigations
Mirasvit strongly urges all users to upgrade to version 1.11.12 or later immediately. For environments where immediate patching is not feasible, deploying a web application firewall such as Sansec Shield can help block exploitation attempts in real time.
Additionally, administrators should perform compromise assessments using tools like eComscan to detect potential webshells or backdoors.
A thorough review of web-accessible directories, especially the pub/ folder, is also recommended to identify unauthorized PHP files that may indicate a successful attack.
Given the ease of exploitation and lack of authentication requirements, attackers can automate these attacks at scale.
With public disclosure now complete and patch details available, security experts warn that exploitation activity is likely to increase rapidly.
Organizations running Magento or Adobe Commerce should treat this vulnerability as an urgent priority to prevent potential breaches and data compromise.

