Securityaffairs

U.S. CISA adds Mirasvit Full Page Cache Warmer flaw to its Known Exploited Vulnerabilities catalog



Pierluigi Paganini
June 04, 2026

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Mirasvit Full Page Cache Warmer flaw to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Mirasvit Full Page Cache Warmer flaw, tracked as CVE-2026-45247 (CVSS v4.0 score of 9.3), to its Known Exploited Vulnerabilities (KEV) catalog.

The CVE-2026-45247 flaw is a critical PHP object injection vulnerability affecting Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12. The issue allows unauthenticated attackers to send a specially crafted serialized PHP object through the CacheWarmer cookie, which is processed by an unsafe call to PHP’s unserialize() function.

By leveraging gadget chains present in Magento and its dependencies, attackers can achieve remote code execution, potentially gaining full control of the affected server.

“Mirasvit Full Page Cache Warmer contains a deserialization of untrusted data vulnerability that could allow unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie,” CISA reports.

Sansec researchers found the flaw in Mirasvit Cache Warmer, which is a popular Magento full-page cache extension. The experts pointed out that a single crafted cookie on any storefront page can lead to remote code execution.

“Sansec discovered an unauthenticated PHP object injection vulnerability in Mirasvit Cache Warmer, a full-page cache extension for Magento and Adobe Commerce. Any storefront request carrying a crafted CacheWarmer cookie reaches PHP’s native unserialize() on attacker-controlled data, with no authentication, no admin session and no config toggle required. With a suitable gadget chain, this leads to remote code execution,” states Sansec.

The vulnerable component processes a client-controlled CacheWarmer cookie using PHP’s unsafe unserialize() function, allowing attackers to inject malicious objects and exploit gadget chains already present in Magento and its dependencies. The plugin runs on every storefront request, expanding the attack surface. Researchers estimate that thousands of Magento stores may be affected. Sansec warns that exploitation attempts can be identified by suspicious CacheWarmer cookie values containing base64-encoded serialized PHP objects.

“The attack leaves a clear request signature. Look for storefront requests that carry a CacheWarmer cookie whose value contains the marker CacheWarmer: followed by a base64 string. Serialized PHP objects base64-encode to values starting with Tz, Qz or YT, so a CacheWarmer cookie value matching CacheWarmer:(Tz|Qz|YT) is a strong indicator of an exploitation attempt,” concludes Sansec.
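The request signature quoted above can be turned into a log triage check; the following is an added example, not code from Sansec, Mirasvit or this article. It assumes an access log format in which the Cookie header is the last quoted field, and the "confirmed"/"suspect" verdicts and the PHP-serialization prefix check are assumptions added to cut false positives.

```python
import base64
import re
from urllib.parse import quote, unquote

# Signature quoted from Sansec on this page: "CacheWarmer:" then base64 starting Tz, Qz or YT.
SIGNATURE = re.compile(r"CacheWarmer:((?:Tz|Qz|YT)[A-Za-z0-9+/]*)")
COOKIE = re.compile(r"(?:^|;\s*)CacheWarmer=([^;]*)")
# Assumption (not from the page): a decoded payload starts like PHP serialize() output.
PHP_SERIALIZED = re.compile(rb'^(?:[OC]:\d+:"|a:\d+:\{)')


def inspect_cookie_header(header):
    """Return None when clean, 'confirmed' or 'suspect' when the signature matches."""
    cookie = COOKIE.search(header)
    if not cookie:
        return None
    value = cookie.group(1)
    for _ in range(3):  # cookies may be percent-encoded, sometimes twice
        value, previous = unquote(value), value
        if value == previous:
            break
    hit = SIGNATURE.search(value)
    if not hit:
        return None
    prefix = hit.group(1)[:16]
    prefix = prefix[: len(prefix) // 4 * 4]  # decode whole base64 quanta only
    head = base64.b64decode(prefix)
    return "confirmed" if PHP_SERIALIZED.match(head) else "suspect"


def scan(lines):
    """Return (line_number, verdict) pairs; the Cookie header is assumed to be the last quoted field."""
    findings = []
    for number, line in enumerate(lines, 1):
        parts = line.rsplit('"', 2)
        verdict = inspect_cookie_header(parts[1]) if len(parts) == 3 else None
        if verdict:
            findings.append((number, verdict))
    return findings


# Constructed sample data: a harmless empty stdClass stands in for a real payload.
BENIGN_OBJECT = base64.b64encode(b'O:8:"stdClass":0:{}').decode()
SAMPLE_LOG = [
    '203.0.113.5 "GET / HTTP/1.1" 200 "PHPSESSID=abc; CacheWarmer=warm"',
    f'203.0.113.9 "GET / HTTP/1.1" 200 "CacheWarmer=CacheWarmer:{BENIGN_OBJECT}"',
    '203.0.113.9 "GET /a HTTP/1.1" 200 "x=1; CacheWarmer=' + quote("CacheWarmer:" + BENIGN_OBJECT, safe="") + '"',
    '203.0.113.7 "GET /b HTTP/1.1" 200 "CacheWarmer=CacheWarmer:YTnotbase64!"',
]

if __name__ == "__main__":
    for number, verdict in scan(SAMPLE_LOG):
        print(f"line {number}: {verdict}")
```

Many default access log formats do not record request cookies, so this check only works where cookie logging (or WAF/proxy request capture) is enabled.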

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerability by June 6, 2026.
