Mirasvit Full Page Cache Warmer Remote Code Execution (CVE-2026-45247): Actively Exploited Magento Deserialization, Added to CISA KEV

A critical PHP object injection vulnerability in the Mirasvit Full Page Cache Warmer extension for Magento 2 / Adobe Commerce, tracked as CVE-2026-45247, allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. The vulnerability carries a CVSS score of 9.8, has been added to the CISA Known Exploited Vulnerabilities catalog with a federal agency remediation deadline of June 6, 2026, and is actively being exploited against Magento web shops.

What Is the Vulnerability?

CVE-2026-45247 is a PHP deserialization vulnerability in the Mirasvit Full Page Cache Warmer — a Magento 2 / Adobe Commerce extension used to pre-warm page caches for improved storefront performance. The vulnerability exists because the extension calls PHP’s native unserialize() function on user-supplied data from the CacheWarmer cookie without any validation or restrictions. An unauthenticated attacker can craft a serialized PHP object containing a gadget chain — a sequence of PHP objects from Magento’s codebase and its dependencies that, when deserialized, trigger arbitrary code execution.

PHP deserialization vulnerabilities are among the most dangerous web application vulnerability classes because: (1) they typically require no authentication — the payload is delivered in a cookie or POST parameter, (2) they can achieve remote code execution directly, and (3) Magento/Adobe Commerce codebases contain rich sets of classes that can be chained into effective deserialization gadgets. An attacker who successfully exploits this vulnerability gains the ability to execute arbitrary PHP code on the Magento server, leading to full site compromise — access to the Magento database including customer PII, payment information (if stored), order history, admin credentials, and the ability to modify the storefront, inject JavaScript skimmers, or redirect payments.

The vulnerability is classified under CWE-502 (Deserialization of Untrusted Data):

  • CVSS v3.1 Score: 9.8 (Critical)
  • Attack Vector: Network (AV:N)
  • Attack Complexity: Low (AC:L)
  • Privileges Required: None (PR:N)
  • User Interaction: None (UI:N)
  • CISA KEV: Added June 3, 2026 — federal agency deadline June 6, 2026

Which Versions Are Affected?

The vulnerability affects the Mirasvit Full Page Cache Warmer extension for Magento 2:

  • Mirasvit Full Page Cache Warmer (module-cache-warmer): all versions prior to 1.11.12

The fix was released in version 1.11.12. The extension is deployed on Magento 2 / Adobe Commerce platforms globally — Magento powers a significant portion of the world’s e-commerce storefronts, from small businesses to enterprise retailers.

Is It Being Exploited in the Wild?

Yes — confirmed active exploitation. Dutch security media reports that Magento web shops are currently under active attack via this vulnerability. The CISA KEV addition on June 3 confirms federal awareness of active exploitation. The vulnerability is trivially exploitable: an unauthenticated attacker sends an HTTP request with a crafted CacheWarmer cookie containing a serialized PHP object, and the server deserializes it without validation. No credentials, no user interaction, and no complex exploitation chain are required — a single HTTP request can achieve remote code execution. With Magento’s prominence in e-commerce and the high value of the data processed by these platforms (customer PII, payment information, order data), this vulnerability is a prime target for financially motivated attackers.

What Is the Fix?

Mirasvit has released version 1.11.12 of the Full Page Cache Warmer extension to address CVE-2026-45247. The official changelog is available at:

https://mirasvit.com/package/changelog/?package=mirasvit/module-cache-warmer

Magento administrators should update the extension immediately via Composer:

  • Run composer require mirasvit/module-cache-warmer:^1.11.12
  • Run bin/magento setup:upgrade
  • Clear the Magento cache: bin/magento cache:clean
  • If the extension cannot be updated immediately, disable it entirely: bin/magento module:disable Mirasvit_CacheWarmer

Recommendations

Update the Mirasvit Full Page Cache Warmer extension to 1.11.12 immediately. This is an actively exploited, unauthenticated remote code execution vulnerability with a CISA KEV deadline of June 6 — two days from now. Every Magento store running this extension must be patched today. If you cannot patch, disable the extension — an inactive extension cannot be exploited.

Audit your Magento store for signs of compromise. After patching, review the following: (1) Magento admin user list for unrecognised administrator accounts; (2) server access logs for requests containing unusually large or malformed CacheWarmer cookie values — these may indicate exploitation attempts; (3) Magento configuration for unexpected changes to payment methods, shipping settings, or store URLs; (4) the Magento database for injected JavaScript in CMS blocks, pages, or product descriptions — a common post-exploitation technique for credit card skimming (Magecart-style attacks); (5) recently modified files in the Magento codebase, particularly PHP files in writable directories.
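A defender-side check for item (2) above, added here as an example and not part of the original advisory or of the Mirasvit code: it walks each request's CacheWarmer cookie as PHP serialization and flags any value that declares an object (`O:` or `C:`), which a cache-warmer cookie has no reason to carry, as well as malformed or oversized values. It assumes the access log has the request Cookie header appended as its last field (not a default on Apache or nginx), and the sample lines, the benign cookie format and the size threshold are all constructed for the demonstration.

```python
import re
from urllib.parse import unquote

TOKEN_RE = re.compile(rb's:(\d+):"|N;|[bidrR]:[^;{}]*;|a:\d+:\{|[{}]')

def php_serialized_has_object(data: bytes) -> bool:
    """True if a PHP-serialized value declares an object (O:/C:) anywhere, or is malformed.
    String bodies are skipped by their declared byte length, so 'O:' inside one is ignored."""
    i, n = 0, len(data)
    while i < n:
        if data[i:i + 1] in (b'O', b'C'):       # object or custom-serialized object
            return True
        m = TOKEN_RE.match(data, i)              # any other well-formed token
        if not m:
            return True                          # unknown token: treat as malformed
        i = m.end() + (int(m.group(1)) + 2 if m.group(1) else 0)   # skip string body and '";'
    return False

# Constructed sample lines: combined log format with the request Cookie header appended as
# the last field (Apache %{Cookie}i / nginx $http_cookie), an assumed server config. The
# benign CacheWarmer value is a made-up serialized array; the second carries an object.
SAMPLE_LOG = [
    '203.0.113.10 - - [04/Jun/2026:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0" "CacheWarmer=a%3A1%3A%7Bs%3A3%3A%22url%22%3Bs%3A1%3A%22%2F%22%3B%7D"',
    '198.51.100.7 - - [04/Jun/2026:10:01:05 +0000] "GET /catalog HTTP/1.1" 200 7300 "-" '
    '"curl/8.0" "PHPSESSID=abc; CacheWarmer=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"',
]
LINE_RE = re.compile(r'^(?P<ip>\S+) .*"(?P<cookies>[^"]*)"$')
COOKIE_RE = re.compile(r'(?:^|;\s*)CacheWarmer=([^;]*)')
MAX_COOKIE_LEN = 512   # assumed size threshold; tune to the store's observed baseline

def scan_access_log(lines):
    """Return (ip, reason, decoded_cookie) for each request whose CacheWarmer cookie is suspect."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        c = COOKIE_RE.search(m.group('cookies')) if m else None
        if not c:
            continue
        value = unquote(c.group(1))
        if php_serialized_has_object(value.encode('utf-8', 'surrogateescape')):
            findings.append((m.group('ip'), 'object in CacheWarmer cookie', value))
        elif len(value) > MAX_COOKIE_LEN:
            findings.append((m.group('ip'), 'oversized CacheWarmer cookie', value))
    return findings
```

Run it over the real log with `scan_access_log(open(path))`; a hit only shows an attempt, so pair it with the file and database checks in items (4) and (5).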

Rotate all credentials after patching. If your store was running a vulnerable version for any period after the vulnerability became known, treat it as potentially compromised. Rotate: (1) all Magento admin user passwords, (2) database credentials, (3) Magento encryption key, (4) API keys and integration tokens, (5) payment gateway API credentials. The Magento encryption key rotation requires re-encoding stored encrypted values — follow Adobe’s documented procedure.

Review all installed Magento extensions. Use this vulnerability as an opportunity to audit all third-party extensions installed on your Magento store. Remove any extensions that are not actively used. For extensions that are needed, verify they are on current, vendor-supported versions. Third-party Magento extensions are a frequent source of vulnerabilities and should be tracked with the same rigour as core platform updates.

This advisory was first covered in the broader Vulnerability Intelligence Report — June 4, 2026. For a comprehensive view of all active threats and newly disclosed vulnerabilities, refer to the full report.