What is Mirasvit Full Page Cache Warmer?
Mirasvit Full Page Cache Warmer (mirasvit/module-cache-warmer) is a commercial Magento 2 and Adobe Commerce extension that proactively pre-warms the full-page cache by crawling store URLs before real visitors arrive. Rather than letting shoppers bear the cost of first page generation, the warmer issues background requests so pages are served from cache, improving storefront performance.
To support currency and customer session switching during warming, the extension reads a CacheWarmer cookie on every storefront request — not just crawler traffic. This design choice, applied to unauthenticated visitor requests, is the root of the vulnerability. Magento and Adobe Commerce stores are high-value targets because they process payment card data and customer PII. The extension ships bundled inside several other Mirasvit product packages, meaning merchants may be running it without having explicitly installed it.
Overview
CVE-2026-45247 is an unauthenticated remote code execution vulnerability caused by unsafe PHP deserialization of the CacheWarmer HTTP cookie. A single HTTP request with a crafted cookie value is sufficient to achieve full server compromise — no credentials, no admin session, and no user interaction required. CVSS 3.1 scores it 9.8 Critical.
Active exploitation was confirmed in the wild by Imperva following Sansec's public disclosure on May 26, 2026. CISA added the CVE to the Known Exploited Vulnerabilities catalog on June 3, 2026, with a three-day remediation deadline — among the shortest deadlines issued, reflecting confirmed exploitation.
Affected Versions
| Component | Vulnerable | Fixed |
|---|---|---|
| mirasvit/module-cache-warmer | < 1.11.12 | 1.11.12 (May 25, 2026) |
The 1.11.12 changelog entry reads: "Fixed PHP Object Injection vulnerability in session cookie deserialization." A subsequent 1.11.13 release (May 27, 2026) addressed unrelated log warning issues with no additional security content.
Technical Details
On every storefront page load, a Mirasvit plugin intercepts the request and reads the CacheWarmer cookie value, passing it directly to PHP's native unserialize() function to restore currency and session state for the warming logic. The call provides no allowed_classes option, so PHP will instantiate any class available in the application's autoloader — the full Magento dependency tree.
This is a textbook CWE-502 (Deserialization of Untrusted Data) flaw. Because the code path fires on every request with no authentication gate, the attack surface is the entire public internet. No configuration toggle disables it.
Attack characteristics:
- Authentication required: None
- Complexity: Low — single HTTP GET or POST with a malicious cookie
- Gadget chains: Imperva observed exploitation using Monolog logging library classes present in Magento's dependency tree (`Monolog\Handler\SyslogUdpHandler`, `BufferHandler`, `FingersCrossedHandler`, `GroupHandler`) to reach `system()` and `current()` calls
- Detection indicator: `CacheWarmer` cookie values matching the regex `CacheWarmer:(Tz|Qz|YT)` — base64 prefixes corresponding to serialized PHP objects and arrays (`O:`, `C:`, `a:`)
Discovery
The vulnerability was discovered by the Sansec Forensics Team on April 24, 2026. Sansec notified Mirasvit on May 21, 2026, and coordinated a 4-day disclosure window leading to the May 25 patch. The public advisory was released on May 26, 2026, the same day the CVE was assigned. No working PoC exploit code has been published; Sansec and other reporters intentionally withheld it given active post-disclosure exploitation.
Exploitation Context
Active exploitation was confirmed by Imperva following the May 26 public disclosure. Observed payloads were consistent with opportunistic exploitation: test commands such as `echo PWNED_CVE2026_$(date +%s)` and `sleep 5` (blind RCE fingerprinting), followed by post-exploitation activity in confirmed compromises.
Sansec's scanning infrastructure identified approximately 6,000 Magento stores running Mirasvit extensions, with the true exposed population likely higher due to CDN masking — Cloudflare and similar services hide many installs from external fingerprinting. No specific Shodan count was published. Targeted verticals included e-commerce and gaming operators in the US, UK, France, and Australia.
No ransomware group or named threat actor has been attributed to the exploitation campaign. CISA's 3-day remediation deadline (June 3 to June 6) is consistent with treating this as a high-urgency actively exploited vulnerability.
Remediation
- Update immediately: Upgrade `mirasvit/module-cache-warmer` to version 1.11.12 or later via Composer: `composer update mirasvit/module-cache-warmer`
- Verify the installed version: Run `composer show mirasvit/module-cache-warmer | grep versions` and confirm the output is 1.11.12+
- WAF mitigation: Deploy a WAF rule blocking `CacheWarmer` cookie values matching base64-encoded serialized PHP object patterns (`Tz`, `Qz`, `YT` prefixes) as an interim control if patching is delayed
- Incident review: Inspect web server access logs for requests containing `CacheWarmer` cookies with base64-encoded values; cross-reference against Imperva's Monolog gadget chain signatures
- Check bundled installs: Audit all installed Mirasvit packages — the Cache Warmer module may be present as a dependency of another Mirasvit product even if not explicitly required
- Network isolation: If patching cannot be applied immediately, consider blocking external access to the storefront or requiring authenticated sessions as a stopgap; weigh this against business impact
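As an added example (not Sansec's, Imperva's or Mirasvit's code), the following Python triages access-log lines for the detection indicator given under Technical Details and for the incident-review step above: it extracts the `CacheWarmer` cookie, checks the advisory's base64 prefixes, and decodes the value so that object payloads (`O:`/`C:`, the high-confidence signal) are separated from array-only state. It assumes a log format that records the Cookie header as the last quoted field; the sample lines and cookie contents are constructed, and the object sample is an inert `stdClass`, not an exploit payload.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Base64 of the advisory's markers: "O:" -> "Tz" (object), "C:" -> "Qz" (custom object), "a:" -> "YT" (array).
SUSPECT_PREFIX = re.compile(r"^(Tz|Qz|YT)")
# An object marker anywhere in the decoded payload is the high-confidence signal.
OBJECT_MARKER = re.compile(rb'(?:^|[;{])[OC]:\d+:"')
COOKIE_VALUE = re.compile(r"(?:^|;\s*)CacheWarmer=([^;]*)")

def decode_b64(value):
    """Tolerant base64 decode (urlsafe alphabet, missing padding); b'' on failure."""
    value = value.replace("-", "+").replace("_", "/") + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(value)
    except (binascii.Error, ValueError):
        return b""

def classify(cookie_header):
    """'absent', 'object' (treat as exploit attempt), 'array-only' (lower confidence) or 'not-serialized'."""
    match = COOKIE_VALUE.search(cookie_header)
    if not match:
        return "absent"
    value = unquote(match.group(1))  # '=' padding is often sent URL-encoded as %3D
    decoded = decode_b64(value)
    if OBJECT_MARKER.search(decoded):
        return "object"
    if SUSPECT_PREFIX.match(value) and decoded.startswith(b"a:"):
        return "array-only"
    return "not-serialized"

def scan_log(lines):
    """Return (client_ip, verdict) pairs for lines whose Cookie field carries serialized PHP data."""
    hits = []
    for line in lines:
        quoted = re.findall(r'"([^"]*)"', line)  # Cookie header is the last quoted field
        verdict = classify(quoted[-1]) if quoted else "absent"
        if verdict in ("object", "array-only"):
            hits.append((line.split(" ", 1)[0], verdict))
    return hits

# Constructed samples, not real traffic: illustrative array state and an inert stdClass object (not an exploit payload).
BENIGN_COOKIE = base64.b64encode(b'a:1:{s:8:"currency";s:3:"USD";}').decode()
OBJECT_COOKIE = base64.b64encode(b'O:8:"stdClass":0:{}').decode()
SAMPLE_LOG = [
    '203.0.113.10 - - [27/May/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "CacheWarmer=%s"' % BENIGN_COOKIE,
    '198.51.100.7 - - [27/May/2026:10:00:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "curl/8.0" "CacheWarmer=%s"' % OBJECT_COOKIE,
    '192.0.2.5 - - [27/May/2026:10:00:03 +0000] "GET /catalog HTTP/1.1" 200 9000 "-" "Mozilla/5.0" "PHPSESSID=abc"',
]
```

Array-only hits deserve a look but may be the extension's own state; an `object` verdict on a public storefront request is the one to escalate.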
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2026-45247 |
| Vendor / Product | Mirasvit — Mirasvit Full Page Cache Warmer |
| NVD Published | 2026-05-26 |
| NVD Last Modified | 2026-06-03 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-502 |
| CISA KEV Added | 2026-06-03 |
| CISA KEV Deadline | 2026-06-06 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2026-04-24 | Sansec discovers vulnerability in Mirasvit Full Page Cache Warmer |
| 2026-05-21 | Sansec notifies Mirasvit of the vulnerability |
| 2026-05-25 | Mirasvit releases patched version 1.11.12 |
| 2026-05-26 | CVE assigned; Sansec publishes public advisory |
| 2026-06-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2026-06-06 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Sansec Research — Mirasvit Cache Warmer PHP Object Injection | Security Research |
| Mirasvit Full Page Cache Warmer Changelog (vendor advisory) | Vendor Advisory |
| Imperva — Active Exploitation Details and WAF Signatures | Security Research |
| VulnCheck Advisory — Mirasvit Cache Warmer PHP Object Injection | Vulnerability Database |
| GitHub Advisory GHSA-rg8p-9rpg-r32p | Vulnerability Database |
| NVD — CVE-2026-45247 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| GBHackers — Magento Cache Plugin Vulnerability | News |
| CyberSecurityNews — Magento Cache Plugin Vulnerability | News |