Critical Vulnerability in Magento Cache Plugin Enables Remote Code Execution
A severe security flaw has been identified in Mirasvit Cache Warmer, a widely used caching extension for Magento and Adobe Commerce. The vulnerability, tracked as CVE-2026-45247, allows unauthenticated attackers to execute arbitrary code on the web server, putting thousands of online stores at risk.
Understanding the Vulnerability
The Mirasvit Cache Warmer is designed to enhance website performance by preloading cached versions of store pages tailored to various visitor profiles, such as different currencies and customer groups. To achieve this, the extension encodes session details into a cookie, which is then sent with each crawl request. On the server side, the plugin reads this cookie and adjusts the session accordingly before rendering the page.
The critical issue arises from the plugin’s handling of these cookies. It base64-decodes part of the cookie value and passes the result straight to PHP’s native `unserialize()`, with no `allowed_classes` restriction and no check that the cookie was minted by the store’s own crawler. Because `unserialize()` instantiates whatever class the payload names and runs that class’s magic methods (`__wakeup()`, `__destruct()`), an attacker can craft a cookie that injects arbitrary PHP objects into the request: PHP Object Injection, CWE-502 (Deserialization of Untrusted Data).
When combined with a gadget chain—a series of classes already present within Magento and its dependencies—this object injection can escalate into Remote Code Execution (RCE). Notably, this attack vector affects every storefront request, not just internal cache-warming traffic, making any public-facing Magento store a potential target.
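To make the flaw concrete, here is an added illustration (not Mirasvit’s code, and not taken from the advisory) of a cookie handler in the shape described above: a `CacheWarmer:` prefix followed by base64 of a serialized profile. The vulnerable form hands the decoded bytes to `unserialize()`; the hardened form carries the profile as JSON, which never instantiates classes, and binds it to a server-side secret with an HMAC so that only the store’s own crawler can mint it. All function and class names, the secret, and the demo payload are assumptions for the example.

```php
<?php
// Added illustration, not Mirasvit's code: a cookie handler in the shape the
// advisory describes, shown in a vulnerable and a hardened form.
// Function names, the secret and the payload below are assumptions.

declare(strict_types=1);

const COOKIE_PREFIX = 'CacheWarmer:';

// Vulnerable shape: whatever follows the prefix is base64-decoded and handed
// straight to unserialize(). Any autoloadable class can be instantiated and
// its __wakeup()/__destruct() methods will run on the attacker's data.
function applyProfileVulnerable(string $cookie): ?array
{
    if (strncmp($cookie, COOKIE_PREFIX, strlen(COOKIE_PREFIX)) !== 0) {
        return null;
    }
    $raw = base64_decode(substr($cookie, strlen(COOKIE_PREFIX)), true);
    if ($raw === false) {
        return null;
    }
    $profile = unserialize($raw);            // CWE-502: no allowed_classes restriction
    return is_array($profile) ? $profile : null;
}

// Hardened shape: JSON instead of PHP serialization (no object instantiation),
// plus an HMAC over the payload so a forged cookie is rejected before decoding.
function mintProfileCookie(array $profile, string $secret): string
{
    $payload = base64_encode(json_encode($profile, JSON_THROW_ON_ERROR));
    $mac = hash_hmac('sha256', $payload, $secret);
    return COOKIE_PREFIX . $payload . '.' . $mac;
}

function applyProfileHardened(string $cookie, string $secret): ?array
{
    if (strncmp($cookie, COOKIE_PREFIX, strlen(COOKIE_PREFIX)) !== 0) {
        return null;
    }
    $parts = explode('.', substr($cookie, strlen(COOKIE_PREFIX)), 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    // Constant-time comparison; anything not minted with our secret is dropped.
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        return null;
    }
    $raw = base64_decode($payload, true);
    if ($raw === false) {
        return null;
    }
    // json_decode never instantiates classes. If the serialized format had to
    // stay, unserialize($raw, ['allowed_classes' => false]) would be the
    // minimal fix: objects then arrive as __PHP_Incomplete_Class, not gadgets.
    $profile = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    return is_array($profile) ? $profile : null;
}

// Demo. The secret is a placeholder; SomeGadget is a made-up class name standing
// in for a real gadget class that exists in the application's autoload path.
$secret = 'replace-with-a-per-store-random-secret';
$good = mintProfileCookie(['currency' => 'EUR', 'group' => 1], $secret);
var_dump(applyProfileHardened($good, $secret));    // array(2) { currency, group }

$attack = COOKIE_PREFIX . base64_encode('O:10:"SomeGadget":1:{s:3:"cmd";s:2:"id";}');
var_dump(applyProfileHardened($attack, $secret));  // NULL: no valid MAC, rejected
// applyProfileVulnerable($attack) would instead call unserialize() on that
// string and instantiate SomeGadget (or __PHP_Incomplete_Class if absent).
```

The important design choice is that the hardened handler rejects the cookie before any decoding happens; adding `allowed_classes` alone would stop object instantiation but still let an unauthenticated visitor drive the session-switching logic with arbitrary values.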
Scope of the Threat
All versions of Mirasvit Cache Warmer prior to 1.11.12 are vulnerable. The extension is also bundled within several other Mirasvit packages, meaning many merchants may be running it unknowingly. Security firm Sansec’s scans identified approximately 6,000 stores operating Mirasvit extensions, though the actual number is likely higher due to the masking effects of Content Delivery Networks (CDNs) like Cloudflare.
Indicators of Compromise
The exploit leaves a recognizable pattern in web logs. Security teams should monitor for storefront requests carrying a `CacheWarmer` cookie whose value begins with `CacheWarmer:` followed by a base64-encoded string. Serialized PHP data begins with `O:` (object), `C:` (class with a custom serializer) or `a:` (array), which base64-encode to strings starting with `Tz`, `Qz` or `YT`, so the pattern `CacheWarmer:(Tz|Qz|YT)` is a strong indicator of an exploitation attempt. Note that log formats and proxies often URL-encode cookie values, so match `CacheWarmer%3A` as well as the literal colon, and that stock Apache and Nginx access-log formats do not record the `Cookie` header unless configured to (for example `%{Cookie}i` in an Apache `LogFormat`, or `$http_cookie` in Nginx).
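The following added example (not part of the original article or Sansec’s tooling) applies that indicator to access-log lines. The log format is an assumption: a combined-style line with an extra quoted `cookie=...` field, which is what you get after adding the `Cookie` header to the log format. The sample lines are constructed; the `Tzo4...` payload is the base64 of `O:8:"stdClass":0:{}`, a harmless serialized object used only to exercise the matcher.

```php
<?php
// Added example, not from the article or from Sansec: scan access-log lines for
// the CacheWarmer object-injection indicator. Log format and sample lines are
// constructed for the example.

declare(strict_types=1);

// Why the Tz|Qz|YT prefixes work: base64 of the first two bytes of a serialized
// PHP object ("O:"), class with a custom serializer ("C:") and array ("a:").
function serializedPrefixes(): array
{
    return [
        'object' => substr(base64_encode('O:'), 0, 2),  // "Tz"
        'class'  => substr(base64_encode('C:'), 0, 2),  // "Qz"
        'array'  => substr(base64_encode('a:'), 0, 2),  // "YT"
    ];
}

// Match the literal cookie and its URL-encoded form (":" as %3A, "=" as %3D).
// Returns null for a clean line, otherwise the kind of serialized value and the
// start of the decoded payload so an analyst can see what was actually sent.
function inspectLine(string $line): ?array
{
    if (!preg_match('/CacheWarmer=CacheWarmer(?::|%3A)([A-Za-z0-9+\/=%]+)/', $line, $m)) {
        return null;
    }
    $b64 = urldecode($m[1]);
    $kind = null;
    foreach (serializedPrefixes() as $name => $prefix) {
        if (strncmp($b64, $prefix, 2) === 0) {
            $kind = $name;
        }
    }
    if ($kind === null) {
        return null;
    }
    $decoded = base64_decode($b64, true);
    return [
        'kind'    => $kind,
        'payload' => $decoded === false ? '(invalid base64)' : substr($decoded, 0, 60),
    ];
}

// Constructed sample lines: a benign JSON-style cookie, an object payload, the
// same payload URL-encoded, and a request without the cookie at all.
$sample = [
    '203.0.113.5 - - [25/May/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "cookie=CacheWarmer=CacheWarmer:eyJjdXJyZW5jeSI6IkVVUiJ9"',
    '203.0.113.9 - - [25/May/2026:10:00:02 +0000] "GET /catalog HTTP/1.1" 200 5120 "cookie=CacheWarmer=CacheWarmer:Tzo4OiJzdGRDbGFzcyI6MDp7fQ=="',
    '198.51.100.7 - - [25/May/2026:10:00:03 +0000] "GET / HTTP/1.1" 200 5120 "cookie=CacheWarmer=CacheWarmer%3ATzo4OiJzdGRDbGFzcyI6MDp7fQ%3D%3D"',
    '198.51.100.8 - - [25/May/2026:10:00:04 +0000] "GET / HTTP/1.1" 200 5120 "cookie=PHPSESSID=abc123"',
];

foreach ($sample as $i => $line) {
    $hit = inspectLine($line);
    echo $i + 1, ': ', $hit === null ? 'clean' : "{$hit['kind']} -> {$hit['payload']}", PHP_EOL;
}
// Lines 2 and 3 report: object -> O:8:"stdClass":0:{}
```

Object hits (`Tz`) are the ones that warrant immediate triage. Whether `YT` shows up in legitimate traffic depends on how your installed version encodes the crawler’s profile, so baseline a day of logs before turning the array match into a paging alert.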
Mitigation Measures
Mirasvit promptly addressed the vulnerability by releasing version 1.11.12 on May 25, 2026. Store owners are urged to take the following actions immediately:
– Update the Plugin: Upgrade Mirasvit Cache Warmer to version 1.11.12 or later to patch the vulnerability.
– Implement Security Measures: Deploy a web application firewall capable of blocking serialization-based exploit attempts to prevent unauthorized access.
– Conduct Security Audits: Scan for webshells, backdoors, or unexpected PHP files in the `pub/` directory and other web-accessible locations to identify potential compromises.
– Review Installed Packages: Verify whether Cache Warmer is bundled within other Mirasvit modules on your store, checking both Composer-installed packages under `vendor/mirasvit` and any copies under `app/code/Mirasvit`, to ensure every instance is updated.
Sansec’s Shield customers have been protected from this vulnerability since April 24, 2026, the same day the flaw was discovered. The CVE was formally assigned on May 26, 2026.
Conclusion
Given that exploitation requires no authentication and can be fully automated, unpatched stores are at serious risk of full server compromise. Immediate action is essential to safeguard your e-commerce platform and protect customer data.
Category: Security News