Critical Remote Code Execution Flaw in Magento’s Mirasvit Extension Puts E-commerce Sites at Risk

Critical Remote Code Execution Vulnerability in Magento’s Mirasvit Cache Warmer Extension Exploited

A critical security vulnerability, identified as CVE-2026-45247, has been discovered in the Mirasvit Full Page Cache Warmer extension for Magento and Adobe Commerce platforms. This flaw, rated with a CVSS score of 9.8, allows unauthenticated attackers to execute arbitrary PHP code on affected servers, posing a significant threat to e-commerce websites worldwide.

Understanding the Vulnerability

The vulnerability arises from the extension’s handling of serialized PHP objects within the `CacheWarmer` cookie. Specifically, the extension deserializes data from this cookie without proper validation, enabling attackers to inject malicious payloads. When processed, these payloads can lead to remote code execution, granting attackers full control over the compromised server. Notably, this exploitation does not require authentication, making it particularly dangerous for publicly accessible Magento stores.

Mechanism of the Attack

Mirasvit’s Cache Warmer extension is designed to pre-load Magento’s full-page cache, enhancing website performance by simulating various user states, such as different currencies or customer groups. To achieve this, the extension embeds session state information into the `CacheWarmer` cookie, which is then sent with each crawl request. On the server side, the extension reads this cookie and adjusts the session accordingly before rendering the page.

The critical flaw lies in the extension’s use of PHP’s native `unserialize()` function to process the cookie’s content without restricting the types of objects that can be instantiated. This oversight allows attackers to craft malicious serialized objects that, when deserialized by the server, can trigger a chain of events leading to remote code execution. Given that this process occurs on every storefront request, the attack vector is both broad and easily exploitable.
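To make the pattern concrete, here is an added illustration (not Mirasvit's code) of state carried in a cookie and restored with `unserialize()`, shown in its unrestricted form beside a hardened version; the function names, state keys and value formats are assumed for the example.

```php
<?php
// Added example, not Mirasvit's code. Function names, cookie keys and
// value formats are assumptions chosen to illustrate the bug class.
declare(strict_types=1);

// Unrestricted pattern: whatever class the cookie names gets instantiated,
// so that class's magic methods (__wakeup, __destruct, ...) run on
// attacker-controlled data before any validation happens.
function restoreStateUnrestricted(string $cookie): mixed
{
    return unserialize($cookie);
}

// Hardened pattern: refuse objects outright, then validate the shape of
// what remains before it is allowed to influence the session.
function restoreStateHardened(string $cookie): ?array
{
    // allowed_classes => false makes unserialize() yield a
    // __PHP_Incomplete_Class placeholder instead of instantiating anything.
    $state = @unserialize($cookie, ['allowed_classes' => false]);
    if (!is_array($state)) {
        return null; // objects, scalars and malformed input are all rejected
    }

    // Allow-list of keys the warmer legitimately needs, each with a strict
    // format, so nothing else from the cookie reaches the session.
    $allowed = [
        'currency'       => '/^[A-Z]{3}$/',
        'customer_group' => '/^\d{1,5}$/',
    ];
    $clean = [];
    foreach ($allowed as $key => $pattern) {
        if (isset($state[$key]) && is_scalar($state[$key])
            && preg_match($pattern, (string) $state[$key]) === 1) {
            $clean[$key] = (string) $state[$key];
        }
    }
    return $clean;
}

// Constructed inputs: a benign warmer state and a cookie carrying an object.
$benign = serialize(['currency' => 'EUR', 'customer_group' => '2']);
$object = 'O:8:"stdClass":0:{}';

var_dump(restoreStateHardened($benign)); // array with both keys
var_dump(restoreStateHardened($object)); // NULL: object rejected
```

Safer still is not to put PHP-serialized values in a cookie at all; a JSON document or a server-signed token carries the same currency and customer-group hints without ever invoking a PHP deserializer on client input.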

Scope of Impact

All versions of the Mirasvit Full Page Cache Warmer extension prior to 1.11.12 are vulnerable. Security researchers have identified approximately 6,000 online stores running Mirasvit extensions, though the actual number may be higher because content delivery networks (CDNs) can obscure detection. The widespread use of this extension amplifies the potential impact of the vulnerability, making it imperative for affected organizations to take immediate action.

Official Response and Mitigation

Mirasvit addressed this critical issue by releasing version 1.11.12 of the Cache Warmer extension on May 25, 2026. This update includes patches that rectify the insecure deserialization process, effectively mitigating the vulnerability. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-45247 to its Known Exploited Vulnerabilities (KEV) catalog on June 3, 2026, following reports of active exploitation. CISA has mandated that federal agencies remediate this vulnerability by June 6, 2026, under Binding Operational Directive (BOD) 22-01.

Recommendations for Affected Organizations

Organizations utilizing the Mirasvit Full Page Cache Warmer extension should take the following steps to secure their systems:

1. Immediate Update: Upgrade to version 1.11.12 or later of the Mirasvit Cache Warmer extension to apply the necessary security patches.

2. Disable or Remove Vulnerable Components: If updating is not feasible, consider disabling or removing the affected extension to eliminate the risk.

3. Implement Web Application Firewalls (WAFs): Deploy WAF rules to inspect and block malicious serialized input, providing an additional layer of defense against exploitation attempts.

4. Monitor Application Logs: Regularly review logs for anomalies, such as unexpected web server processes, unauthorized file creation within Magento directories, or outbound connections to unknown IP addresses, which may indicate compromise.

5. Restrict Access to Sensitive Endpoints: Limit access to critical parts of the application to trusted users and systems, reducing the attack surface.

Broader Implications

This incident underscores the persistent risks associated with insecure deserialization vulnerabilities in web applications. Attackers are increasingly automating the exploitation of newly disclosed flaws, emphasizing the need for timely patching and proactive monitoring. Magento administrators should regularly review third-party extensions to ensure they adhere to secure coding practices and do not introduce vulnerabilities into otherwise secure systems.

By staying vigilant and implementing robust security measures, organizations can protect their e-commerce platforms from such critical threats and maintain the trust of their customers.