Critical RCE Vulnerability Discovered in Mirasvit Cache Warmer for Magento
A high-severity security flaw has been identified in a widely utilized Magento extension, leaving thousands of e-commerce platforms exposed to unauthenticated Remote Code Execution (RCE). The vulnerability, tracked as CVE-2026-45247, carries a critical CVSS score of 9.8, reflecting the ease with which an attacker can gain full control over an affected server.
The core of the issue lies in how the plugin manages user-supplied input within its caching logic. Specifically, the application processes a specialized CacheWarmer cookie sent via storefront requests. This cookie data is passed directly into PHP’s native unserialize() function without sufficient validation or sanitization.
Because the plugin fails to implement a strict allow-list of classes that can be instantiated during the deserialization process, it falls victim to PHP Object Injection (categorized under CWE-502). When an attacker injects a malicious serialized object, they can leverage existing “gadget chains” within the Magento framework or its loaded dependencies to escalate the injection into full RCE.
Technical Breakdown: The Mechanics of the Flaw
The Mirasvit Cache Warmer extension is designed to optimize performance by pre-generating cached pages for various user contexts, such as specific currency settings or customer groups. To simulate these variations, the plugin encodes the necessary session state into a cookie. When a request hits the server, the plugin reads this cookie and reconstructs the session state using unserialize().
The technical oversight is that this reconstruction process is triggered on every single storefront request, rather than being restricted to internal, trusted cache-warming operations. Since the CacheWarmer cookie is client-controlled, an attacker can bypass all authentication barriers by providing a crafted payload. This allows them to manipulate the application’s logic at the moment of object instantiation.
All versions of Mirasvit Cache Warmer prior to 1.11.12 are confirmed to be vulnerable. The risk is compounded by the fact that this extension is frequently bundled within larger Mirasvit product suites, meaning many merchants may not even realize the vulnerable code is active on their systems.
According to research conducted by Sansec, at least 6,000 Magento stores are currently running vulnerable components. However, the true scale of the exposure may be much higher, as many attackers use CDNs to mask the origin of their malicious requests.
Detection and Indicators of Compromise (IoC)
While the attack is devastating, it leaves a distinct footprint in HTTP traffic. Security operations teams should proactively monitor web server logs for suspicious CacheWarmer cookie values.
Attackers typically use base64-encoded strings within the cookie. Look for patterns where the cookie begins with CacheWarmer: followed by encoded data that starts with common PHP serialization prefixes such as Tz, Qz, or YT. These prefixes are tell-tale signs of serialized objects being passed through the header.
Remediation and Mitigation Strategies
The primary recommendation is immediate: Upgrade the Mirasvit Cache Warmer extension to version 1.11.12 or later.
For organizations unable to patch immediately, the following defensive layers are recommended:
- WAF Deployment: Utilize a Web Application Firewall (such as Sansec Shield) capable of inspecting cookie payloads and blocking known PHP object injection patterns in real-time.
- Compromise Assessment: If you suspect an attempted or successful breach, use specialized tools like eComscan to scan for webshells, backdoors, or unauthorized file modifications.
- Directory Auditing: Conduct a manual and automated review of web-accessible directories—specifically the
/pub/folder—to identify any rogue.phpfiles that do not belong to the standard Magento installation.
Given that this vulnerability requires no authentication and can be easily automated via scripts, the window for exploitation is widening. Magento and Adobe Commerce administrators should treat this as an urgent priority to safeguard customer data and server integrity.