A significant security vulnerability has been identified in a widely used Magento extension, posing a serious risk to numerous online stores. The vulnerability, designated CVE-2026-45247, is rated 9.8 on the Common Vulnerability Scoring System (CVSS) scale. It allows attackers to perform remote code execution (RCE) on affected servers without any form of authentication.
The root cause of this vulnerability has been traced back to the improper handling of user-controlled input within the caching mechanism of the plugin. Specifically, when a storefront request includes a specially crafted CacheWarmer cookie, the application processes this input and forwards it directly to PHP’s native unserialize() function. Since the plugin does not impose restrictions on which classes can be instantiated during the deserialization process, it leaves the door open for attackers to inject malicious serialized objects into the system.
Security researchers from Sansec have classified this issue as an unauthenticated PHP object injection vulnerability in the Mirasvit Cache Warmer plugin, known for its full-page caching capabilities for Magento and Adobe Commerce. The vulnerability falls under the Common Weakness Enumeration category CWE-502 and can be escalated to full remote code execution because gadget chains already exist within Magento and its dependent libraries.
The Mirasvit Cache Warmer plugin serves a vital function by pre-generating cached pages tailored for various user contexts, such as currency settings or customer groups. To simulate these varied user experiences, the plugin encodes session state data into a cookie sent along with each request. On the server side, the plugin processes this cookie and reconstructs the session using the unserialize() function. However, this deserialization process occurs for every storefront request, not limited solely to internal cache warming activities. As a result, cookies originating from clients, which are not adequately validated or restricted, can be exploited by attackers to deliver harmful payloads that influence object instantiation during deserialization.
The vulnerability affects all versions of the Mirasvit Cache Warmer plugin prior to version 1.11.12. The risk is exacerbated because the plugin tends to be bundled with other Mirasvit software packages. Consequently, many store owners may remain unaware that the extension is installed on their systems. Sansec estimates that at least 6,000 Magento stores are operating with vulnerable Mirasvit components; however, the actual number may be significantly higher, potentially masked by Content Delivery Network (CDN) configurations.
Sansec began protecting customers through its Shield service as early as April 24, 2026. The vulnerability was formally reported to Mirasvit on May 21, and a patched version was released just four days later, underscoring the company’s rapid response to this critical issue.
Security teams must remain vigilant, as exploitation attempts manifest distinctly in HTTP requests. They should monitor incoming requests for CacheWarmer cookies containing anomalous serialized data patterns. Specific indicators to look out for include cookie values that commence with “CacheWarmer:” followed by Base64-encoded strings that typically start with prefixes such as Tz, Qz, or YT, which are commonly associated with serialized PHP objects.
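The indicators above can be checked mechanically against logged Cookie headers. The following Python is an added example, not code from Sansec or Mirasvit: the function names and the cookie layout in the sample headers are assumptions, and the sample values are constructed and inert. It goes one step beyond the prefix check by decoding the Base64 and confirming that the bytes parse as a PHP serialize() header.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote

# Indicator from the article: "CacheWarmer:" followed by Base64 text.
MARKER = re.compile(r"CacheWarmer:([A-Za-z0-9+/]+={0,2})")
# Base64 prefixes named in the article and the PHP serialize() token each encodes.
PREFIXES = {"Tz": "O:", "Qz": "C:", "YT": "a:"}
# Header of a serialized PHP object (captures the class name) or array.
PHP_HEADER = re.compile(rb'^(?:[OC]:\d+:"([^"]+)":\d+:|a:\d+:\{)')


def inspect_cookie_header(cookie_header):
    """Return one finding per suspicious CacheWarmer value in a raw Cookie header."""
    findings = []
    # Cookie values are often percent-encoded, so decode before matching.
    for match in MARKER.finditer(unquote(cookie_header)):
        blob = match.group(1)
        token = PREFIXES.get(blob[:2])
        if token is None:
            continue  # Base64 prefix is not one of the listed indicators
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
        except (binascii.Error, ValueError):
            raw = b""
        header = PHP_HEADER.match(raw)
        cls = header.group(1) if header else None
        findings.append({
            "token": token,
            "confirmed": header is not None,  # decoded bytes parse as a serialize() header
            "class": cls.decode(errors="replace") if cls else None,
        })
    return findings


def sample_header(serialized, url_encode=False):
    """Build a constructed Cookie header; the cookie layout is an assumption."""
    value = "CacheWarmer:" + base64.b64encode(serialized).decode()
    return "PHPSESSID=abc123; CacheWarmer=" + (quote(value, safe="") if url_encode else value)


if __name__ == "__main__":
    # Constructed, inert sample values (no gadget chain).
    for hdr in (sample_header(b'O:8:"stdClass":0:{}'),
                sample_header(b'a:1:{s:8:"currency";s:3:"EUR";}', url_encode=True),
                "PHPSESSID=abc123; store=default"):
        print(hdr, "->", inspect_cookie_header(hdr))
```

A finding with `confirmed` set to False means the prefix matched but the decoded bytes are not a serialize() header, which helps separate coincidental prefix hits from real serialized input during triage.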
To mitigate risks arising from this vulnerability, Mirasvit has strongly recommended that all users upgrade to version 1.11.12 or a later iteration without delay. In scenarios where prompt patching is infeasible, deploying a Web Application Firewall (WAF) such as Sansec Shield can be an effective defense against exploitation attempts in real time. Furthermore, administrators are encouraged to conduct thorough compromise assessments utilizing tools like eComscan to uncover potential web shells or backdoors.
A meticulous examination of publicly accessible directories, especially within the pub/ folder, is advisable to identify unauthorized PHP files that might signal a successful attack. Given the straightforward nature of this exploit and the absence of authentication requirements, attackers could automate their efforts to execute these attacks on a large scale.
Now that the vulnerability has been publicly disclosed, security experts are warning of an imminent increase in exploitation activity. Organizations operating on Magento or Adobe Commerce platforms are advised to treat this vulnerability as a matter of urgency to safeguard against possible breaches and data compromise. The evolving threat landscape necessitates that store owners take proactive measures to secure their online environments.
