Critical PHP Object Injection in Mirasvit Full Page Cache Warmer for Magento (CVE‑2026‑45247) Enables Remote Code Execution
What It Is – A critical PHP object‑injection (CVE‑2026‑45247) in the Mirasvit Full Page Cache Warmer extension for Magento 2 (versions < 1.11.12). The flaw lets unauthenticated attackers send a crafted serialized PHP object via the CacheWarmer cookie, which is unserialized without validation, leading to remote code execution (RCE).
Exploitability – Actively exploited in the wild; the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has listed it in its Known Exploited Vulnerabilities (KEV) catalog. CVSS v4.0 = 9.3 (Critical). Public PoC and detection signatures are available.
Affected Products – Mirasvit Full Page Cache Warmer extension for Magento 2 (and Adobe Commerce) prior to version 1.11.12. Any Magento storefront that installs the extension is vulnerable.
TPRM Impact –
- Thousands of third‑party e‑commerce sites may host the vulnerable extension, exposing their supply‑chain partners to ransomware, data theft, or service disruption.
- Compromise of a single Magento store can give attackers a foothold from which to pivot into connected payment gateways, ERP systems, or customer data repositories.
Recommended Actions –
- Patch immediately – Upgrade to Mirasvit Full Page Cache Warmer ≥ 1.11.12 or remove the extension.
- Block/monitor – Deploy WAF rules to detect CacheWarmer cookies containing base64‑encoded serialized PHP objects (e.g., values starting with Tz, the base64 encoding of the serialized‑object prefix O:).
- Inventory – Conduct a rapid inventory of all Magento 2 installations across your vendor ecosystem; verify extension versions.
- Segmentation – Isolate Magento web servers from critical internal networks and enforce least‑privilege access.
- Incident response – Review logs for anomalous CacheWarmer cookie values; if RCE is suspected, initiate containment and forensic analysis.
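The log review and WAF heuristic above, as an added detection example (not code from the advisory or from Mirasvit): it extracts the CacheWarmer cookie from each access‑log line, base64‑decodes it, and reports values that decode to a serialized PHP object header. It assumes an Apache combined log with the Cookie header appended as the final quoted field; the log lines and cookie values are constructed.

```python
import base64
import re
from urllib.parse import unquote

# Added detection example (not the advisory's or Mirasvit's code). Log format assumed:
# Apache combined log with "%{Cookie}i" appended as the final quoted field.
# Header of a serialized PHP object: O:<name length>:"<ClassName>":<property count>:{
PHP_OBJECT_RE = re.compile(rb'O:\d+:"([A-Za-z_\\][A-Za-z0-9_\\]*)":\d+:\{')
# CacheWarmer cookie inside a Cookie header; "=" stays in the value (base64 padding)
COOKIE_RE = re.compile(r'(?:^|;\s*)CacheWarmer=([^;\s"]+)')


def decode_cookie(value):
    """Decoded bytes if the (possibly URL-encoded) value is strict base64, else None."""
    try:
        return base64.b64decode(unquote(value), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def classify_cookie(value):
    """'object:<Class>' if the value decodes to a serialized PHP object, 'suspicious' if it
    starts with 'Tz' (base64 of 'O:') but does not decode to one, otherwise 'benign'."""
    decoded = decode_cookie(value)
    if decoded is not None:
        match = PHP_OBJECT_RE.search(decoded)  # search: also finds objects nested in arrays
        if match:
            return "object:" + match.group(1).decode()
    return "suspicious" if value.startswith("Tz") else "benign"


def scan_log(lines):
    """(client_ip, verdict) for each request whose CacheWarmer cookie is not benign."""
    hits = []
    for line in lines:
        fields = line.split('"')
        match = COOKIE_RE.search(fields[-2]) if len(fields) >= 3 else None
        if match is None:
            continue
        verdict = classify_cookie(match.group(1))
        if verdict != "benign":
            hits.append((line.split()[0], verdict))  # first token is the client address
    return hits


# Constructed sample lines: a normal visitor, a base64 'O:8:"stdClass":0:{}' value,
# and a value that starts with "Tz" but decodes only to 'O:123'.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2026:12:00:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0" "PHPSESSID=abc123; CacheWarmer=1"',
    '203.0.113.9 - - [10/May/2026:12:00:02 +0000] "GET / HTTP/1.1" 200 5123 "-" "curl/8.0" "CacheWarmer=Tzo4OiJzdGRDbGFzcyI6MDp7fQ%3D%3D"',
    '198.51.100.7 - - [10/May/2026:12:00:03 +0000] "GET / HTTP/1.1" 200 5123 "-" "curl/8.0" "CacheWarmer=TzoxMjM="',
]
```

Running `scan_log(SAMPLE_LOG)` flags the second and third requests; a legitimate CacheWarmer cookie such as `1` is not reported.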
Source: SecurityAffairs – CISA adds Mirasvit Full Page Cache Warmer flaw to KEV catalog