Executive Summary
A critical unauthenticated remote code execution vulnerability (CVE-2026-45247) has been disclosed in the Mirasvit Full Page Cache Warmer extension for Magento 2. The flaw allows any unauthenticated attacker to supply a crafted serialized PHP object via the CacheWarmer cookie, triggering PHP object deserialization and enabling arbitrary code execution on the underlying server.
CVSS Score: 9.8 (Critical)
This vulnerability requires no authentication. Any user who can send an HTTP request to a Magento 2 store running the affected extension can trigger exploitation. Magento 2 deployments with this extension installed are at immediate and severe risk.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-45247 |
| CVSS Score | 9.8 (Critical) |
| Type | PHP Object Injection → Remote Code Execution |
| Attack Vector | Network |
| Privileges Required | None (Unauthenticated) |
| User Interaction | None |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
| Root Cause | Unsafe PHP deserialization of attacker-controlled cookie value |
| Affected Versions | Mirasvit Full Page Cache Warmer for Magento 2 before 1.11.12 |
| Patch Available | Yes — update to version 1.11.12 or later |
Affected Products
| Product | Affected Versions | Remediation |
|---|---|---|
| Mirasvit Full Page Cache Warmer for Magento 2 | All versions before 1.11.12 | Update to 1.11.12+ immediately |
Technical Analysis
Root Cause
CVE-2026-45247 is a PHP object injection vulnerability arising from the unsafe deserialization of the CacheWarmer cookie value. The extension reads this cookie and passes its contents directly to PHP's unserialize() function without sanitizing or validating the input.
PHP's unserialize() function reconstructs arbitrary PHP objects from a serialized string. If the application's codebase contains "gadget chains" — classes with __wakeup(), __destruct(), or __toString() magic methods that perform dangerous operations — an attacker can craft a serialized payload that triggers those methods upon deserialization, ultimately achieving arbitrary code execution.
Magento 2 is a feature-rich e-commerce platform with a large codebase and many third-party dependencies, providing a rich gadget chain landscape for exploitation.
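The two shapes of the cookie handler described above, as an added illustration that is not the extension's own code (which this advisory does not reproduce): the unsafe call the root cause names, beside a hardened reader that rejects the serialized-object marker (the same `O:`/`C:` prefix a WAF rule would match) and forbids class instantiation. The function names and the sample cookie values are constructed; only the cookie name comes from the advisory.

```php
<?php
declare(strict_types=1);

// Constructed sample cookie values (not captured traffic).
const COOKIE_NAME = 'CacheWarmer';
$benign  = 'a:1:{s:4:"mode";s:4:"warm";}';       // a plain serialized array
$hostile = 'O:8:"stdClass":1:{s:1:"x";i:1;}';    // a serialized object: the injection shape

// VULNERABLE shape (hypothetical name): the cookie value, as returned by $_COOKIE
// or Magento's CookieManager, goes straight into unserialize(). Every autoloadable
// class with __wakeup()/__destruct()/__toString() becomes reachable by an
// anonymous request, which is the condition the advisory describes.
function readWarmerCookieVulnerable(string $raw)
{
    return unserialize($raw);
}

// WAF-style pre-check: a serialized PHP object appears as O:<len>:"<class>" or
// C:<len>:"<class>", either at the start of the value or after a ';' when nested
// inside a serialized array.
function containsSerializedObject(string $raw): bool
{
    return preg_match('/(?:^|;)[OC]:\d+:"/', $raw) === 1;
}

// HARDENED shape (hypothetical name): refuse anything carrying an object marker
// and, even then, forbid class instantiation. With allowed_classes => false
// (PHP >= 7.0) any object decodes to __PHP_Incomplete_Class, so no user-defined
// magic method can run. Moving the cookie to JSON (json_decode) removes the
// class entirely and is the preferable long-term fix.
function readWarmerCookieHardened(string $raw): ?array
{
    if (containsSerializedObject($raw)) {
        return null;                     // drop and log as an exploitation attempt
    }
    $data = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

foreach ([$benign, $hostile] as $value) {
    $result = readWarmerCookieHardened($value);
    printf("%s=%s -> %s\n", COOKIE_NAME, $value, $result === null ? 'REJECTED' : 'accepted');
}
```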
Attack Flow
1. Attacker identifies a Magento 2 store with Mirasvit Full Page Cache Warmer installed
2. Attacker crafts a serialized PHP object payload exploiting a Magento gadget chain
3. Attacker sends an HTTP request to the store with the malicious CacheWarmer cookie
4. No authentication or session is required — any unauthenticated request suffices
5. The extension reads the cookie and calls unserialize() on the attacker's payload
6. PHP magic methods (__wakeup, __destruct, etc.) trigger during deserialization
7. Gadget chain executes arbitrary OS commands or writes malicious code to disk
8. Attacker achieves full RCE under the web server's process context
9. Attacker gains access to Magento database credentials, customer data, and payment information
Why PHP Object Injection Is Especially Dangerous in E-Commerce
PHP object injection in e-commerce platforms carries extreme risk because:
- Customer PII exposure — Names, addresses, email addresses, and order history are directly accessible
- Payment-adjacent data — Stored payment tokens, integrations with payment processors, and API credentials
- Database credentials — Magento's env.php contains database credentials readable from the application context
- Admin account creation — Attackers can create backdoor admin users for persistent access
- Skimming malware installation — Magecart-style payment card skimmers can be injected into checkout pages
Impact Assessment
| Impact Area | Description |
|---|---|
| Arbitrary Code Execution | Full RCE under the Magento application server context |
| Customer Data Theft | All customer PII, order data, and account information accessible |
| Payment Data Risk | Access to payment tokenization integrations, stored tokens, and processor API keys |
| Credential Exposure | Database credentials, admin credentials, and third-party API keys in env.php |
| Skimmer Injection | Ability to inject JavaScript payment skimmers into checkout pages (Magecart) |
| Persistence | Installation of web shells, backdoor admin accounts, or malicious extensions |
| Lateral Movement | Pivot from Magento server to database servers, internal APIs, and connected services |
Immediate Remediation
Step 1: Update the Extension
Update the Mirasvit Full Page Cache Warmer extension to version 1.11.12 or later immediately:
```bash
# Via Composer (recommended)
composer require mirasvit/module-cache-warmer:^1.11.12
php bin/magento setup:upgrade
php bin/magento setup:di:compile
php bin/magento cache:flush
# Verify the installed version
composer show mirasvit/module-cache-warmer | grep versions
```
Step 2: Temporary Mitigation (If Immediate Patching Is Not Possible)
If you cannot immediately update, use a WAF or server-side rule to strip or validate the CacheWarmer cookie before it reaches the application:
```nginx
# Nginx — strip only the CacheWarmer cookie from incoming requests.
# The map belongs in the http {} block and leaves every other cookie (including
# customer sessions) intact; clearing the whole Cookie header would break them.
map $http_cookie $sanitized_cookie {
    default $http_cookie;
    "~^(?<pre>.*?)\bCacheWarmer=[^;]*;?\s*(?<post>.*)$" "$pre$post";
}
# In the server/location that hands the request to Magento:
proxy_set_header Cookie $sanitized_cookie;        # when proxying to an upstream
# fastcgi_param HTTP_COOKIE $sanitized_cookie;    # when using fastcgi_pass to php-fpm
```
```apache
# Apache — use mod_headers to remove the suspect cookie
RequestHeader edit Cookie "(^|;\s*)CacheWarmer=[^;]*" ""
```
Step 3: Check for Signs of Exploitation
```bash
# Search web server access logs for CacheWarmer cookies carrying a serialized-object marker
# (the default combined log format omits cookies; add $http_cookie to log_format if missing)
grep -E 'CacheWarmer=(O|C)(:|%3A)[0-9]+' /var/log/nginx/access.log | tail -200
# Look for recently modified PHP files in the Magento root (post-exploitation indicators)
find /var/www/magento -name "*.php" -newer /var/www/magento/app/etc/env.php -ls 2>/dev/null
# Check for unexpected admin users
php bin/magento admin:user:list
# Review recently created admin users in the database
mysql -u root -p magento -e "SELECT username, email, created_at FROM admin_user ORDER BY created_at DESC LIMIT 20;"
```
Step 4: Audit Checkout Pages for Skimmer Injection
```bash
# Check for unexpected inline script content in Magento theme files
grep -r "document.createElement\|btoa\|XMLHttpRequest" /var/www/magento/app/design/ --include="*.phtml" --include="*.html"
# Review recently modified static files
find /var/www/magento/pub/static -name "*.js" -newer /var/www/magento/composer.json -ls 2>/dev/null | head -30
```
Detection Indicators
| Indicator | Description |
|---|---|
| Unexpected 200 responses on frontend URLs with anomalous CacheWarmer cookie values | Direct exploitation attempt |
| New admin user accounts created outside normal provisioning | Post-exploitation persistence |
| Modified or new .php files in pub/, app/code/, or vendor/ | Web shell installation |
| Unexpected outbound connections from the web server process | Data exfiltration or C2 communication |
| Suspicious JavaScript injected into checkout pages | Magecart-style payment skimmer |
| Access to env.php or database backup files from web paths | Credential theft |
Post-Remediation Checklist
- Update to Mirasvit Full Page Cache Warmer 1.11.12+ immediately
- Rotate all credentials — database password, admin accounts, third-party API keys in env.php
- Audit all admin user accounts — remove any unauthorized accounts
- Inspect checkout pages for injected JavaScript skimmers
- Review recently modified files for web shells or backdoors
- Flush all Magento caches after patching
- Enable WAF rules to detect PHP deserialization payloads (look for O: patterns in cookie values)
- Review application logs for exploitation evidence prior to patching
- Notify customers if data was accessed — assess breach notification obligations under applicable privacy law (GDPR, PIPEDA, state breach notification laws)