CISA has added CVE-2026-45247, an unauthenticated remote code execution flaw in Mirasvit Full Page Cache Warmer for Magento 2, to its Known Exploited Vulnerabilities catalog. The listing matters because the vulnerable code sits on ordinary storefront request paths: an attacker needs no Magento admin session, no customer login, and no special backend URL, only a vulnerable version of the extension on an internet-facing store.[1]
The issue affects Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12. Sansec, which disclosed the bug, says a crafted CacheWarmer cookie reaches PHP's native unserialize(), so the deserializer runs on attacker-controlled data. Deserialization on its own is not yet code execution; with a suitable gadget chain from the Magento code base or its vendored dependencies, that PHP object injection becomes remote code execution as the web server user.[2] NVD rates the vulnerability critical, with a CVSS 3.1 score of 9.8 and a CVSS 4.0 score of 9.3.[3]

What Magento store owners should check now
For store operators, the practical priority is simple: confirm the installed Mirasvit module version on every deployment and update to 1.11.12 or later. CISA's KEV entry gives federal civilian agencies a June 6, 2026 remediation deadline, but internet-facing commerce sites should treat that as an outside limit rather than a comfortable schedule.[1] Mirasvit's package changelog lists newer Cache Warmer releases, and third-party advisories identify every version below 1.11.12 as affected.[4]
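The version check is easy to get wrong if done by eye or with a plain string comparison, because "1.11.9" sorts after "1.11.12" as text. The following script is an added example, not code from the article, from Mirasvit or from Magento: it reads each deployed release's composer.lock, finds the Cache Warmer package and compares its version numerically against 1.11.12. The Composer package name is an assumption, so the match is deliberately loose (vendor prefix "mirasvit/" plus the substring "cache-warmer"); confirm the real name with `composer show 'mirasvit/*'` in the store root. The lock-file contents and paths below are constructed sample data.

```python
import json
import re

# Constructed composer.lock fragments standing in for two release directories
# on one web node (not real lock files). The package name is an assumption.
SAMPLE_LOCKS = {
    "/var/www/releases/20260520/composer.lock": json.dumps({
        "packages": [
            {"name": "magento/product-community-edition", "version": "2.4.7"},
            {"name": "mirasvit/module-cache-warmer", "version": "1.11.9"},
        ]
    }),
    "/var/www/releases/20260604/composer.lock": json.dumps({
        "packages": [
            {"name": "mirasvit/module-cache-warmer", "version": "1.11.12"},
        ]
    }),
    "/var/www/releases/20260301/composer.lock": json.dumps({
        "packages": [
            {"name": "magento/product-community-edition", "version": "2.4.7"},
        ]
    }),
}

FIXED_VERSION = "1.11.12"


def parse_version(version):
    """Turn '1.11.9' or 'v1.11.12' into a tuple of ints for numeric comparison.
    A plain string comparison would rank '1.11.9' above '1.11.12'."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def find_cache_warmer(lock_json):
    """Return (name, version) of a Mirasvit cache-warmer package, or None.
    Both regular and dev package sections are searched."""
    data = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            name = pkg.get("name", "")
            if name.startswith("mirasvit/") and "cache-warmer" in name:
                return name, pkg["version"]
    return None


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when the installed version is older than the fixed release."""
    return parse_version(version) < parse_version(fixed)


def audit(locks):
    """Map each composer.lock path to 'vulnerable', 'fixed' or 'not installed'."""
    report = {}
    for path, content in locks.items():
        found = find_cache_warmer(content)
        if found is None:
            report[path] = "not installed"
        else:
            report[path] = "vulnerable" if is_vulnerable(found[1]) else "fixed"
    return report


if __name__ == "__main__":
    for path, status in sorted(audit(SAMPLE_LOCKS).items()):
        print(f"{status:14} {path}")
```

Run it against every release directory on every node, not only the one the current symlink points at. A module that was installed by copying it into app/code rather than through Composer will not appear in composer.lock at all, so for those installs read the module's own composer.json under app/code instead.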
Do not assume that authentication protects this bug. The risky input is a cookie on a storefront request, not an administrator-only form. That makes edge caching, WAF logging, and origin access logs the places to look for unusual CacheWarmer cookie values: long encoded strings, values that look like serialized PHP objects (for example text beginning with a pattern such as O:, a length and a quoted class name), or requests that produced 500 errors around the disclosure and patch window. Check first that the logs actually record cookies; the stock combined access-log format does not include the Cookie header, so the CDN or WAF in front of the origin may be the only place the value was kept. If the store uses multiple web nodes, check each node and each deployed release directory rather than only the current symlink.
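The triage described above can be scripted. The scanner below is an added example written for this article, not a tool from Sansec, Mirasvit or Magento, and it makes two assumptions: that the access log was extended with the request's Cookie header as a final quoted field (a custom LogFormat; the stock combined format has no such field), and that the relevant cookie name contains "cachewarmer" (the article names the cookie but the module's exact name is not given). It looks through URL encoding and base64 for PHP serialized-object markers, flags overlong values, and notes when a flagged request also produced a 500. The log lines are constructed; the serialized payload is a harmless stdClass used only to exercise the detector.

```python
import base64
import re
import urllib.parse

# Access log with the Cookie header logged as a final quoted field (assumed
# custom LogFormat; the stock combined format does not log cookies).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<cookies>[^"]*)"$'
)

# PHP serialized object / custom-serializable markers, e.g. O:8:"stdClass":1:{
SERIALIZED_RE = re.compile(r'(?:^|[;{])[OC]:\d+:"')
LONG_VALUE = 200  # bytes; a genuine cache-warmer flag is expected to be short

# Constructed sample data: a harmless stdClass payload, once base64-encoded and
# once URL-encoded, mixed with benign traffic. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges.
PAYLOAD = 'O:8:"stdClass":1:{s:4:"test";s:3:"abc";}'
B64 = base64.b64encode(PAYLOAD.encode()).decode()
SAMPLE_LOG = [
    '203.0.113.7 - - [27/May/2026:10:14:02 +0000] "GET / HTTP/1.1" 200 51233 '
    '"CacheWarmer=1; PHPSESSID=abc123"',
    '198.51.100.23 - - [27/May/2026:10:15:40 +0000] '
    '"GET /catalog/category/view/id/12 HTTP/1.1" 500 0 "CacheWarmer=%s"' % B64,
    '198.51.100.23 - - [27/May/2026:10:15:41 +0000] "GET / HTTP/1.1" 200 51233 '
    '"CacheWarmer=%s"' % urllib.parse.quote(PAYLOAD),
    '203.0.113.9 - - [27/May/2026:10:16:00 +0000] "GET /checkout/ HTTP/1.1" 200 '
    '40000 "form_key=xyz; CacheWarmer=1"',
]


def _decode_layers(value):
    """Yield the raw value, its URL-decoded form and, when the result looks
    like base64, the decoded bytes as text, so the marker check sees through
    the encodings an attacker would most likely wrap the payload in."""
    yield value
    unq = urllib.parse.unquote(value)  # not unquote_plus: '+' is base64 data
    if unq != value:
        yield unq
    candidate = unq.strip()
    if len(candidate) >= 8 and re.fullmatch(r"[A-Za-z0-9+/=_-]+", candidate):
        padded = candidate.replace("-", "+").replace("_", "/")
        padded += "=" * (-len(padded) % 4)
        try:
            yield base64.b64decode(padded, validate=True).decode("latin-1")
        except (ValueError, UnicodeDecodeError):
            pass


def cache_warmer_cookies(cookie_header):
    """Values of every cookie whose name contains 'cachewarmer' (assumed name)."""
    values = []
    for part in cookie_header.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep and "cachewarmer" in name.lower():
            values.append(val)
    return values


def classify(line):
    """Return the reasons a log line looks suspicious (empty list if benign)."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparsed line"]
    reasons = []
    for val in cache_warmer_cookies(m.group("cookies")):
        if len(val) > LONG_VALUE:
            reasons.append("long CacheWarmer value (%d bytes)" % len(val))
        if any(SERIALIZED_RE.search(layer) for layer in _decode_layers(val)):
            reasons.append("serialized PHP object in CacheWarmer cookie")
            if m.group("status") == "500":
                reasons.append("request with suspicious cookie returned 500")
    return reasons


def scan(lines):
    """Map line index to reasons for every flagged line."""
    return {i: r for i, line in enumerate(lines) if (r := classify(line))}


if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_LOG).items():
        print("line %d: %s" % (i, "; ".join(reasons)))
```

A hit from this scanner is a reason to preserve the node's logs and file system and to start the credential rotation described below, not proof of a successful exploit; a 500 can mean a gadget chain failed just as easily as that it ran. Run it over the retention window that covers the disclosure date, and over the edge or WAF logs if the origin never saw the cookie.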
The incident also fits a familiar Magento pattern: attackers often turn extension bugs into webshells, skimmers, or persistent admin access after the first foothold. HowToFix.guide has previously covered Magento patch bypass risk and Magecart-style skimmer infrastructure, both of which are useful context when reviewing a compromised storefront. If the investigation points to dropped files or server-side persistence, compare it with recent exploited hosting/plugin cases such as the LiteSpeed cPanel plugin root-access campaign.
Administrators should inventory where the extension is installed, deploy the fixed package, flush Magento generated code and cache according to the store's normal release process, and preserve access logs and any suspicious files before cleanup removes the evidence. If suspicious cookie traffic appears, rotate Magento admin credentials, API and integration tokens, payment-extension secrets, deployment keys, and every credential the web user can read, including the database and cache credentials in the store's configuration files. For high-value stores, a clean redeploy from trusted source plus a file-integrity comparison against that source is safer than trying to patch a potentially modified document root in place.
The important nuance is that this is not merely another Magento maintenance update. CISA's exploited-vulnerability listing means defenders should assume real-world interest, and Sansec's technical description narrows the attack surface to a single cookie, which leaves attackers very little to probe. Stores that run Mirasvit Cache Warmer should move the fix into the emergency-change lane, then verify that no suspicious CacheWarmer traffic preceded the update.
References
- [1] CISA, Known Exploited Vulnerabilities Catalog entry for CVE-2026-45247, added June 3, 2026.
- [2] Sansec, Critical vulnerability in Mirasvit Cache Warmer for Magento, May 26, 2026.
- [3] NVD, CVE-2026-45247 detail page, updated June 3, 2026.
- [4] VulnCheck, Mirasvit Cache Warmer for Magento < 1.11.12 PHP Object Injection, May 26, 2026.
- [5] Mirasvit, Full Page Cache Warmer for Magento 2 changelog.