Mirasvit Cache Warmer CVE-2026-45247 (CVSS 9.8) RCE

A critical deserialization of untrusted data vulnerability, CVE-2026-45247, impacts the Mirasvit Cache Warmer extension for Magento, a popular e-commerce platform. This flaw carries a CVSS score of 9.8, signifying its severe potential for compromise. The vulnerability allows unauthenticated attackers to achieve remote code execution (RCE) on affected servers.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-45247 to its Known Exploited Vulnerabilities (KEV) catalog. This inclusion follows confirmed reports of active exploitation in the wild, demonstrating the immediate and severe threat this vulnerability poses to organizations utilizing the Mirasvit Cache Warmer extension.

Enterprise administrators and security teams are advised to prioritize remediation efforts. The absence of authentication requirements for exploitation, combined with the availability of exploit payloads in active attacks, necessitates prompt action to mitigate potential system compromise and data loss.

What is CVE-2026-45247 and why is it critical?

CVE-2026-45247 is a critical deserialization of untrusted data vulnerability in the Mirasvit Cache Warmer Magento extension. With a CVSS score of 9.8, this flaw permits unauthenticated remote attackers to execute arbitrary PHP code on vulnerable Magento installations, directly leading to total system takeover.

The vulnerability stems from the extension's improper handling of user-supplied data within the CacheWarmer cookie. Specifically, the extension deserializes a portion of this cookie's value using PHP's native unserialize() function without adequate validation or sanitization. Deserialization of untrusted data is a severe class of vulnerability, often categorized as CWE-502 (Deserialization of Untrusted Data), because it allows an attacker to manipulate the process of reconstructing data objects. When an application attempts to reconstruct an object from attacker-controlled serialized data, the attacker can inject malicious objects or alter existing ones.

In the context of CVE-2026-45247, an attacker can supply a specially crafted serialized PHP object within the CacheWarmer cookie. This crafted object is then processed by the unserialize() function. By using "gadget chains" (sequences of legitimate method calls present in the application's codebase or its dependencies), the injected object can trigger unintended code execution. This technique, known as PHP object injection, effectively bypasses security controls and allows the attacker to dictate the execution flow of the application. The critical nature of this vulnerability is further amplified by the fact that it requires no authentication or administrative privileges, meaning any unauthenticated storefront request carrying the malicious cookie can initiate the attack.

The active exploitation of CVE-2026-45247 in real-world scenarios and its subsequent addition to CISA's KEV catalog demonstrate the urgency for immediate patching. Attackers are demonstrably aware of this flaw and possess the technical means to use it for significant compromise, transforming a theoretical risk into a tangible threat. This direct path to remote code execution makes CVE-2026-45247 a critical priority vulnerability for any organization operating a Magento environment with the affected extension.

Impact of CVE-2026-45247

Successful exploitation of CVE-2026-45247 grants an unauthenticated attacker the ability to execute arbitrary PHP code on the underlying server. This level of access is equivalent to achieving full system takeover, enabling attackers to perform a wide range of malicious activities with severe consequences for the compromised organization and its customers.

An attacker with remote code execution capabilities can:

  • Exfiltrate sensitive data: Access databases containing customer information, payment details, order histories, and proprietary business data.
  • Deface or alter the website: Modify web content, inject malicious scripts, or redirect legitimate users to malicious sites, damaging brand reputation and user trust.
  • Deploy malware: Install backdoors, web shells, or other persistent malware to maintain access or launch further attacks, potentially leading to long-term compromise of the server and connected systems.
  • Establish a foothold for lateral movement: Use the compromised Magento server as a pivot point to access other systems within the internal network.

Organizations running Magento installations with the Mirasvit Cache Warmer extension are directly at risk. Sansec research identified approximately 6,000 stores utilizing Mirasvit extensions, though the actual number is likely higher due to the masking effects of content delivery networks (CDNs) like Cloudflare. The broad deployment of Magento across various industries means a significant number of entities are potentially exposed.

Imperva has observed active attack activity targeting CVE-2026-45247, primarily singling out gaming and business sites. The most targeted countries include the U.S., the U.K., France, and Australia. The observed attack payloads incorporate base64-encoded serialized objects, designed to trigger PHP Object Deserialization and achieve remote code execution. These payloads have been noted to invoke functions such as system() and current() to execute arbitrary commands. Initial attacker objectives appear to focus on identifying vulnerable Magento environments and confirming the feasibility of remote code execution, indicating potential precursor activity to more extensive operations.

Exploitation Chain

Exploitation of CVE-2026-45247 relies on the deserialization of untrusted data flaw in the Mirasvit Cache Warmer extension. The attack vector is entirely unauthenticated and remote, relying on specially crafted HTTP requests to the Magento storefront.

The preconditions for a successful exploit are straightforward: an active Magento installation with the Mirasvit Cache Warmer extension installed, specifically any version prior to 1.11.12. No prior authentication or administrative privileges are necessary for an attacker to initiate the compromise. This low barrier to entry significantly increases the exploitability and risk profile of the vulnerability.

The exploitation process unfolds as follows:

  1. Crafted HTTP Request: An attacker sends an HTTP request to the Magento storefront. This request contains a CacheWarmer cookie with a malicious value.
  2. Malicious Cookie Content: The CacheWarmer cookie value includes a Base64-encoded serialized PHP object. This object is meticulously constructed to manipulate the application's deserialization process.
  3. Deserialization Trigger: The Mirasvit Cache Warmer extension, in its normal operation, deserializes a part of the incoming CacheWarmer cookie value using PHP's unserialize() function. Due to the lack of sufficient input validation, the malicious serialized object is processed.
  4. PHP Object Injection: During deserialization, the crafted object takes advantage of a PHP object injection vulnerability (CWE-502). This allows the attacker to control what objects PHP reconstructs, introducing attacker-controlled data and logic into the application's memory space.
  5. Gadget Chain Execution: The injected object, in conjunction with existing legitimate classes and methods (a "gadget chain") within Magento and its dependencies, triggers the execution of arbitrary PHP code. Imperva reported observing payloads designed to invoke functions like system() and current() for command execution.
  6. Remote Code Execution: The arbitrary commands supplied by the attacker are executed on the underlying server, granting the attacker full control over the compromised Magento environment.

Public exploit code and detailed technical information regarding this vulnerability are available, further accelerating the threat. Imperva has specifically reported active attack activity, indicating that threat actors are successfully using this flaw in the wild. The inclusion of CVE-2026-45247 in CISA's KEV catalog serves as official confirmation of its active exploitation and necessitates immediate attention from all affected organizations.

Affected Products and Versions

CVE-2026-45247 specifically impacts the Mirasvit Cache Warmer extension for Magento.

  • Mirasvit Cache Warmer extension for Magento: All versions prior to 1.11.12.

No other Mirasvit extensions or Magento core versions have been identified as directly affected by this specific vulnerability in the provided research. Organizations must verify the version of their Mirasvit Cache Warmer extension to determine their exposure.

Detection Strategies for CVE-2026-45247

Detecting CVE-2026-45247 exploitation attempts relies on vigilant monitoring of web traffic and server logs for specific indicators. The attack vector directly involves a maliciously crafted CacheWarmer cookie within storefront requests.

Security teams should implement the following detection strategies:

  • HTTP Request Log Analysis:
      • Continuously audit HTTP access logs for inbound requests targeting your Magento storefront.
      • Focus on requests that include a CacheWarmer cookie in their headers.
      • Specifically, examine the value of the CacheWarmer cookie for patterns indicative of serialized PHP objects.
  • Specific Cookie Value Patterns:
      • Sansec's research provides a crucial indicator: a CacheWarmer cookie value matching the regex CacheWarmer:(Tz|Qz|YT). This pattern is a strong indicator of an exploitation attempt.
      • Explanation: a serialized PHP value begins with a type marker, and when that value is Base64-encoded the marker fixes the first characters of the resulting string:
          • Tz is the Base64 encoding of a string beginning with O:, the serialized-object marker (O: is followed by the class-name length and the class name).
          • Qz is the Base64 encoding of a string beginning with C:, the marker for a class with custom serialization.
          • YT is the Base64 encoding of a string beginning with a:, a serialized array; since an array can contain objects, in this specific exploit it is likewise associated with Base64-encoded serialized PHP objects.
      • Any CacheWarmer cookie value that begins with "CacheWarmer:" followed by a Base64-encoded string starting with Tz, Qz, or YT should be treated as highly suspicious and investigated immediately.
  • Web Application Firewall (WAF) Rules:
      • Configure WAFs to detect and block requests containing CacheWarmer cookies with values matching the identified malicious patterns (CacheWarmer:(Tz|Qz|YT)).
      • Implement rules that scrutinize cookie values for unusual Base64-encoded strings, especially those that align with known serialized PHP object signatures.
  • Endpoint Detection and Response (EDR) Queries:
      • While the initial attack is network-based, successful exploitation would lead to process execution on the server. EDR solutions can be configured to monitor for unusual process creation, particularly PHP processes executing system commands, or suspicious file modifications related to web shells or unauthorized scripts.
      • Look for executions of system(), current(), or similar command execution functions from web server processes.
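As an added example (not part of this advisory, nor Sansec's or Imperva's tooling), the following Python shows why the indicator regex keys on the Tz, Qz and YT prefixes and applies it to a few constructed access-log lines. The cookie="..." log field, the sample requests and the inert cookie values are assumptions made for the example.

```python
import base64
import re

# Sansec's indicator regex as quoted in the advisory above.
COOKIE_PATTERN = re.compile(r"CacheWarmer:(Tz|Qz|YT)")
# Type markers that open a serialized PHP value: "O:" object, "C:" class
# with custom serialization, "a:" array (which may hold objects).
PHP_MARKERS = {"O:": "object", "C:": "custom-serialized class", "a:": "array"}

def base64_prefixes():
    """Why the regex keys on Tz/Qz/YT: each is the first two Base64
    characters of a string that starts with one of the PHP markers."""
    return {base64.b64encode(m.encode()).decode()[:2]: k
            for m, k in PHP_MARKERS.items()}

def classify_cookie(cookie_header):
    """Return (prefix, kind) when the Cookie header carries the indicator, else None."""
    match = COOKIE_PATTERN.search(cookie_header)
    if not match:
        return None
    return match.group(1), base64_prefixes()[match.group(1)]

# Assumed log format: the web server appends the request's Cookie header
# as cookie="..." to each access-log line (constructed for this example).
LOG_COOKIE = re.compile(r'cookie="([^"]*)"')

def scan_access_log(lines):
    """Return (line number, prefix, kind) for every line that matches the indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        field = LOG_COOKIE.search(line)
        verdict = classify_cookie(field.group(1)) if field else None
        if verdict:
            hits.append((n, verdict[0], verdict[1]))
    return hits

def demo_cookie(serialized):
    """Build a cookie in the described shape from a harmless serialized value."""
    return "CacheWarmer=CacheWarmer:" + base64.b64encode(serialized.encode()).decode()

# Constructed sample lines; the CacheWarmer values wrap inert stdClass/array data.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jun/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 cookie="PHPSESSID=abc123"',
    '203.0.113.7 - - [01/Jun/2026:10:00:02 +0000] "GET /catalog HTTP/1.1" 200 cookie="%s"' % demo_cookie('O:8:"stdClass":0:{}'),
    '203.0.113.9 - - [01/Jun/2026:10:00:03 +0000] "GET / HTTP/1.1" 200 cookie="%s"' % demo_cookie('a:0:{}'),
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("suspicious CacheWarmer cookie on line %d: prefix %s (%s)" % hit)
```

Because the prefix is derived from the first two Base64 characters only, the check is cheap enough to run inline in a WAF rule as well as over historical logs.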

Proactive monitoring and alert generation for these specific indicators are essential for identifying and responding to exploitation attempts of CVE-2026-45247. Due to the unauthenticated nature of the vulnerability and its active exploitation, immediate detection capabilities are paramount to prevent compromise.

Remediation

Organizations running the Mirasvit Cache Warmer extension on their Magento installations require prompt remediation, given the active exploitation of CVE-2026-45247. Applying the vendor-supplied patch is the primary and most effective remediation path.

  • Patching: Upgrade the Mirasvit Cache Warmer extension to version 1.11.12 or a later release. This version includes the necessary fixes to address the deserialization of untrusted data vulnerability. Organizations should consult Mirasvit's official documentation and release notes for detailed upgrade instructions specific to their Magento environment.
  • Compliance Mandates: The urgency of patching is reinforced by mandates from cybersecurity authorities. CISA has directed Federal Civilian Executive Branch (FCEB) agencies to apply the necessary fixes for CVE-2026-45247 by June 6, 2026. This directive shows the severity and confirmed risk associated with unpatched systems.
  • No Workarounds: The provided research does not indicate any effective temporary workarounds that fully mitigate this vulnerability without applying the patch. Disabling the extension entirely might remove the immediate threat, but it would also remove core functionality, which may not be feasible for operational environments. Therefore, immediate patching remains the only recommended and complete remediation.
  • Post-Patch Verification: After applying the patch, organizations should conduct thorough verification to ensure the update was successful and the vulnerability is no longer present. A comprehensive security audit of the Magento environment should be performed to detect any signs of prior compromise, such as persistent backdoors or unauthorized configuration changes, which may have occurred if the system was exploited before patching.

Technical Takeaways

  • CVE-2026-45247 is a critical deserialization of untrusted data vulnerability with a CVSS score of 9.8, affecting the Mirasvit Cache Warmer Magento extension.
  • The flaw enables unauthenticated attackers to achieve remote code execution (RCE) via a specially crafted CacheWarmer cookie.
  • The vulnerability is actively exploited in the wild, leading to its inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog.
  • Detection involves monitoring storefront HTTP requests for CacheWarmer cookies with specific Base64-encoded serialized PHP object prefixes like Tz, Qz, or YT.
  • Remediation requires upgrading the Mirasvit Cache Warmer extension to version 1.11.12 or a later release immediately.