Mirasvit CVE-2026-45247 (CVSS 9.8) RCE Exploit
Mirasvit, a vendor of extensions for Magento, has addressed a critical remote code execution (RCE) vulnerability, CVE-2026-45247, within its Full Page Cache Warmer extension. This flaw, rated with a CVSS score of 9.8, is a deserialization of untrusted data vulnerability that allows unauthenticated attackers to execute arbitrary PHP code on affected e-commerce platforms.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-45247 to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation of this vulnerability. CISA mandates that Federal Civilian Executive Branch (FCEB) agencies apply necessary fixes by June 6, 2026. All organizations running affected systems should prioritize remediation.
Sansec and Imperva have observed active attacks using this flaw. Organizations operating Magento environments with the Mirasvit Cache Warmer extension should immediately review their installation status, apply available patches, implement detection mechanisms, and identify potential exploitation attempts.
What is CVE-2026-45247 and why is it critical?
CVE-2026-45247 is a critical deserialization of untrusted data vulnerability in the Mirasvit Full Page Cache Warmer extension for Magento. It enables unauthenticated remote code execution (RCE). A CVSS score of 9.8 places it in the Critical band, just short of the maximum 10.0. Exploitation can lead to complete system compromise without user interaction or prior authentication, and the flaw is under active exploitation.
This vulnerability is a deserialization of untrusted data, specifically PHP object injection (CWE-502). In this attack, an application deserializes untrusted input, which allows an attacker to manipulate the object creation process. By crafting a malicious serialized object, an attacker can control the application's internal logic, leading to arbitrary code execution. Its inclusion in CISA's KEV catalog also shows the criticality of CVE-2026-45247. The KEV catalog is a list of vulnerabilities with significant risk due to demonstrated real-world exploitation. This status makes the flaw an immediate and demonstrable threat requiring prompt attention from all affected entities.
What is the potential impact of CVE-2026-45247?
Exploitation of CVE-2026-45247 allows an unauthenticated attacker to execute arbitrary PHP code on affected Magento servers, leading to full compromise of the e-commerce platform and its underlying server infrastructure. This level of access grants attackers extensive control over the compromised system, posing severe risks to data integrity, confidentiality, and availability.
Attackers gaining remote code execution can achieve various malicious objectives. These include stealing sensitive customer and payment information, defacing the website, injecting malicious scripts (e.g., Magecart attacks for credit card skimming), deploying ransomware, or establishing persistent backdoors for future access. Complete compromise of an e-commerce platform can lead to significant financial losses, severe reputational damage, and potential legal and regulatory penalties for data breaches.

Imperva noted that observed payloads contained base64-encoded serialized objects designed to trigger PHP object deserialization and achieve remote code execution through commonly abused gadget chains. These payloads attempt to invoke functions such as system() and current() to execute arbitrary commands. Initial attacks focus on validating successful code execution to flag vulnerable Magento environments.

Sansec, a Dutch security company, identified approximately 6,000 stores running Mirasvit extensions, showing a substantial attack surface. Active attacks have been observed primarily targeting gaming and business sites, with victims across multiple countries, including the U.S., U.K., France, and Australia. The broad reach and severe potential consequences make CVE-2026-45247 a critical threat for any organization using the affected extension.
How is CVE-2026-45247 exploited?
An unauthenticated attacker exploits CVE-2026-45247 by supplying a specially crafted serialized PHP object within the CacheWarmer cookie of any storefront HTTP request. PHP's native unserialize() function then deserializes this object without adequate validation, allowing the attacker to inject arbitrary PHP objects and escalate to remote code execution.
The attack is remote and requires no authentication or administrative privileges. The only requirement for successful exploitation is that the Mirasvit Full Page Cache Warmer extension is installed and enabled on a Magento instance. Attackers abuse the application's trust in the incoming CacheWarmer cookie, which is processed directly from the client without validation of its contents. This approach is reminiscent of other critical deserialization flaws, such as those discussed in our prior analysis of CVE-2026-45659-rce, which also showed the dangers of insecure deserialization.
The exploitation chain proceeds:
- Object Crafting: An attacker constructs a malicious serialized PHP object that invokes a "gadget chain": a sequence of legitimate classes and methods already present in Magento or its dependencies which, when instantiated with attacker-controlled properties and triggered, redirects execution flow to an arbitrary function call and so to RCE.
- Cookie Injection: The serialized object is Base64-encoded and embedded in the CacheWarmer cookie of an ordinary HTTP request for any storefront page of the target Magento application.
- Server-Side Deserialization: On receiving the request, the Mirasvit Full Page Cache Warmer extension reads the CacheWarmer cookie and passes its decoded value to PHP's unserialize() to reconstruct the object.
- Remote Code Execution: Because unserialize() operates on attacker-controlled data without validation, the malicious object is instantiated and its magic methods (e.g., __wakeup() during deserialization or __destruct() when the object is discarded) trigger the gadget chain, executing arbitrary PHP code on the server. Note that PHP does not call a class's constructor during unserialize(); gadget chains rely on these magic methods instead. Imperva has confirmed observing active attacks using serialized PHP object payloads delivered via malicious HTTP requests. These payloads attempt to invoke functions such as system() and current() to execute arbitrary commands on the underlying server, showing intent for remote code execution.
Which products and versions are affected by CVE-2026-45247?
CVE-2026-45247 affects the Mirasvit Full Page Cache Warmer extension for Magento. This vulnerability impacts installations with the extension deployed, regardless of the Magento version, as the flaw resides within the extension itself.
The following product line and version ranges are known to be vulnerable:
- Product Line: Mirasvit Full Page Cache Warmer for Magento
- Affected Versions: All versions prior to 1.11.12
Organizations should confirm the version of their Mirasvit Full Page Cache Warmer extension to confirm their exposure to CVE-2026-45247. Any version preceding 1.11.12 indicates immediate vulnerability and requires urgent attention.
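The check below is an added example, not code from Mirasvit or from the original page. It reads the version of the extension from a Magento deployment's composer.lock and compares it numerically against the first fixed release. The Composer package name mirasvit/module-cache-warmer is an assumption (the article names only the product), as is the constructed lock-file excerpt; confirm the package name with composer show before relying on the result. Numeric comparison matters because a naive string compare ranks "1.11.9" above "1.11.12".

```python
import json
import re

# Assumed Composer package name; the article names only the product.
PACKAGE = "mirasvit/module-cache-warmer"
FIXED_VERSION = "1.11.12"  # first patched release named in the advisory

# Constructed composer.lock excerpt (not a real lock file) used as sample input.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "magento/product-community-edition", "version": "2.4.7"},
        {"name": "mirasvit/module-cache-warmer", "version": "1.11.9"},
    ],
    "packages-dev": [],
})


def parse_version(version):
    """Turn '1.11.9', 'v1.11.9' or '1.11.12-p1' into a comparable int tuple.
    Only the leading digits of each dot-separated part are used, so patch
    suffixes do not break the comparison; missing parts count as 0."""
    parts = []
    for piece in version.lstrip("v").split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group(0)) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def installed_version(lock_json, package=PACKAGE):
    """Return the installed version string of `package`, or None if absent
    (e.g. the extension was copied into app/code instead of installed via
    Composer; in that case read its own composer.json there)."""
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == package:
                return pkg.get("version")
    return None


def is_vulnerable(lock_json, package=PACKAGE, fixed=FIXED_VERSION):
    """True when the extension is present and older than the fixed version."""
    version = installed_version(lock_json, package)
    if version is None:
        return False  # not installed via Composer: verify app/code manually
    return parse_version(version) < parse_version(fixed)


if __name__ == "__main__":
    print("installed:", installed_version(SAMPLE_LOCK))
    print("vulnerable:", is_vulnerable(SAMPLE_LOCK))
```

Run it against the real composer.lock with `is_vulnerable(open("composer.lock").read())`. A False result is not proof of safety if the extension lives under app/code rather than vendor/, so pair this with `bin/magento module:status` to confirm whether the extension's modules are enabled at all.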
How can CVE-2026-45247 exploitation be detected?
Detecting CVE-2026-45247 exploitation requires auditing web server logs for HTTP requests containing suspicious CacheWarmer cookie values, especially those with serialized PHP objects. Given this deserialization vulnerability, monitoring inbound network traffic and server-side process execution is important.
Detection guidance:
- Network Indicators / Log Signatures:
  - Web Server Access Logs: Monitor and audit web server access logs (e.g., Apache, Nginx) for HTTP requests directed at Magento storefronts. The default combined log format does not record the Cookie header, so add it to the log format or inspect reverse-proxy and WAF logs that do capture it; otherwise the indicator below is invisible.
  - CacheWarmer Cookie Presence: Look for the CacheWarmer cookie within these requests.
  - Suspicious Cookie Value Patterns: Identify CacheWarmer cookie values containing "CacheWarmer:" followed by a Base64-encoded string. A strong indicator is a value matching the regular expression CacheWarmer:(Tz|Qz|YT). These prefixes are the Base64 encoding of the first bytes of PHP's serialization format: Tz for "O:" (an object), Qz for "C:" (a class using custom serialization), and YT for "a:" (an array). Confirm matches by decoding the payload (see Payload Analysis) rather than alerting on the prefix alone.
  - WAF Alerts: Configure Web Application Firewalls (WAFs) to inspect incoming request headers, particularly the Cookie header, for these patterns, and alert on or block requests matching the suspicious CacheWarmer cookie format. Cookie values are frequently URL-encoded in transit, so make rules tolerant of "%3D" in place of "=" padding.
- Payload Analysis:
  - If suspicious cookie values are identified, Base64-decode the string following "CacheWarmer:". Inspect the decoded serialized object for the class names it instantiates and for strings naming common RCE functions (e.g., system(), exec(), passthru(), shell_exec(), current()).
  - Look for evidence of attempts to write files to disk, establish reverse shells, create new user accounts, or run reconnaissance commands (whoami, id, ls, pwd).
- EDR/SIEM Queries:
  - Configure Endpoint Detection and Response (EDR) or Security Information and Event Management (SIEM) systems to alert on unexpected process execution from the web server. This includes PHP worker processes (PHP-FPM, mod_php) spawning shells (e.g., sh, bash, or cmd.exe on Windows hosts) or any abnormal child process of the web server.
  - Monitor for the creation of new, suspicious files in web-accessible directories, especially PHP files (.php), or modifications to existing critical application files. Integrate threat intelligence feeds with known malicious payloads, IP addresses, or domains associated with CVE-2026-45247 exploitation into SIEM rules. For further insights into detecting actively exploited vulnerabilities, refer to our analysis of CVE-2026-41091, which details methods for identifying such threats.
- Vulnerability Scanning:
  - Regularly perform authenticated and unauthenticated vulnerability scans of your Magento environment to identify the presence and version of the Mirasvit Cache Warmer extension. While not direct exploitation detection, this identifies vulnerable assets.
By combining these detection methods, organizations can create a full monitoring system to identify and respond to potential exploitation attempts of CVE-2026-45247.
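The following is an added example (not code from Imperva, Sansec, Mirasvit or the original page) covering both the exploitation chain described earlier and the log-signature and payload-analysis guidance above. It builds a PHP-serialized object in the format unserialize() consumes, shows why its Base64 form starts with Tz, then scans constructed access-log lines for the CacheWarmer:(Tz|Qz|YT) indicator, decodes the payload, and extracts class names and suspicious function-name strings. The class DemoGadget and its properties are hypothetical and are not a real Magento gadget chain; the three log lines are constructed and assume a log_format that appends the Cookie header as the last quoted field.

```python
import base64
import re
import urllib.parse

# Indicator quoted in the advisory: a CacheWarmer cookie whose value is
# "CacheWarmer:" followed by Base64 starting with Tz, Qz or YT. Those are the
# Base64 encodings of blobs beginning "O:" (object), "C:" (custom-serialized
# object) or "a:" (array). "%" in the class tolerates URL-encoded "=" padding.
COOKIE_RE = re.compile(r"CacheWarmer=CacheWarmer:((?:Tz|Qz|YT)[A-Za-z0-9+/=%]*)")

# Functions the advisory reports in observed payloads (system, current) plus
# the usual PHP command-execution sinks worth flagging in a decoded chain.
SUSPICIOUS = {"system", "exec", "passthru", "shell_exec", "current", "eval", "assert"}


def base64_prefix(serialized_start):
    """First two Base64 characters of a blob, e.g. 'O:' -> 'Tz'."""
    return base64.b64encode(serialized_start.encode())[:2].decode()


def php_serialize_object(class_name, props):
    """Emit PHP serialize() output for an object with string properties:
    O:<len>:"<class>":<count>:{s:<len>:"<key>";s:<len>:"<value>";...}
    Used only to build a labelled sample; DemoGadget is hypothetical."""
    body = "".join('s:%d:"%s";s:%d:"%s";' % (len(k), k, len(v), v) for k, v in props.items())
    return 'O:%d:"%s":%d:{%s}' % (len(class_name), class_name, len(props), body)


def php_strings(serialized):
    """Return (kind, text) for every class name (O:/C:) and string value (s:)
    in a PHP serialized blob. Declared lengths are honoured, so quotes or
    fake tokens inside a value cannot derail the scan."""
    token = re.compile(r'([OCs]):(\d+):"')
    found, pos = [], 0
    while True:
        m = token.search(serialized, pos)
        if not m:
            return found
        start, length = m.end(), int(m.group(2))
        found.append((m.group(1), serialized[start:start + length]))
        pos = start + length + 1  # step over the closing quote


def analyze_cookie(value):
    """Decode a captured cookie payload and report classes and suspicious
    strings; returns None when the value is not valid Base64."""
    try:
        raw = base64.b64decode(urllib.parse.unquote(value), validate=True)
    except ValueError:
        return None
    decoded = raw.decode("latin-1")
    parts = php_strings(decoded)
    return {
        "classes": [t for k, t in parts if k in ("O", "C")],
        "suspicious": [t for k, t in parts if k == "s" and t in SUSPICIOUS],
        "decoded": decoded,
    }


def scan_log(lines):
    """Return [(line_number, report)] for lines carrying a matching cookie."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = COOKIE_RE.search(line)
        if m:
            report = analyze_cookie(m.group(1))
            if report is not None:
                findings.append((n, report))
    return findings


# Constructed sample payload (hypothetical gadget shape) and constructed log lines.
SAMPLE_PAYLOAD = base64.b64encode(
    php_serialize_object("DemoGadget", {"callback": "system", "arg": "id"}).encode()
).decode()
SAMPLE_LOG = [
    '198.51.100.7 - - [26/May/2026:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" "PHPSESSID=abc123"',
    '198.51.100.7 - - [26/May/2026:10:01:05 +0000] "GET /catalog HTTP/1.1" 200 512 "-" "curl/8.6" "CacheWarmer=CacheWarmer:%s"' % SAMPLE_PAYLOAD,
    '203.0.113.9 - - [26/May/2026:10:02:11 +0000] "GET /checkout HTTP/1.1" 200 512 "-" "Mozilla/5.0" "CacheWarmer=CacheWarmer:dGVzdA=="',
]

if __name__ == "__main__":
    for n, report in scan_log(SAMPLE_LOG):
        print("line %d: classes=%s suspicious=%s" % (n, report["classes"], report["suspicious"]))
```

Only the second line is reported: the first has no CacheWarmer cookie and the third carries Base64 that does not start with a PHP serialization marker. The class list from php_strings() is the most useful field in practice, because it tells you which Magento or vendor classes the attacker's chain relies on even when the payload avoids obvious function names.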
How can CVE-2026-45247 be remediated?
To remediate CVE-2026-45247, apply the vendor-provided patch by upgrading the Mirasvit Full Page Cache Warmer extension to a secure version. Given the active exploitation and critical CVSS score of 9.8, immediate action is necessary to protect affected Magento environments.
Specific remediation and mitigation steps:
- Patching:
- Upgrade to Secure Version: The most effective remediation is to upgrade the Mirasvit Full Page Cache Warmer extension to version 1.11.12 or later. Mirasvit released these patches on May 25, 2026. This upgrade directly addresses the deserialization vulnerability.
- Deadlines: CISA specifically mandated Federal Civilian Executive Branch (FCEB) agencies to apply these fixes by June 6, 2026, showing the urgency for all organizations.
- Mitigation (if immediate patching is not feasible):
  - Disable/Uninstall Extension: If immediate patching is not possible due to operational constraints or testing requirements, temporarily disable or, if feasible, uninstall the Mirasvit Full Page Cache Warmer extension. On Magento this means disabling the extension's modules (names as listed by bin/magento module:status) with bin/magento module:disable, then running bin/magento setup:upgrade and flushing caches. Assess the impact on website performance and business operations first. Disabling the extension removes the vulnerable component from the active attack surface.
  - Network Protections: Deploy or enhance WAF rules to inspect and block HTTP requests containing CacheWarmer cookies with suspicious Base64-encoded serialized PHP object patterns (e.g., CacheWarmer:(Tz|Qz|YT)). These rules act only as a temporary safeguard by stopping known-shaped payloads from reaching the vulnerable component; they do not fix the flaw. Also, implement strict network segmentation for your Magento servers and configure egress filtering to restrict outbound connections from the Magento server to essential services only. This helps prevent an attacker from establishing command-and-control (C2) communication or exfiltrating data, even if RCE is achieved.
- Monitoring:
- Post-Remediation Audit: After applying the patch, conduct a thorough security audit of the Magento environment to ensure no persistent compromise occurred prior to remediation. This includes checking for backdoors, unauthorized user accounts, or modified files.
- Continuous Monitoring: Maintain closer monitoring of web server logs, WAF alerts, and EDR telemetry for any signs of attempted or successful exploitation of CVE-2026-45247. Continue to look for the detection indicators outlined in the previous section. This helps ensure the patch was effectively applied and no new or subtle exploitation methods emerge.
Organizations should prioritize patching immediately to remove the exposure to CVE-2026-45247. Any delay in applying the fix significantly increases the risk of a successful compromise.
Technical Takeaways
- CVE-2026-45247 is a critical unauthenticated remote code execution vulnerability (CVSS 9.8) in the Mirasvit Full Page Cache Warmer extension for Magento.
- The flaw stems from a deserialization of untrusted data (CWE-502), allowing attackers to inject malicious serialized PHP objects via the CacheWarmer cookie in any storefront HTTP request.
- Active exploitation is confirmed, leading to its inclusion in CISA's Known Exploited Vulnerabilities catalog and requiring immediate remediation for U.S. federal agencies.
- Observed attacks target e-commerce gaming and business sites across multiple countries, with initial payloads designed to validate remote code execution capabilities on compromised servers.
- Immediate patching to Mirasvit Full Page Cache Warmer extension version 1.11.12 or later is mandatory. Detection looks for CacheWarmer cookie patterns, such as CacheWarmer:(Tz|Qz|YT), in HTTP request logs.