
Mirasvit Cache Warmer CVE-2026-45247 exploitation

Summary

CISA added CVE-2026-45247 to the Known Exploited Vulnerabilities catalog on June 3, 2026. The issue is an unauthenticated PHP object-injection flaw in Mirasvit Full Page Cache Warmer for Magento / Adobe Commerce that can reach remote code execution when a crafted CacheWarmer cookie is deserialized.

Why this matters

  • The vulnerable surface is ordinary storefront traffic: Sansec reports no authentication, admin session, or configuration toggle is required.
  • NVD describes affected versions as Mirasvit Full Page Cache Warmer for Magento 2 before 1.11.12.
  • CISA’s KEV entry sets a June 6, 2026 remediation due date for covered agencies, which confirms that exploitation has been observed in the wild.
  • Magento / Adobe Commerce stores are high-value targets for payment-card theft, web shells, and persistent e-commerce compromise; a cookie-triggered deserialization path is easy to automate once exploit details are known.

Public reporting

  • Sansec reports that a crafted CacheWarmer cookie reaches PHP’s native unserialize() on attacker-controlled data and can lead to remote code execution with a suitable Magento gadget chain.
  • Mirasvit’s changelog for version 1.11.12 says it “Fixed PHP Object Injection vulnerability in session cookie deserialization.”
  • NVD rates the flaw critical under CVSS 3.1 with a 9.8 base score and describes unauthenticated remote code execution through the unrestricted unserialize() call.
  • CISA describes the flaw as deserialization of untrusted data in Mirasvit Full Page Cache Warmer and lists ransomware campaign use as unknown.

Defender notes

  • Upgrade Mirasvit Full Page Cache Warmer to 1.11.12 or later; do not rely on WAF-only mitigation for exposed storefronts.
  • Hunt web access logs for unusual or serialized-looking CacheWarmer cookie values, especially requests preceding new PHP files, modified Magento modules, suspicious admin users, payment-script changes, or outbound callbacks.
  • For stores that were exposed before patching, treat the bug as potential RCE: review filesystem integrity, Magento admin accounts, scheduled tasks/cron entries, payment templates, and recently changed extension files.
  • Preserve logs before cleanup where incident response may be needed; e-commerce compromise often includes short-lived web shells and later payment-card skimmers.
  • Avoid assuming a specific actor or ransomware linkage until public incident reporting ties exploitation to a named cluster.
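The log hunt suggested in the second note, as an added example that is not from any of the sources cited here: it extracts the CacheWarmer cookie (name taken from the advisory) from access-log lines and flags values that, after URL-decoding and an optional base64 step, start with a PHP serialize() type tag. It assumes the request Cookie header is logged as the last quoted field (a custom log format); the sample lines and the harmless empty-object payload in them are constructed.

```python
import base64
import re
from urllib.parse import unquote

# PHP serialize() output opens with a type tag: O:8:"Cls":n:{, C:n:", a:n:{, s:n:", i:/b:/d: or N;
PHP_SERIALIZED = re.compile(r'^(?:[OC]:\d+:"|a:\d+:\{|s:\d+:"|[ibd]:-?\d|N;)')
COOKIE_FIELD = re.compile(r'"([^"]*)"$')  # assumed: request Cookie header logged as the last quoted field

# Constructed sample lines (combined log format plus a trailing quoted Cookie field). The second carries
# URL-encoded O:8:"stdClass":0:{} (a harmless empty object) and the third the same value base64-encoded.
SAMPLE_LOGS = [
    '203.0.113.5 - - [03/Jun/2026:10:00:00 +0000] "GET /catalog/product/view/id/1 HTTP/1.1" 200 5120 '
    '"-" "Mozilla/5.0" "CacheWarmer=1; frontend=abc123"',
    '198.51.100.7 - - [03/Jun/2026:10:00:05 +0000] "GET / HTTP/1.1" 200 8192 '
    '"-" "python-requests/2.31" "CacheWarmer=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"',
    '198.51.100.9 - - [03/Jun/2026:10:00:09 +0000] "GET / HTTP/1.1" 200 8192 '
    '"-" "curl/8.0" "CacheWarmer=Tzo4OiJzdGRDbGFzcyI6MDp7fQ%3D%3D; frontend=def456"',
]

def cache_warmer_cookie(line):
    """Return the raw CacheWarmer cookie value from one log line, or None if absent."""
    m = COOKIE_FIELD.search(line)
    if not m:
        return None
    for part in m.group(1).split(';'):
        name, _, value = part.strip().partition('=')
        if name == 'CacheWarmer':
            return value
    return None

def looks_serialized(value):
    """True if the value, URL-decoded and optionally base64-decoded, resembles PHP serialize() output."""
    decoded = unquote(value)
    if PHP_SERIALIZED.match(decoded):
        return True
    try:  # a normal opaque session token almost never base64-decodes cleanly to a serialize() type tag
        raw = base64.b64decode(decoded, validate=True).decode('latin-1')
    except ValueError:  # binascii.Error (bad alphabet or padding) is a ValueError subclass
        return False
    return bool(PHP_SERIALIZED.match(raw))

def suspicious_requests(lines):
    """Return (client_ip, decoded_cookie) for each line whose CacheWarmer cookie looks serialized."""
    hits = []
    for line in lines:
        value = cache_warmer_cookie(line)
        if value is not None and looks_serialized(value):
            hits.append((line.split()[0], unquote(value)))
    return hits
```

Treat a hit as a lead to pivot on (same client, new PHP files, admin changes shortly after), not as proof of compromise on its own.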

Sources

  • CISA KEV catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
  • NVD CVE-2026-45247: https://nvd.nist.gov/vuln/detail/CVE-2026-45247
  • Sansec — Critical vulnerability in Mirasvit Cache Warmer for Magento: https://sansec.io/research/mirasvit-cache-warmer-object-injection
  • Mirasvit Full Page Cache Warmer changelog: https://mirasvit.com/package/changelog/?package=mirasvit/module-cache-warmer
  • VulnCheck advisory: https://www.vulncheck.com/advisories/mirasvit-cache-warmer-for-magento-php-object-injection