Critical Mirasvit Magento Flaw Enables Arbitrary Code Execution on Thousands of Stores
A critical vulnerability in the Mirasvit Full Page Cache Warmer for Magento 2 has been actively exploited to execute arbitrary code on servers running Magento and Adobe Commerce. The flaw, identified as CVE-2026-45247, affects thousands of stores using versions prior to 1.11.12. Immediate patching is advised by CISA, which added the vulnerability to its Known Exploited Vulnerabilities catalog.
Summary
The US cybersecurity agency CISA has issued an urgent advisory for federal agencies and all organizations utilizing the Mirasvit Full Page Cache Warmer extension on Magento 2 platforms. The critical-severity vulnerability, CVE-2026-45247, allows attackers to execute arbitrary code remotely without authentication by exploiting PHP object injection. This issue affects thousands of stores still using versions before 1.11.12 and has been actively exploited since its public disclosure on May 26.
What Happened
The vulnerability arises from a PHP object injection flaw in the Mirasvit Full Page Cache Warmer extension for Magento 2, which attackers exploit by injecting serialized PHP objects into the CacheWarmer cookie. These objects are deserialized without restrictions, allowing attackers to control the reconstructed objects and execute arbitrary code on affected servers.
Technical Details
The vulnerability is a classic example of PHP object injection (CWE-502), where an attacker can manipulate the deserialization process to instantiate classes that lead to remote code execution. This flaw is particularly dangerous because it requires no authentication, making any store using vulnerable versions susceptible to exploitation. The attack leverages gadget chains built from classes already present in Magento and its dependencies.
Affected Products and Fixed Versions
Thousands of Magento and Adobe Commerce stores are at risk if they use a version of the Mirasvit Cache Warmer extension earlier than 1.11.12. All users of the extension on these platforms should update it to version 1.11.12 or newer, which includes patches for this vulnerability.
Exploitation Status
CVE-2026-45247 has been actively exploited since its disclosure on May 26. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog and issued a directive urging federal agencies to patch within three days. Although the directive applies primarily to federal agencies, all organizations are advised to prioritize updating their systems.
Detection Opportunities
Administrators can detect potential exploitation attempts by monitoring for storefront requests containing a CacheWarmer cookie with specific base64-encoded strings. According to Sansec, these strings start with "Tz", "Qz", or "YT". A CacheWarmer cookie value matching the pattern CacheWarmer:(Tz|Qz|YT) is a strong indicator of an exploitation attempt.
Why This Matters for Defenders
This vulnerability highlights the critical importance of timely patching and monitoring for known exploited vulnerabilities. The fact that this flaw allows remote code execution without authentication underscores the potential severity of such vulnerabilities, making it imperative for organizations to maintain up-to-date software versions and implement robust detection mechanisms.
What Remains Unclear
While the technical details of the vulnerability are well-documented, further information on specific threat actors or broader attack campaigns leveraging this vulnerability remains limited. Additionally, the full scope of affected installations beyond those identified by Sansec is not yet confirmed.
Defender Guidance
Organizations using Magento and Adobe Commerce with the Mirasvit Cache Warmer extension should immediately update to version 1.11.12 or newer. Administrators are advised to monitor for suspicious activity involving CacheWarmer cookies, specifically looking for base64-encoded strings starting with "Tz", "Qz", or "YT". Regularly reviewing and updating software versions is crucial in mitigating the risk of exploitation from known vulnerabilities.
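One way to run the CacheWarmer cookie check described under Detection Opportunities and Defender Guidance over request logs, as an added example that is not code from Sansec, Mirasvit or CISA. It assumes the Cookie header is logged in a trailing cookie="..." field (not a default in most access-log formats) and that the value may carry the literal "CacheWarmer:" prefix shown in the pattern; the log lines and the harmless serialized values are constructed.

```python
import base64
import re
from urllib.parse import unquote

# Prefixes named in the article. They are the leading base64 characters of
# PHP serialize() output that begins with "O:", "C:" or "a:".
PREFIXES = {"Tz": "object (O:)", "Qz": "custom-serialized object (C:)",
            "YT": "array (a:)"}
# Assumed log layout: the Cookie header is logged as a cookie="..." field.
COOKIE_FIELD = re.compile(r'cookie="([^"]*)"')

def check_cookie_header(header):
    """Return the serialized type a CacheWarmer cookie hints at, or None."""
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name != "CacheWarmer":
            continue
        value = unquote(value)  # cookie values are often percent-encoded
        # The article writes the pattern as CacheWarmer:(Tz|Qz|YT); this
        # assumes the value may carry that literal "CacheWarmer:" prefix.
        if value.startswith("CacheWarmer:"):
            value = value[len("CacheWarmer:"):]
        kind = PREFIXES.get(value[:2])
        if kind:
            return kind
    return None

def scan(lines):
    """Return (line number, client, type) for each suspicious log line."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = COOKIE_FIELD.search(line)
        kind = check_cookie_header(match.group(1)) if match else None
        if kind:
            hits.append((number, line.split()[0], kind))
    return hits

# Constructed sample data: harmless serialized values, documentation IPs.
_obj = base64.b64encode(b'O:8:"stdClass":0:{}').decode()  # begins "Tzo"
_arr = base64.b64encode(b"a:0:{}").decode()               # begins "YTo"
SAMPLE_LOG = [
    '198.51.100.7 "GET / HTTP/1.1" 200 cookie="PHPSESSID=abc; CacheWarmer=%s"' % _obj,
    '203.0.113.9 "GET /cart HTTP/1.1" 200 cookie="CacheWarmer=CacheWarmer%%3A%s"' % _arr,
    '192.0.2.4 "GET / HTTP/1.1" 200 cookie="PHPSESSID=xyz; CacheWarmer=1"',
    '192.0.2.5 "GET / HTTP/1.1" 200 cookie="-"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("possible CVE-2026-45247 attempt:", hit)
```

A two-character prefix match can also fire on unrelated values that happen to start the same way, so each hit is a lead to review against the full request rather than a confirmed compromise.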
