CVE-2026-45247 is a critical vulnerability in the Mirasvit Full Page Cache Warmer module for Magento 2. It stems from an unrestricted call to PHP’s native `unserialize()` function. The vulnerable plugin, designed to pre-populate Magento’s full-page cache, runs on every storefront request. It processes a `CacheWarmer` cookie to switch the customer’s session state before rendering a page.
The issue arises because the module passes a portion of this client-controlled cookie value directly to `unserialize()` without validating it or restricting which classes may be instantiated (that is, without PHP's `allowed_classes` restriction). By placing a crafted serialized PHP object in the `CacheWarmer` cookie, an unauthenticated attacker can have arbitrary classes instantiated with attacker-chosen property values. Deserialization alone then invokes magic methods such as `__wakeup()` and, later in the request, `__destruct()` or `__toString()` on those objects, so if suitable classes are loadable, attacker-controlled data flows into code paths that were never meant to see it.
This becomes remote code execution (RCE) when combined with an existing "gadget chain": a sequence of classes and methods already present in Magento or its dependencies, such as Zend or Symfony components, whose magic methods can be steered into executing arbitrary commands on the server. The attack vector is simple: a single HTTP request to any storefront page carrying the malicious cookie, with no authentication, admin session or special configuration required. Every store running an unpatched copy of the module is therefore exposed. The vulnerability was discovered by Sansec on April 24, 2026, and Mirasvit released a patch in version 1.11.12 on May 25, 2026.
DailyCVE Form:
Platform: Magento 2
Version: < 1.11.12
Vulnerability: PHP object injection via unrestricted unserialize()
Severity: 9.8 (Critical)
Date: May 26, 2026
Prediction: May 25, 2026
What Undercode Say:
Detection of exploitation attempts in access logs. Look for storefront requests whose `CacheWarmer` cookie carries a base64-encoded serialized PHP object. A serialized PHP object begins with `O:`, a custom-serialized class with `C:` and an array with `a:`; base64-encoded, those two-byte prefixes become `Tz`, `Qz` and `YT` respectively, so they appear at the very start of the encoded value:
grep -i "CacheWarmer:[A-Za-z0-9+/=]" /var/log/magento/access.log | grep -E "(Tz|Qz|YT)"
Two caveats. Stock combined-format access logs do not record request cookies at all, so this only works where the log format has been extended to include the Cookie header (nginx `$http_cookie`, Apache `%{Cookie}i`). And the second grep matches those bigrams anywhere on the line, including inside unrelated base64 and user-agent strings, so expect false positives unless the pattern is anchored immediately after `CacheWarmer:`.
Check whether the vulnerable module is installed and which version is present (run from the Magento root so Composer reads the store's own installed package set):
composer show mirasvit/module-cache-warmer | grep versions
Anything below 1.11.12 is affected.
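As an added worked example (not part of the original advisory and not Mirasvit's or Sansec's code), the following Python script applies the same check to constructed sample log lines, but decodes the cookie value and inspects the real bytes instead of grepping for base64 bigrams. It assumes an access-log format that appends the Cookie header as a final quoted field (stock combined logs omit cookies), and all IP addresses and payloads are constructed: a `stdClass` object and a plain array stand in for serialized data, and one JSON value happens to base64-encode to a string containing `YT`, which trips the naive grep but not the decoded check.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Assumed log format (NOT Magento's or nginx's default): the "combined" format
# with the request's Cookie header appended as one more quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookies>[^"]*)"$'
)
COOKIE_NAME = "CacheWarmer"
VALUE_PREFIX = "CacheWarmer:"  # the advisory says the cookie value starts with this

# Top-level PHP serialization tokens that can carry objects: O: (object),
# C: (custom-serialized class) and a: (array, which may nest objects).
PHP_SERIALIZED_RE = re.compile(rb'^(?:[OC]:\d+:"|a:\d+:\{)')

# The advisory's grep pipeline, mirrored: cookie prefix present anywhere on the
# line (case-insensitive), and the bigrams Tz / Qz / YT present anywhere on it.
NAIVE_PREFIX_RE = re.compile(r'CacheWarmer:[A-Za-z0-9+/=]', re.IGNORECASE)
NAIVE_BIGRAM_RE = re.compile(r'Tz|Qz|YT')

def cookie_value(cookie_header: str, name: str = COOKIE_NAME) -> Optional[str]:
    """Return the value of cookie `name` from a raw Cookie header, else None."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None

def decode_warmer_payload(value: str) -> Optional[bytes]:
    """Strip the 'CacheWarmer:' prefix and strictly base64-decode the rest."""
    if not value.startswith(VALUE_PREFIX):
        return None
    try:
        return base64.b64decode(value[len(VALUE_PREFIX):], validate=True)
    except (binascii.Error, ValueError):
        return None

def is_php_serialized(payload: bytes) -> bool:
    """True if the decoded payload starts with an object-capable PHP token."""
    return PHP_SERIALIZED_RE.match(payload) is not None

def naive_hit(line: str) -> bool:
    """What the advisory's two greps would flag for this line."""
    return bool(NAIVE_PREFIX_RE.search(line)) and bool(NAIVE_BIGRAM_RE.search(line))

def precise_hit(line: str) -> bool:
    """Parse the line, isolate the cookie, decode it, inspect the real bytes."""
    m = LOG_RE.match(line)
    if not m:
        return False
    value = cookie_value(m.group("cookies"))
    if value is None:
        return False
    payload = decode_warmer_payload(value)
    return payload is not None and is_php_serialized(payload)

def scan(log_text: str) -> Tuple[List[str], List[str]]:
    """Return (naive_hits, precise_hits) as lists of client IPs, in log order."""
    naive, precise = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip = line.split(" ", 1)[0]
        if naive_hit(line):
            naive.append(ip)
        if precise_hit(line):
            precise.append(ip)
    return naive, precise

def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")

_LINE = ('{ip} - - [26/May/2026:10:01:0{n} +0000] "GET {path} HTTP/1.1" 200 4096 '
         '"-" "{ua}" "{cookies}"')

# Constructed sample traffic (not real captures). Lines 2 and 3 carry PHP
# serialized data; line 4 is JSON whose base64 contains "YT" by coincidence,
# which the naive grep flags; lines 1 and 5 are clean.
SAMPLE_LOG = "\n".join([
    _LINE.format(ip="203.0.113.5", n=1, path="/", ua="Mozilla/5.0",
                 cookies="PHPSESSID=abc123; CacheWarmer=CacheWarmer:" + _b64(b'{"group":0}')),
    _LINE.format(ip="203.0.113.9", n=2, path="/catalog/category/view/id/3",
                 ua="python-requests/2.31",
                 cookies="CacheWarmer=CacheWarmer:" + _b64(b'O:8:"stdClass":1:{s:1:"a";i:1;}')),
    _LINE.format(ip="198.51.100.7", n=3, path="/customer/account/", ua="curl/8.4",
                 cookies="CacheWarmer=CacheWarmer:" + _b64(b'a:1:{i:0;s:4:"test";}')),
    _LINE.format(ip="192.0.2.44", n=4, path="/checkout/cart/", ua="Mozilla/5.0",
                 cookies="CacheWarmer=CacheWarmer:" + _b64(b'{"tier":"a1"}')),
    _LINE.format(ip="192.0.2.45", n=5, path="/checkout/cart/", ua="Mozilla/5.0",
                 cookies="form_key=XyZ"),
])

if __name__ == "__main__":
    naive, precise = scan(SAMPLE_LOG)
    print("naive grep flags:   ", naive)
    print("decoded check flags:", precise)
```

Run against the sample, the naive grep reports three client IPs and the decoded check two: the `{"tier":"a1"}` cookie is dropped because its bytes start with `{`, not `O:`, `C:` or `a:`. Pointing `scan()` at a real log requires only that the Cookie header is actually present in the configured log format; the decode step is also what to reuse in a WAF or SIEM rule, since it ignores where in the base64 a bigram happens to land.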
How Exploit:
The attacker sends an HTTP GET request to any storefront page with a crafted `CacheWarmer` cookie. The cookie value must start with the string `CacheWarmer:` followed by a base64-encoded serialized PHP object. This object, when deserialized by PHP’s `unserialize()` function, triggers a pre-existing gadget chain from Magento’s codebase to execute arbitrary PHP code on the server. A proof of concept is publicly available.
Protection:
The primary fix is to update Mirasvit Full Page Cache Warmer to version 1.11.12 or later. As a temporary measure, a web application firewall (WAF) can block requests whose `CacheWarmer` cookie value contains `Tz`, `Qz` or `YT` directly after the `CacheWarmer:` prefix. Anchoring the pattern there matters: those bigrams also occur inside ordinary base64, so an unanchored rule will block legitimate traffic. Treat the WAF rule as a stopgap, not a substitute for the update. After patching, scan for indicators of compromise such as unexpected PHP files in web-accessible directories like pub/, rather than assuming the patch alone is sufficient if the store was exposed before it was applied.
Impact:
Successful exploitation allows an unauthenticated attacker to achieve remote code execution (RCE) on the server. This can lead to full server compromise, including data theft, website defacement, malware installation, and using the compromised server as a pivot point for further attacks. The vulnerability is trivial to exploit and can be fully automated, making unpatched stores a primary target for mass compromise campaigns.
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

