Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical flaw impacting Mirasvit Cache Warmer, a popular Magento full-page cache extension, to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation in the wild. The vulnerability, tracked as CVE-2026-45247 (CVSS score: 9.8), is a case of deserialization of untrusted
Analysis Summary
# Vulnerability: PHP Object Injection in Mirasvit Cache Warmer for Magento
## CVE Details
- **CVE ID:** CVE-2026-45247
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-502 (Deserialization of Untrusted Data)
## Affected Systems
- **Products:** Mirasvit Full Page Cache Warmer (Magento extension)
- **Versions:** All versions prior to v1.11.12
- **Configurations:** Any Magento storefront running the affected extension; the vulnerability is accessible via standard storefront requests.
## Vulnerability Description
The vulnerability is a PHP object injection flaw residing in how the extension processes the `CacheWarmer` cookie. The application uses PHP’s native `unserialize()` function on data provided directly by the client without prior validation. By supplying a crafted, Base64-encoded serialized PHP object within the cookie, an unauthenticated attacker can manipulate the objects PHP reconstructs. When combined with "gadget chains" (pre-existing classes within Magento or its dependencies), this leads to Remote Code Execution (RCE).
## Exploitation
- **Status:** Exploited in the wild (Added to CISA KEV catalog on June 3, 2026).
- **Complexity:** Low (No authentication or administrative privileges required).
- **Attack Vector:** Network (Remote via HTTP requests).
## Impact
- **Confidentiality:** High (Full system access/data exfiltration possible via RCE).
- **Integrity:** High (Attackers can execute arbitrary commands and modify server data).
- **Availability:** High (Potential for system takeover or service disruption).
## Remediation
### Patches
- **Update to Version 1.11.12** or later. Patches were officially released on May 25, 2026.
- **FCEB Agencies:** Must apply fixes by June 6, 2026, per CISA directive.
### Workarounds
- No specific software configuration workarounds were provided in the report; immediate patching of the extension is the primary recommendation.
## Detection
- **Indicators of Compromise (IoC):**
  - Look for HTTP requests containing the `CacheWarmer` cookie.
  - Specifically, audit for cookie values starting with the prefix `CacheWarmer:` followed by Base64 strings starting with `Tz`, `Qz`, or `YT` (which represent serialized PHP objects).
- **Detection Methods:**
  - Use Web Application Firewalls (WAF) to filter malicious `CacheWarmer` cookie payloads.
  - Monitor server logs for unauthorized execution of PHP functions such as `system()` or `current()`.
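The IoC list above gives the Base64 prefixes to hunt for; the following is an added detection example (not code from the report, CISA, Sansec or Mirasvit) that turns those prefixes into a log scanner. It goes one step further than a bare prefix match: `Tz`, `Qz` and `YT` are what `O:`, `C:` and `a:` (PHP object, class and array markers) encode to in Base64, so the scanner decodes each candidate value and confirms the decoded bytes really start with that marker, which avoids flagging a benign value that merely happens to begin with `Tz`. The log line format, the `LOG_RE` pattern, and the sample payloads are constructed assumptions; the two serialized payloads are a harmless `stdClass` and a plain array, not a gadget chain.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote

# Base64 prefixes listed in the IoC section, mapped to the PHP serialization
# marker each one decodes to: O: (object), C: (class), a: (array).
SUSPECT_PREFIXES = {"Tz": "O:", "Qz": "C:", "YT": "a:"}

# Optional literal prefix that the IoC section says precedes the Base64 blob.
COOKIE_VALUE_PREFIX = "CacheWarmer:"

COOKIE_RE = re.compile(r'(?:^|;\s*)CacheWarmer=([^;]*)')
# Constructed log format (assumption): timestamp, client IP, request line,
# then the raw Cookie header in double quotes. Adapt LOG_RE to your own logs.
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<req>[^"]*)" cookie="(?P<cookie>[^"]*)"$')


def extract_cache_warmer_cookie(cookie_header):
    """Return the URL-decoded CacheWarmer cookie value, or None if absent."""
    m = COOKIE_RE.search(cookie_header)
    return unquote(m.group(1)) if m else None


def classify_cookie_value(value):
    """Decide whether a CacheWarmer cookie value carries serialized PHP data.

    A value is flagged only when its Base64 prefix is one of the IoC prefixes
    AND the decoded bytes start with the matching serialization marker.
    """
    payload = value
    if payload.startswith(COOKIE_VALUE_PREFIX):
        payload = payload[len(COOKIE_VALUE_PREFIX):]
    result = {"suspicious": False, "prefix": payload[:2], "marker": None, "decoded_head": None}
    marker = SUSPECT_PREFIXES.get(payload[:2])
    if marker is None:
        return result
    padded = payload + "=" * (-len(payload) % 4)  # tolerate stripped '=' padding
    try:
        decoded = base64.b64decode(padded)
    except (binascii.Error, ValueError):
        return result
    if decoded.startswith(marker.encode()):
        result.update(suspicious=True, marker=marker,
                      decoded_head=decoded[:48].decode("latin-1"))
    return result


def scan_log_lines(lines):
    """Return one finding per log line whose CacheWarmer cookie decodes to serialized PHP."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        value = extract_cache_warmer_cookie(m.group("cookie"))
        if value is None:
            continue
        verdict = classify_cookie_value(value)
        if verdict["suspicious"]:
            findings.append({"ip": m.group("ip"), "request": m.group("req"), **verdict})
    return findings


# Constructed sample payloads: a harmless stdClass object and a plain array,
# used only to exercise the prefix/marker logic.
OBJECT_PAYLOAD_B64 = base64.b64encode(b'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}').decode()
ARRAY_PAYLOAD_B64 = base64.b64encode(b'a:1:{s:3:"key";s:5:"value";}').decode()

# Constructed log lines (assumption: the Cookie header was logged verbatim).
# Line 4 carries "Tzk=" (Base64 of "O9"): it starts with Tz but is not an object.
SAMPLE_LOG_LINES = [
    '2026-06-03T10:00:01Z 203.0.113.10 "GET /catalog/category/view/id/5" cookie="PHPSESSID=abc123; CacheWarmer=1"',
    f'2026-06-03T10:00:02Z 203.0.113.11 "GET /" cookie="CacheWarmer={quote(COOKIE_VALUE_PREFIX + OBJECT_PAYLOAD_B64, safe="")}"',
    f'2026-06-03T10:00:03Z 203.0.113.12 "GET /checkout" cookie="form_key=xyz; CacheWarmer={ARRAY_PAYLOAD_B64}"',
    '2026-06-03T10:00:04Z 203.0.113.13 "GET /" cookie="CacheWarmer=Tzk%3D"',
    '2026-06-03T10:00:05Z 203.0.113.14 "GET /" cookie="other=1"',
]

if __name__ == "__main__":
    for f in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"{f['ip']} {f['request']} marker={f['marker']} head={f['decoded_head']!r}")
```

Run against real access logs by replacing `SAMPLE_LOG_LINES` with the log's lines and adjusting `LOG_RE` to the logged Cookie field; each finding carries the client IP, request line and the decoded head of the payload, which is what a triage ticket needs. The same decode-and-confirm check can be expressed as a WAF rule condition, but a regex-only rule on the Base64 prefix will also match benign values such as the `Tzk=` case above.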
## References
- **CISA KEV Catalog:** hxxps[://]www.cisa.gov/known-exploited-vulnerabilities-catalog
- **Vendor/Security Research (Sansec):** hxxps[://]sansec.io/research/mirasvit-cache-warmer-object-injection
- **Security Advisory (Imperva):** hxxps[://]www.imperva.com/blog/imperva-customers-protected-against-cve-2026-45247-in-mirasvit-full-page-cache-warmer-for-magento/
- **NVD Detail:** hxxps[://]nvd.nist.gov/vuln/detail/CVE-2026-45247