Adobe Commerce and Mirasvit: Critical Magento Cache Plugin Vulnerability Enables Remote Code Execution Attacks

Critical Magento Extension Vulnerability Exposes Thousands of Stores to RCE Attacks

A severe security flaw in the Mirasvit Cache Warmer plugin for Magento and Adobe Commerce is leaving thousands of online stores vulnerable to remote code execution (RCE) attacks. Tracked as CVE-2026-45247 with a CVSS score of 9.8, the vulnerability allows unauthenticated attackers to execute arbitrary code on affected servers by exploiting improper input handling in the plugin’s caching mechanism.

The flaw stems from the plugin’s use of PHP’s unserialize() function on user-controlled CacheWarmer cookies, enabling PHP object injection (CWE-502). Since the plugin does not restrict class instantiation during deserialization, attackers can craft malicious payloads to escalate the attack into full RCE, particularly when combined with existing gadget chains in Magento or its dependencies.

Key Details:

  • Affected Software: Mirasvit Cache Warmer (all versions prior to 1.11.12).
  • Discovery & Disclosure: Identified by Sansec on April 24, 2026, with Mirasvit notified on May 21 and a patch (v1.11.12) released on May 25.
  • Scope: Sansec estimates at least 6,000 Magento stores are running vulnerable versions, though the actual number may be higher due to CDN masking.
  • Exploitation Footprint: Malicious requests contain a CacheWarmer cookie with base64-encoded serialized data, often starting with prefixes like Tz, Qz, or YT.
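The exploitation footprint above (a CacheWarmer cookie carrying base64-encoded serialized data with a Tz, Qz or YT prefix) is easy to turn into a log sweep. The script below is an added example, not code from Sansec, Mirasvit or the advisory. It assumes a custom access-log format in which the Cookie header is appended as a final quoted field (the stock "combined" format does not log cookies; adjust `LOG_LINE_RE` to whatever your server writes). The three prefixes are explained by base64 itself: "Tz" is the encoding of the bytes `O:` (PHP object), "Qz" of `C:` (custom-serialized object) and "YT" of `a:` (array), so the script decodes the value and confirms the serialized shape rather than trusting the prefix alone. All cookie values and log lines are constructed and harmless (a serialized `stdClass` and a plain array, no gadget chain).

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Cookie the Mirasvit Cache Warmer plugin reads (name taken from the advisory).
COOKIE_NAME = "CacheWarmer"

# The advisory's prefixes are the base64 encoding of the first two bytes of PHP
# serialized data: "Tz" <- "O:" (object), "Qz" <- "C:" (custom-serialized object),
# "YT" <- "a:" (array). A value that starts this way deserves a closer look.
SUSPICIOUS_PREFIXES = ("Tz", "Qz", "YT")

# Shape of the decoded bytes that confirms a serialized PHP object or array.
PHP_OBJECT_RE = re.compile(rb'^[OC]:\d+:"[A-Za-z0-9_\\]+":\d+:')
PHP_ARRAY_RE = re.compile(rb"^a:\d+:\{")

# Assumed custom access-log format: combined log plus the Cookie header as the
# final quoted field (the stock "combined" format does not log cookies).
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<cookie>[^"]*)"$'
)


def parse_cookie_header(header: str) -> dict:
    """Split a Cookie header into {name: value}. Values are URL-decoded so that
    %3D padding or %2B inside a base64 blob is restored before inspection."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = unquote(value.strip())
    return cookies


def decode_base64_lenient(value: str):
    """Decode base64 whose padding may have been stripped; None if not base64."""
    value = value.strip()
    if not re.fullmatch(r"[A-Za-z0-9+/]+=*", value):
        return None
    padded = value.rstrip("=")
    padded += "=" * (-len(padded) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_cookie_value(value: str) -> str:
    """'php_object' / 'php_array' when the decoded bytes are PHP serialized data,
    'suspicious_prefix' when only the base64 prefix matches, else 'benign'."""
    decoded = decode_base64_lenient(value)
    if decoded is not None:
        if PHP_OBJECT_RE.match(decoded):
            return "php_object"
        if PHP_ARRAY_RE.match(decoded):
            return "php_array"
    if value.startswith(SUSPICIOUS_PREFIXES):
        return "suspicious_prefix"
    return "benign"


def scan_log_lines(lines) -> list:
    """Return one finding per request that carries a CacheWarmer cookie."""
    findings = []
    for line in lines:
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # unparsable line: skip it rather than abort the sweep
        cookies = parse_cookie_header(m.group("cookie"))
        if COOKIE_NAME not in cookies:
            continue
        findings.append({
            "ip": m.group("ip"),
            "time": m.group("time"),
            "request": m.group("request"),
            "verdict": classify_cookie_value(cookies[COOKIE_NAME]),
        })
    return findings


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


# Constructed, harmless sample values: a serialized stdClass and a serialized
# array (no gadget chain), the latter with its "=" padding URL-encoded as %3D.
SAMPLE_OBJ = _b64(b'O:8:"stdClass":1:{s:1:"a";i:1;}')   # begins with "Tz"
SAMPLE_ARR = _b64(b'a:1:{s:3:"key";s:5:"value";}')      # begins with "YT"
SAMPLE_ARR_URLENC = SAMPLE_ARR.replace("=", "%3D")

# Constructed log lines in the assumed format above.
SAMPLE_LOG = [
    '198.51.100.7 - - [25/May/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "PHPSESSID=abc; CacheWarmer=1"',
    f'203.0.113.9 - - [25/May/2026:10:00:02 +0000] "GET /catalog HTTP/1.1" 200 8192 "CacheWarmer={SAMPLE_OBJ}"',
    f'203.0.113.9 - - [25/May/2026:10:00:03 +0000] "GET /catalog HTTP/1.1" 200 8192 "CacheWarmer={SAMPLE_ARR_URLENC}"',
    '203.0.113.10 - - [25/May/2026:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "CacheWarmer=TzNotBase64!"',
    '198.51.100.8 - - [25/May/2026:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "PHPSESSID=def"',
]

if __name__ == "__main__":
    for finding in scan_log_lines(SAMPLE_LOG):
        if finding["verdict"] != "benign":
            print(finding)
```

Treat `php_object` as the high-confidence signal: PHP object injection needs an `O:` or `C:` payload. If legitimate plugin traffic on your store also carries serialized arrays, rank `php_array` lower and use it mainly to pin down source IPs and timing; `suspicious_prefix` alone is a hint to look at the raw request, not a verdict.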

Impact & Response:

The vulnerability is easily exploitable at scale, with no authentication required. Sansec’s Shield protection blocked attacks for its customers as early as April 24. While Mirasvit has released a patch, security experts warn that exploitation activity is expected to rise following public disclosure.

Administrators are advised to upgrade to v1.11.12 immediately or deploy a web application firewall (WAF) as a temporary mitigation. Compromise assessments, including scans for webshells and unauthorized PHP files in the pub/ directory, are recommended to detect potential breaches.
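The compromise assessment the advisory recommends, a sweep of pub/ for PHP that should not be there, can be scripted along the lines below. This is an added example, not a Sansec, Mirasvit or Magento tool. The allowlist of entry points (`EXPECTED_PHP_FILES`, `EXPECTED_PHP_DIRS`) is an assumption about a stock Magento 2 layout and must be rebuilt from a known-good copy of your own release; the rule that upload and asset directories (pub/media, pub/static) never legitimately hold executable PHP is the part worth keeping. The content markers only rank files that are already unexpected, because on their own they produce false positives. The fixture tree is constructed inside a temporary directory and contains no working code.

```python
import re
import tempfile
from pathlib import Path

# Assumption (not from the advisory): PHP entry points a stock Magento 2 deployment
# keeps directly in pub/. Build the real baseline from a known-good copy of your release.
EXPECTED_PHP_FILES = {"index.php", "cron.php", "get.php", "static.php", "health_check.php"}
EXPECTED_PHP_DIRS = ("errors/",)        # shipped error pages live here (assumption)
ASSET_DIRS = ("media/", "static/")      # uploads and assets: executable code never belongs here
PHP_SUFFIXES = {".php", ".phtml", ".phar"}

# Coarse markers common in dropped webshells. High false-positive rate on their own,
# so they are only used to rank files that are already flagged for another reason.
WEBSHELL_MARKERS = re.compile(
    rb"eval\s*\(|base64_decode\s*\(|\$_(?:GET|POST|REQUEST|COOKIE)\s*\[", re.IGNORECASE
)


def is_php_like(path: Path) -> bool:
    """True for .php/.phtml/.phar, including double-extension names such as x.php.jpg."""
    suffixes = {s.lower() for s in path.suffixes}
    return bool(suffixes & PHP_SUFFIXES)


def audit_pub_dir(pub: Path) -> list:
    """Walk pub/ and report PHP files that are unexpected or sit in asset directories."""
    findings = []
    for path in sorted(p for p in pub.rglob("*") if p.is_file()):
        rel = path.relative_to(pub).as_posix()
        if not is_php_like(path):
            continue
        if rel.startswith(ASSET_DIRS):
            reason = "php_in_asset_dir"          # highest priority: never legitimate
        elif rel in EXPECTED_PHP_FILES or rel.startswith(EXPECTED_PHP_DIRS):
            continue                              # on the baseline
        else:
            reason = "unexpected_php"
        hits = WEBSHELL_MARKERS.findall(path.read_bytes())
        markers = sorted({h.decode(errors="replace") for h in hits})
        findings.append({"path": rel, "reason": reason, "markers": markers})
    return findings


def build_fixture(root: Path) -> Path:
    """Constructed pub/ tree: a clean entry point, a shipped error page, an image,
    a dropped double-extension file under media/, and an off-baseline script."""
    pub = root / "pub"
    (pub / "media" / "catalog").mkdir(parents=True)
    (pub / "errors").mkdir()
    (pub / "index.php").write_text("<?php require __DIR__ . '/../app/bootstrap.php';\n")
    (pub / "errors" / "404.php").write_text("<?php echo 'not found';\n")
    (pub / "media" / "logo.png").write_bytes(b"\x89PNG constructed fixture")
    (pub / "media" / "catalog" / "cache.php.jpg").write_text(
        "<?php /* constructed fixture, not functional */ @eval(base64_decode($x));\n"
    )
    (pub / "health.php").write_text("<?php echo 'ok';\n")
    return pub


def run_demo() -> list:
    """Build the fixture in a temp dir, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_pub_dir(build_fixture(Path(tmp)))


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Run it against a real store as `audit_pub_dir(Path("/var/www/html/pub"))` after adjusting the allowlist. Anything reported as `php_in_asset_dir` warrants immediate isolation of the host and a look at file modification times; `unexpected_php` entries are either deployment drift or a dropped file, and the baseline comparison (not the marker regex) is what distinguishes the two.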

Source: https://gbhackers.com/magento-cache-plugin-vulnerability/

Adobe Commerce cybersecurity rating report: https://www.rankiteo.com/company/adobe-commerce

Mirasvit cybersecurity rating report: https://www.rankiteo.com/company/mirasvit

{
  "id": "ADOMIR1780324139",
  "linkid": "adobe-commerce, mirasvit",
  "type": "Vulnerability",
  "date": "4/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}

{
  "affected_entities": [
    {
      "industry": "Retail, E-commerce",
      "location": "Global",
      "name": "Magento and Adobe Commerce stores",
      "size": "At least 6,000 stores (estimated)",
      "type": "E-commerce platforms"
    }
  ],
  "attack_vector": "Unauthenticated exploitation via CacheWarmer cookies",
  "date_detected": "2026-04-24",
  "date_publicly_disclosed": "2026-05-25",
  "description": "A severe security flaw in the Mirasvit Cache Warmer plugin for Magento and Adobe Commerce is leaving thousands of online stores vulnerable to remote code execution (RCE) attacks. The vulnerability (CVE-2026-45247, CVSS 9.8) allows unauthenticated attackers to execute arbitrary code by exploiting improper input handling in the plugin’s caching mechanism via PHP object injection (CWE-502).",
  "impact": {
    "brand_reputation_impact": "High (public disclosure of critical vulnerability)",
    "operational_impact": "Potential full server compromise via RCE",
    "systems_affected": "Magento and Adobe Commerce stores with Mirasvit Cache Warmer plugin (versions prior to 1.11.12)"
  },
  "investigation_status": "Publicly disclosed, exploitation activity expected to rise",
  "post_incident_analysis": {
    "corrective_actions": "Patch released (v1.11.12), WAF deployment recommended",
    "root_causes": "Improper input handling in CacheWarmer plugin (use of PHP `unserialize()` on user-controlled cookies without class restrictions)"
  },
  "recommendations": "Upgrade to Mirasvit Cache Warmer v1.11.12 immediately, deploy WAF, conduct compromise assessments, and monitor for exploitation attempts.",
  "references": [{"source": "Sansec"}],
  "response": {
    "adaptive_behavioral_waf": "Recommended as temporary mitigation",
    "containment_measures": "Upgrade to Mirasvit Cache Warmer v1.11.12 or deploy WAF",
    "enhanced_monitoring": "Sansec Shield protection",
    "remediation_measures": "Patch deployment (v1.11.12), compromise assessments (webshell scans, unauthorized PHP files in pub/ directory)",
    "third_party_assistance": "Sansec (Shield protection)"
  },
  "title": "Critical Magento Extension Vulnerability Exposes Thousands of Stores to RCE Attacks",
  "type": "Remote Code Execution (RCE)",
  "vulnerability_exploited": "CVE-2026-45247 (PHP object injection, CWE-502)"
}