Magento and Adobe Commerce environments often rely on third-party extensions to extend functionality and improve performance. However, these extensions can also introduce security risks that exist outside the core platform.
CVE-2026-45247 is a recent example of how vulnerabilities in third-party Magento extensions can create severe security risks. The vulnerability affects the Mirasvit Full Page Cache Warmer extension and allows unauthenticated attackers to achieve remote code execution through unsafe PHP deserialization. The vulnerability carries a critical severity rating, requires no authentication, and has already been observed under active exploitation.
The situation became more serious after the vulnerability was added to the Known Exploited Vulnerabilities (KEV) catalog maintained by CISA, highlighting the urgency of remediation for organizations running affected Magento environments.
What Is CVE-2026-45247?
Risk Analysis
Severity: Critical
CVSS v3.1 Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit Publicly Available: Yes
Exploitation Complexity: Low
Active Exploitation: Yes
CVE-2026-45247 is a critical PHP object injection vulnerability affecting the Mirasvit Full Page Cache Warmer extension for Magento 2 and Adobe Commerce.
The vulnerability exists because the extension processes user-controlled data from the CacheWarmer cookie using PHP’s native unserialize() function without applying restrictions on which objects can be instantiated. As a result, attackers can supply specially crafted serialized objects that trigger PHP object deserialization and execute malicious code on the underlying server.
CVE-2026-45247 is classified as CWE-502: Deserialization of Untrusted Data, a weakness that occurs when applications process untrusted serialized objects without proper validation or restrictions.
CVE-2026-45247 Affected Versions
The vulnerability affects the Mirasvit Full Page Cache Warmer extension for Magento 2 and Adobe Commerce. All versions prior to 1.11.12 are vulnerable, while version 1.11.12 contains the security fix for CVE-2026-45247.
Organizations should also be aware that Cache Warmer functionality may be bundled with other Mirasvit packages. As a result, identifying vulnerable installations may require a review of all installed Mirasvit extensions rather than focusing solely on standalone Cache Warmer deployments.
Technical Root Cause of CVE-2026-45247
The root cause of CVE-2026-45247 is unsafe deserialization of attacker-controlled data.
The vulnerable extension accepts values supplied through the CacheWarmer cookie and passes them directly to PHP’s unserialize() function. Because no validation or restrictions are applied before deserialization occurs, attackers can submit malicious serialized objects that PHP will process automatically.
This creates a PHP object injection condition. On its own, object injection may not always lead to code execution. However, modern applications often contain large numbers of reusable classes and dependencies that can be chained together during deserialization.
These chains, commonly known as gadget chains, allow attackers to transform an object injection vulnerability into a full remote code execution vulnerability.
In the case of CVE-2026-45247, researchers found that existing gadget chains within Magento and its dependencies could be leveraged to achieve arbitrary code execution without requiring any additional privileges.
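The difference between unrestricted and restricted deserialization, shown as an added example (this is not the extension's code or its patch). The class and function names are hypothetical, and the sample value is a harmless object constructed inline.

```php
<?php
// Added illustration, not the extension's code; all names are hypothetical.

// Stand-in for any autoloadable class with a magic method. It only records
// that it ran; gadget chains link methods like this that have side effects.
final class WakeupProbe
{
    public static bool $ran = false;

    public function __wakeup(): void
    {
        self::$ran = true;
    }
}

// Vulnerable pattern: any class named in the input is instantiated and
// magic methods such as __wakeup() run during the call itself.
function readCookieUnsafe(string $cookie)
{
    return unserialize($cookie);
}

// Hardening 1: forbid object creation. Objects in the input come back as
// inert __PHP_Incomplete_Class instances and __wakeup() is never called.
function readCookieNoObjects(string $cookie)
{
    return unserialize($cookie, ['allowed_classes' => false]);
}

// Hardening 2: use a data-only format for client-supplied state. JSON can
// yield only scalars and arrays; anything that is not an array is rejected.
function readCookieJson(string $cookie): array
{
    $data = json_decode($cookie, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new InvalidArgumentException('unexpected cookie structure');
    }
    return $data;
}

$sample = serialize(new WakeupProbe()); // constructed, harmless cookie value

readCookieNoObjects($sample);
printf("allowed_classes=false ran __wakeup: %s\n", var_export(WakeupProbe::$ran, true));

readCookieUnsafe($sample);
printf("plain unserialize ran __wakeup: %s\n", var_export(WakeupProbe::$ran, true));
```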
How CVE-2026-45247 Exploitation Works
One of the most concerning aspects of this vulnerability is the simplicity of exploitation.
An attacker only needs to send a normal HTTP request containing a specially crafted CacheWarmer cookie. When the vulnerable extension processes the request, the malicious serialized object is deserialized and triggers a gadget chain already present within the Magento environment.
The exploitation process does not require:
- Authentication
- Administrative access
- User interaction
- Special application configuration
Because the attack can be delivered through a single request, exposed Magento environments can become targets immediately after technical details become public.
Researchers also noted that publicly available gadget chains can be used to reliably convert the deserialization vulnerability into arbitrary code execution, significantly lowering the barrier to exploitation.
Potential Impact of Successful Exploitation
Successful exploitation can result in complete compromise of the affected Magento or Adobe Commerce environment.
Because the vulnerability enables remote code execution, attackers can gain control over the application server and access resources available to the Magento process. Depending on the environment configuration, this may allow attackers to access sensitive business data, customer information, administrative credentials, and application configuration settings.
A compromised environment may also allow attackers to modify storefront content, inject malicious JavaScript, redirect customer payments, deploy web shells, install malware, or establish long-term persistence within the infrastructure.
For eCommerce organizations, the impact extends beyond technical compromise. Unauthorized access to customer information, payment-related data, and business operations can result in financial loss, regulatory exposure, and reputational damage.
CVE-2026-45247 – Indicators of Compromise
Organizations running affected versions should review their environments for signs of exploitation, particularly if the extension remained unpatched after public disclosure. Since CVE-2026-45247 can be exploited through a malicious CacheWarmer cookie, security teams should begin by reviewing web server and application logs for unusual cookie values, especially large base64-encoded strings or serialized object payloads.
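One way to run the log review described above, as an added example rather than vendor tooling. It assumes the web server's log format has been extended to record the Cookie header; the log lines are constructed, and the 512-byte size threshold is an assumption to tune.

```php
<?php
// Added illustration, not vendor tooling. Assumes the access-log format has
// been extended to record the Cookie header; the sample lines are constructed.

// Start of a PHP-serialized object (O:) or custom-serialized object (C:),
// at the beginning of the value or nested inside an array or property list.
const OBJECT_TOKEN = '/(?:^|[;{])[OC]:\+?\d+:"/';

// Return the URL-decoded CacheWarmer cookie value from a log line, or null.
function cacheWarmerValue(string $line): ?string
{
    return preg_match('/\bCacheWarmer=([^;"\s]+)/', $line, $m)
        ? rawurldecode($m[1])
        : null;
}

// 'object': serialized object in the clear or under one layer of base64.
// 'large' : no object token but longer than 512 bytes (assumed threshold).
// 'ok'    : neither.
function classify(string $value): string
{
    $decoded = base64_decode($value, true);
    foreach ([$value, $decoded === false ? '' : $decoded] as $candidate) {
        if (preg_match(OBJECT_TOKEN, $candidate) === 1) {
            return 'object';
        }
    }
    return strlen($value) > 512 ? 'large' : 'ok';
}

// Constructed samples: a harmless stdClass stands in for a real payload.
$benignObject = serialize(new stdClass());
$format = '203.0.113.7 - - [01/Jan/2026:00:00:0%d +0000] "GET / HTTP/1.1" 200 512 "CacheWarmer=%s; other=1"';
$lines = [
    sprintf($format, 1, rawurlencode('{"page":"home"}')),
    sprintf($format, 2, rawurlencode($benignObject)),
    sprintf($format, 3, base64_encode($benignObject)),
    sprintf($format, 4, str_repeat('A', 600)),
];

foreach ($lines as $n => $line) {
    $value = cacheWarmerValue($line);
    if ($value !== null && ($verdict = classify($value)) !== 'ok') {
        printf("line %d: %s (%d bytes)\n", $n + 1, $verdict, strlen($value));
    }
}
```

A hit only shows that a request carried a serialized object in the cookie; whether it succeeded has to be established from the post-exploitation evidence discussed next.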
Evidence of successful exploitation may extend beyond the initial request. Administrators should investigate unexpected command execution activity, unauthorized administrator accounts, recently modified application files, unknown PHP scripts, and potential web shells within the Magento environment. Unexplained changes to Magento configurations, third-party extensions, or application settings may also indicate post-exploitation activity.
For eCommerce environments, particular attention should be paid to storefront integrity. Injected JavaScript within CMS pages, product descriptions, checkout workflows, or payment pages may indicate attempts to deploy payment skimmers, redirect transactions, or harvest customer information.
Because the vulnerability enables remote code execution, organizations should treat any confirmed exploitation attempt as a potential server compromise and perform a thorough review of affected systems to identify persistence mechanisms, malicious files, and unauthorized changes introduced after initial access.
Mitigation Guidance for CVE-2026-45247
Organizations using Mirasvit Full Page Cache Warmer should upgrade immediately to version 1.11.12 or later. If immediate patching is not possible, the extension should be disabled until remediation can be completed. Because the vulnerability is under active exploitation, delaying remediation significantly increases risk.
After patching, organizations should conduct a compromise assessment to determine whether exploitation occurred before remediation. This review should include administrator accounts, application files, configuration settings, database contents, and indicators associated with web shell deployment.
It is also advisable to rotate administrative credentials, database credentials, API keys, integration tokens, and payment gateway credentials if compromise is suspected.
Beyond this specific vulnerability, organizations should regularly review third-party extensions, remove unused modules, and ensure supported versions are maintained across the Magento ecosystem.
How AppTrana Reduces Exposure to CVE-2026-45247
AppTrana helps protect against exploitation attempts associated with CVE-2026-45247 by detecting and blocking malicious requests containing PHP object injection and remote code execution patterns. It also provides continuous traffic monitoring and managed virtual patching capabilities, helping organizations reduce exposure to active attacks while applying the required security updates.