Unauthenticated RCE in Mirasvit Full Page Cache Warmer for Magento 2 (CVE-2026-45247)
by Sansec (discovery/writeup); fevar54 (PoC) · 2026-07-01
- Severity: Critical
- CVE: CVE-2026-45247
- Category: web
- Affected product: Mirasvit Full Page Cache Warmer extension for Magento 2
- Affected versions: Prior to 1.11.12
- Disclosed: 2026-07-01
- Patch status: unpatched
References
- https://sansec.io/research/mirasvit-cache-warmer-object-injection
- https://www.imperva.com/blog/imperva-customers-protected-against-cve-2026-45247-in-mirasvit-full-page-cache-warmer-for-magento/
- https://thehackernews.com/2026/06/cisa-adds-exploited-magento-rce-flaw.html
- https://github.com/fevar54/PoC-Funcional---CVE-2026-45247-Mirasvit-Full-Page-Cache-Warmer-RCE-
Archive entry
intelseclab/poc-archive
Metadata
| Field | Value |
|---|---|
| Date Added | 2026-07-01 |
| Last Updated | 2026-06 |
| Author / Researcher | Sansec (discovery/writeup); fevar54 (PoC) |
| CVE / Advisory | CVE-2026-45247 |
| Category | web |
| Severity | Critical |
| CVSS Score | 9.3 (CVSSv3) |
| Status | Weaponized |
| Tags | php-object-injection, insecure-deserialization, RCE, Magento, Mirasvit, e-commerce, cookie-based, unauthenticated, CISA-KEV, active-exploitation |
| Related | N/A |
Affected Target
| Field | Value |
|---|---|
| Software / System | Mirasvit Full Page Cache Warmer extension for Magento 2 |
| Versions Affected | Prior to 1.11.12 |
| Language / Platform | PHP (target); Python (PoC) |
| Authentication Required | No |
| Network Access Required | Yes (HTTP to Magento storefront) |
Summary
CVE-2026-45247 is a PHP object injection / insecure deserialization vulnerability in Mirasvit’s Full Page Cache Warmer extension for Magento 2. The extension processes attacker-controlled data from the CacheWarmer cookie and passes it directly to PHP’s native unserialize() without adequate restriction. Because the cookie is client-controlled and the vulnerable code path is reachable on ordinary storefront requests, an unauthenticated attacker can supply a crafted serialized PHP object and, by chaining gadgets present in Magento and its dependencies (including a Monolog gadget chain), turn the unsafe deserialization into arbitrary code execution. CISA added this to KEV following confirmed active exploitation.
Vulnerability Details
Root Cause
The CacheWarmer cookie value is base64-decoded and passed to unserialize() without validating that the resulting object graph is safe, allowing PHP object injection via gadget chains reachable from Magento’s dependency tree.
Attack Vector
- Perform reconnaissance against a target Magento storefront to confirm Mirasvit Full Page Cache Warmer is installed.
- Construct a malicious serialized PHP object (Monolog gadget chain) that, once instantiated, achieves command execution via a `php://filter` stream wrapper.
- Base64-encode the serialized payload and set it as the `CacheWarmer` cookie value on a normal storefront request.
- The extension deserializes the cookie, triggering the gadget chain and executing the attacker’s command.
Impact
Unauthenticated remote code execution on the Magento server hosting the vulnerable extension.
Environment / Lab Setup
Target: Magento 2 store with Mirasvit Full Page Cache Warmer < 1.11.12
Attacker: Python 3 + requests
Proof of Concept
PoC Script
See `CVE-2026-45247.py` (exploit) and `verify.sh` (version detection) in this folder.
Performs Magento path reconnaissance, constructs a malicious CacheWarmer cookie with a base64-encoded serialized PHP object (Monolog gadget chain), and executes arbitrary commands via php://filter stream wrappers.
Detection & Indicators of Compromise
Signs of compromise:
- Unexpected outbound connections or file writes originating from the Magento web process
- Storefront requests with abnormal `CacheWarmer` cookie payloads
- New/unexplained admin users or scheduled tasks on the Magento instance
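One way to triage the cookie indicator above, as an added example (not code from this archive entry, Sansec or Mirasvit): it extracts the `CacheWarmer` cookie from logged `Cookie` headers, base64-decodes it as the root cause describes, and flags values whose decoded bytes contain PHP serialized object tokens. The page does not say what a legitimate cookie value looks like, so the sample headers, client addresses and verdict names are constructed assumptions.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# PHP serialize() tokens that name a class to instantiate:
#   O:<len>:"Class":<props>:{   and   C:<len>:"Class":<datalen>:{
OBJECT_TOKEN = re.compile(rb'(?:^|[;{}])[OC]:\+?\d+:"([^"]+)":\d+:\{')

def cookie_value(cookie_header, name="CacheWarmer"):
    """Return the URL-decoded value of one cookie, or None if it is not set."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return unquote(value)
    return None

def classify_cachewarmer(cookie_header):
    """Return (verdict, class_names) for the CacheWarmer cookie in a Cookie header."""
    value = cookie_value(cookie_header)
    if value is None:
        return ("absent", [])
    try:
        padded = value + "=" * (-len(value) % 4)  # tolerate stripped padding
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return ("not-base64", [])
    classes = [c.decode("latin-1") for c in OBJECT_TOKEN.findall(raw)]
    return ("object-injection-suspect", classes) if classes else ("no-object", [])

def scan(requests):
    """Return (client, verdict, classes) for every request that deserves review."""
    hits = []
    for client, header in requests:
        verdict, classes = classify_cachewarmer(header)
        if verdict in ("object-injection-suspect", "not-base64"):
            hits.append((client, verdict, classes))
    return hits

def _b64(data):
    return base64.b64encode(data).decode()

# Constructed sample data: documentation-range addresses, harmless serialized values.
SAMPLE_REQUESTS = [
    ("198.51.100.7", "PHPSESSID=abc123; CacheWarmer=" + _b64(b'a:1:{s:4:"page";i:3;}')),
    ("203.0.113.9", "CacheWarmer=" + _b64(b'a:1:{i:0;O:8:"stdClass":0:{}}') + "; form_key=x"),
    ("192.0.2.44", "CacheWarmer=not*base64"),
    ("192.0.2.50", "PHPSESSID=zzz"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print(hit)
```

Web servers do not log cookies by default, so this needs `Cookie` headers captured at the reverse proxy or WAF; the class names it returns show which classes a flagged value tries to instantiate.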
Remediation
| Action | Detail |
|---|---|
| Primary fix | Update Mirasvit Full Page Cache Warmer to 1.11.12 or later |
| Interim mitigation | Strip/reject the CacheWarmer cookie at a WAF/reverse-proxy layer if immediate patching isn’t possible |
| Cleanup | Audit for unauthorized admin accounts, cron jobs, and file modifications if compromise is suspected |
References
- Sansec — Mirasvit Cache Warmer object injection
- Imperva — CVE-2026-45247 customer protection notice
- The Hacker News — CISA Adds Exploited Magento RCE Flaw
- Source repository (fevar54)
Notes
Auto-ingested from https://github.com/fevar54/PoC-Funcional---CVE-2026-45247-Mirasvit-Full-Page-Cache-Warmer-RCE- on 2026-07-01.