Critical Magento Cache Plugin Vulnerability Enables Remote Code Execution Attacks
A critical PHP object injection vulnerability in the Mirasvit Cache Warmer plugin for Magento and Adobe Commerce allows unauthenticated attackers to achieve remote code execution.

A critical security vulnerability has been discovered in a widely used Magento caching plugin that allows attackers to remotely execute malicious code with no login, configuration changes, or admin access required. Security researchers at Sansec uncovered an unauthenticated PHP object injection flaw in Mirasvit Cache Warmer, a full-page cache extension used by thousands of Magento and Adobe Commerce storefronts. The vulnerability, tracked as CVE-2026-45247, carries a maximum-severity CVSS score of 9.8 (Critical).
Mirasvit Cache Warmer is designed to preload cached versions of store pages for different visitor types, varying by currency, customer group, and other session states. To do this, it packs session details into a cookie and sends them with each crawl request. On the server side, a plugin reads that cookie and adjusts the session accordingly before rendering the page. The critical problem is that the plugin passes part of that cookie value directly to PHP’s native unserialize() function, with no class restrictions and no authentication checks.
Because the cookie value is entirely client-side, an attacker can craft it to inject arbitrary PHP objects, a technique known as PHP Object Injection (CWE-502). When combined with a gadget chain—malicious logic built from classes already bundled within Magento and its dependencies—this object injection escalates directly into Remote Code Execution (RCE). The vulnerable code path runs on every storefront request, not just internal cache-warming traffic, so any public-facing Magento store running the extension is a potential target.
All versions of Mirasvit Cache Warmer before 1.11.12 are vulnerable. The extension is often bundled inside several other Mirasvit packages, meaning many merchants may be running it without realizing it. Sansec’s scanning found approximately 6,000 stores running Mirasvit extensions, though the actual number is likely higher, as CDNs like Cloudflare often mask installations from external fingerprinting.
The exploit leaves a recognizable trail in web logs. Security teams should monitor storefront requests carrying a 'CacheWarmer' cookie whose value begins with 'CacheWarmer:'. Serialized PHP objects typically base64-encode to strings starting with 'Tz', 'Qz', or 'YT', making the pattern 'CacheWarmer:(Tz|Qz|YT)' a strong indicator of an active exploitation attempt.
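As an added illustration of the detection guidance above (not code from Sansec or Mirasvit), the following Python scanner flags access-log requests carrying the 'CacheWarmer:(Tz|Qz|YT)' pattern and, where the value decodes, reports which PHP serialization prefix and class name it carries. It assumes an Apache combined log with the Cookie header appended as the final quoted field; the sample lines and payloads are constructed.

```python
import base64
import re
from urllib.parse import unquote
# Cookie shape from the report: name "CacheWarmer", value "CacheWarmer:<base64>". "Tz", "Qz" and "YT"
# are the base64 encodings of the PHP serialization prefixes "O:" (object), "C:" (custom) and "a:" (array).
COOKIE_RE = re.compile(r"(?:^|;\s*)CacheWarmer=CacheWarmer:([A-Za-z0-9+/=%]+)")
INDICATOR_RE = re.compile(r"^(Tz|Qz|YT)")
PREFIX_TYPES = {b"O:": "object", b"C:": "custom-serialized", b"a:": "array"}
CLASS_RE = re.compile(rb'^[OC]:\d+:"([^"]+)"')
LOG_RE = re.compile(r'^(\S+) .*"([^"]*)"$')  # assumed: combined log with %{Cookie}i as the last quoted field
def decode_payload(b64):
    """Base64-decode a cookie value, tolerating URL-encoding and stripped padding."""
    raw = unquote(b64)
    raw += "=" * (-len(raw) % 4)
    try:
        return base64.b64decode(raw, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def classify_cookie(cookie_header):
    """Return a finding dict when the Cookie header matches CacheWarmer:(Tz|Qz|YT), else None."""
    m = COOKIE_RE.search(cookie_header)
    if not m or not INDICATOR_RE.match(m.group(1)):
        return None
    finding = {"indicator": m.group(1)[:2], "payload_type": "undecodable", "class_hint": ""}
    decoded = decode_payload(m.group(1))
    if decoded is not None:
        finding["payload_type"] = PREFIX_TYPES.get(decoded[:2], "unknown")
        cls = CLASS_RE.match(decoded)  # the injected class name helps triage and IoC sharing
        if cls:
            finding["class_hint"] = cls.group(1).decode(errors="replace")
    return finding

def scan_log(lines):
    """Scan access-log lines; return one finding per request carrying the pattern."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        hit = classify_cookie(m.group(2)) if m else None
        if hit:
            findings.append({"line": lineno, "client": m.group(1), **hit})
    return findings
# Constructed sample log lines (not from the report); the payloads are harmless stand-ins.
_OBJ = base64.b64encode(b'O:8:"stdClass":0:{}').decode()
_ARR = base64.b64encode(b'a:1:{s:8:"currency";s:3:"USD";}').decode()
SAMPLE_LOG = [
    '203.0.113.5 - - [25/May/2026:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" "PHPSESSID=abc"',
    f'198.51.100.7 - - [25/May/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.0" "CacheWarmer=CacheWarmer:{_OBJ}"',
    f'198.51.100.8 - - [25/May/2026:10:00:02 +0000] "GET /p HTTP/1.1" 200 512 "-" "Mozilla/5.0" "store=default; CacheWarmer=CacheWarmer:{_ARR}"',
]
```

Run `scan_log(SAMPLE_LOG)` to see the two flagged requests; a plain 'a:' array hit is worth reviewing against what the extension legitimately sends before treating it as confirmed exploitation.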
Mirasvit released the patched version 1.11.12 on May 25, 2026. Store owners are urged to update immediately, deploy a web application firewall capable of blocking serialization-based exploit attempts, and audit their systems for signs of compromise, such as unexpected PHP files in web-accessible directories. Sansec’s Shield customers were protected starting April 24, 2026, the same day the flaw was discovered.