Urgent: Critical Remote Code Execution Vulnerability in Mirasvit Magento Extension (CVE-2026-45247)
The cybersecurity landscape for e-commerce platforms has faced a significant uptick in sophisticated attacks targeting third-party extensions. Recently, the Cybersecurity and Infrastructure Security Agency (CISA) added a critical vulnerability to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2026-45247. This flaw centers on the Mirasvit Full Page Cache Warmer extension, a popular tool used to optimize performance for Magento 2 and Adobe Commerce storefronts. With a CVSS severity score of 9.8 (Critical), this vulnerability presents an immediate and severe risk to online retailers worldwide.
What is CVE-2026-45247?
CVE-2026-45247 is an unauthenticated remote code execution (RCE) vulnerability that stems from insecure PHP object deserialization (CWE-502). The flaw resides in how the Mirasvit Full Page Cache Warmer extension processes the CacheWarmer cookie. In vulnerable versions, the extension passes the contents of this user-supplied cookie directly into PHP’s native unserialize() function without any form of validation or class whitelisting.
In PHP environments, the unserialize() function is notoriously dangerous when used on untrusted data. It allows an attacker to inject crafted serialized objects that, upon being processed by the server, trigger “magic methods” (such as __wakeup or __destruct). By carefully chaining these methods with other classes available in the Magento codebase—a technique known as a “gadget chain”—an attacker can achieve full arbitrary code execution on the underlying web server.
Affected Systems and Software
This vulnerability specifically impacts organizations using the Mirasvit Full Page Cache Warmer extension on the following platforms:
- Magento 2 (Open Source)
- Adobe Commerce (On-premise and Cloud)
The flaw affects all versions of the extension prior to 1.11.12. Because the extension is designed to improve site speed by pre-caching pages, it often requires high-level permissions within the web environment, making the impact of a successful breach even more significant.
Severity and Potential Impact
The CVSS score of 9.8 reflects the ease of exploitation and the total compromise of confidentiality, integrity, and availability. Since the attack can be launched as an unauthenticated user, no credentials or special access are required to exploit a vulnerable storefront.
Once an attacker gains remote code execution, the potential for damage is immense. Recent observations of active exploitation indicate that threat actors are primarily focused on:
- Digital Skimming: Injecting malicious JavaScript (Magecart-style) into checkout pages to steal customer payment card information and personally identifiable information (PII).
- Persistent Access: Deploying web shells to maintain a backdoor into the server even after patches are applied.
- Data Exfiltration: Accessing the Magento database to steal customer lists, order history, and administrative credentials.
- Lateral Movement: Using the compromised web server as a pivot point to attack other internal systems within the enterprise network.
Mitigation and Defensive Steps
Given that CVE-2026-45247 is being actively exploited in the wild, e-commerce administrators must prioritize remediation. The manufacturer, Mirasvit, has released an urgent patch to address this flaw.
1. Immediate Mandatory Update
Upgrade the Mirasvit Full Page Cache Warmer extension to version 1.11.12 or later immediately. This update replaces the insecure deserialization logic with safer data handling practices. Updates can be obtained via the Mirasvit customer portal or the Magento/Adobe Commerce Marketplace.
2. Web Application Firewall (WAF) Integration
While patching is the only permanent fix, organizations should configure their WAF (such as Akamai, Cloudflare, or AWS WAF) to block requests containing suspicious CacheWarmer cookies. Look for patterns indicative of serialized PHP objects, such as strings starting with O: or Base64-encoded equivalents (e.g., payloads starting with Tz or Qz).
3. Forensic Audit and Integrity Checks
Since this vulnerability is in the KEV catalog, any unpatched site should be treated as potentially compromised. Administrators should perform a comprehensive forensic audit, including:
- Scanning for new or modified .php files in the pub/media, var/, and generated/ directories.
- Reviewing administrative account logs for unauthorized creations or modifications.
- Checking for unauthorized outbound network connections from the web server.
4. Disable the Extension
If an immediate update is not feasible, the extension should be disabled or removed entirely from the Magento environment to close the attack vector until a secure version can be deployed.
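The cookie check described in step 2, written out as a small filter that could sit in a reverse proxy or run over logged Cookie headers. This is an added example, not Mirasvit's or any WAF vendor's code. The function names, the sample headers, and the benign cookie value are constructed for illustration, and the format of a legitimate CacheWarmer cookie is an assumption.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote

# Header of a serialized PHP object (O:) or custom-serialized object (C:),
# at the start of the value or nested inside an array/object (after ';' or '{').
PHP_OBJECT = re.compile(r'(?:^|[;{])[OC]:\d+:"')

def cache_warmer_value(cookie_header):
    """Return the raw CacheWarmer cookie value from a Cookie header, or None."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "CacheWarmer":
            return value
    return None

def try_base64(text):
    """Decode standard or URL-safe Base64; return '' when text is not Base64."""
    text = text.replace("-", "+").replace("_", "/")
    try:
        raw = base64.b64decode(text + "=" * (-len(text) % 4), validate=True)
    except (binascii.Error, ValueError):
        return ""
    return raw.decode("latin-1")

def is_suspicious(cookie_header):
    """True if the CacheWarmer cookie carries a serialized PHP object."""
    value = cache_warmer_value(cookie_header)
    if not value:
        return False
    candidates = {value}
    for _ in range(2):  # undo up to two layers of URL encoding
        value = unquote(value)
        candidates.add(value)
    return any(PHP_OBJECT.search(c) or PHP_OBJECT.search(try_base64(c))
               for c in candidates)

PAYLOAD = 'O:8:"stdClass":0:{}'  # constructed, harmless sample object
SAMPLES = {  # constructed Cookie headers, not captured traffic
    "benign": "PHPSESSID=abc123; CacheWarmer=1700000000",
    "plain": "CacheWarmer=" + PAYLOAD,
    "urlencoded": "CacheWarmer=" + quote(PAYLOAD, safe=""),
    "base64": "CacheWarmer=" + base64.b64encode(PAYLOAD.encode()).decode(),
    "nested": "CacheWarmer=" + quote("a:1:{i:0;" + PAYLOAD + "}", safe=""),
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(f"{label:10} {'BLOCK' if is_suspicious(header) else 'allow'}")
```

The filter decodes before matching because a prefix test on the raw header misses URL-encoded values and objects nested inside a serialized array.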
For Joe’s Cybersecurity Blog, we strongly urge all Magento site operators to verify their extension versions today. A few minutes of maintenance can prevent a catastrophic data breach.