Hackers News
Critical Magento Cache Plugin Flaw Allows RCE Attacks

Sarah simpson
June 1, 2026

A critical security vulnerability has been uncovered in a widely used Magento caching plugin. This flaw allows attackers to remotely execute malicious code, requiring no login, configuration changes, or administrative access.

Security researchers at Sansec uncovered an unauthenticated PHP object injection flaw in Mirasvit Cache Warmer, a full-page cache extension used by thousands of Magento and Adobe Commerce storefronts.

The vulnerability, tracked as CVE-2026-45247, carries a CVSS score of 9.8 (Critical).

Magento Cache Plugin Vulnerability

Mirasvit Cache Warmer is designed to preload cached versions of store pages for different visitor types, varying by currency, customer group, and other session states.

To do this, it packs session details into a cookie and sends them with each crawl request. On the server side, a plugin reads that cookie and adjusts the session accordingly before rendering the page.

The critical problem: the plugin passes part of that cookie value directly to PHP's native unserialize() function, with no allowed_classes restriction on what may be instantiated and no authentication or integrity check on the cookie.

Because the cookie value is entirely client-controlled, an attacker can craft it so that unserialize() instantiates arbitrary PHP objects with attacker-chosen property values. This is PHP Object Injection, a form of CWE-502 (Deserialization of Untrusted Data).

On its own, object injection only creates objects. Combined with a gadget chain (existing classes already bundled with Magento and its dependencies whose magic methods, such as __wakeup, __destruct or __toString, act on those attacker-controlled properties), it escalates directly into Remote Code Execution (RCE).

The vulnerable code path runs on every storefront request, not just on the extension's own cache-warming traffic, so any public-facing Magento store with the module installed is reachable by an unauthenticated attacker.
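The pattern described above, as an added PHP 8 example that is not Mirasvit's code and not taken from the advisory: a minimal model of the bug beside a hardened variant. The cookie layout beyond the "CacheWarmer:" plus base64 prefix, the function names and the LogWriter gadget are assumptions for illustration; real chains use classes that ship with Magento or its vendor packages.

```php
<?php
// Added example (not Mirasvit's code and not from the advisory): a minimal
// model of the bug the article describes beside a hardened variant. The
// cookie layout beyond the 'CacheWarmer:' + base64 prefix, the function
// names and the LogWriter gadget are assumptions for illustration.
declare(strict_types=1);

// Stand-in gadget: any already-loaded class whose magic method acts on
// attacker-controlled properties. Real chains use Magento/vendor classes.
final class LogWriter
{
    public string $path = '/dev/null';
    public string $data = '';

    // Runs as soon as the rebuilt object is discarded, so merely calling
    // unserialize() on the payload is enough; the return value never matters.
    public function __destruct()
    {
        file_put_contents($this->path, $this->data);
    }
}

function cookieBlob(string $cookie): ?string
{
    if (!str_starts_with($cookie, 'CacheWarmer:')) {
        return null;
    }
    $blob = base64_decode(substr($cookie, strlen('CacheWarmer:')), true);
    return $blob === false ? null : $blob;
}

// Vulnerable pattern: client-controlled bytes into unserialize() with no
// class restriction (CWE-502). Any autoloadable class can be instantiated.
function restoreSessionVulnerable(string $cookie): mixed
{
    $blob = cookieBlob($cookie);
    return $blob === null ? null : unserialize($blob);
}

// Hardened: allowed_classes => false rebuilds any object only as
// __PHP_Incomplete_Class (no __wakeup/__destruct logic ever runs), and
// then only a whitelisted array of scalars is accepted.
function restoreSessionHardened(string $cookie): ?array
{
    $blob = cookieBlob($cookie);
    if ($blob === null) {
        return null;
    }
    $state = @unserialize($blob, ['allowed_classes' => false]);
    if (!is_array($state)) {
        return null;
    }
    $expected = ['currency' => 'string', 'group_id' => 'integer', 'store_id' => 'integer'];
    $clean = [];
    foreach ($expected as $key => $type) {
        if (array_key_exists($key, $state) && gettype($state[$key]) === $type) {
            $clean[$key] = $state[$key];
        }
    }
    return $clean;
}

// Attacker side: the payload is written by hand, so the gadget class need
// not exist on the attacker's machine. The blob starts with "O:", which
// base64-encodes to "Tz", the prefix the detection rule keys on.
$target = sys_get_temp_dir() . '/cachewarmer-demo.txt';
$body   = '<?php echo "planted"; ?>';
$blob   = sprintf('O:9:"LogWriter":2:{s:4:"path";s:%d:"%s";s:4:"data";s:%d:"%s";}',
                  strlen($target), $target, strlen($body), $body);
$cookie = 'CacheWarmer:' . base64_encode($blob);
echo substr($cookie, 0, 14), PHP_EOL;

@unlink($target);
restoreSessionVulnerable($cookie);          // object rebuilt, __destruct fires
var_dump(file_exists($target));

@unlink($target);
var_dump(restoreSessionHardened($cookie));  // rejected: not a plain array
var_dump(file_exists($target));

// The hardened path still accepts the kind of state a warmer needs.
$legit = 'CacheWarmer:' . base64_encode(serialize(['currency' => 'EUR', 'group_id' => 1]));
var_dump(restoreSessionHardened($legit));
```

Run with `php demo.php`: after the vulnerable call the planted file exists even though the caller threw the returned object away; after the hardened call it does not, because no LogWriter is ever instantiated. The allowed_classes option is the minimal fix for code that must keep unserialize(); the better design is to carry session state in a format with no object semantics (JSON) and to HMAC-sign the cookie server-side so a client cannot alter it at all.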

All versions of Mirasvit Cache Warmer before 1.11.12 are vulnerable. The extension ships bundled inside several other Mirasvit packages, meaning many merchants may be running it without realizing it.

Sansec’s scanning found approximately 6,000 stores running Mirasvit extensions, with the actual number likely far higher, as CDNs like Cloudflare mask many installations from external fingerprinting.

The exploit leaves a recognizable trail in web logs. Security teams should watch for storefront requests carrying a CacheWarmer cookie whose value begins with CacheWarmer: followed by a base64 string.

Serialized PHP data begins with O: for an object, C: for a custom-serialized object and a: for an array, and those leading bytes base64-encode to Tz, Qz and YT respectively. That makes the pattern CacheWarmer:(Tz|Qz|YT) a strong indicator of an active exploitation attempt.
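The indicator above applied to a handful of access-log lines, as an added PHP example that is not from the article or from Sansec. The log layout (Apache combined log with the Cookie request header appended as a final quoted field), the class name Vendor\Module\Gadget and every sample line are constructed for this demo.

```php
<?php
// Added example, not from the article or Sansec: the CacheWarmer:(Tz|Qz|YT)
// indicator run over constructed access-log lines. The log layout, the
// client addresses, the class name and the payloads are all assumptions.
declare(strict_types=1);

// Why Tz / Qz / YT: base64 of the leading bytes of a serialized object
// ("O:"), a custom-serialized object ("C:") and an array ("a:").
function serializedPrefixes(): array
{
    $out = [];
    foreach (['O:', 'C:', 'a:'] as $lead) {
        $out[$lead] = substr(base64_encode($lead), 0, 2);
    }
    return $out;
}

const INDICATOR = '/CacheWarmer:(?:Tz|Qz|YT)[A-Za-z0-9+\/]+=*/';

// One finding per matching line: who sent it, what they requested, the
// serialized type, and the class name recovered when it is an object.
function scanLogLines(array $lines): array
{
    $findings = [];
    foreach ($lines as $idx => $line) {
        if (!preg_match(INDICATOR, $line, $m)) {
            continue;
        }
        $blob  = base64_decode(substr($m[0], strlen('CacheWarmer:')), true);
        $class = null;
        if ($blob !== false && preg_match('/^[OC]:\d+:"([^"]+)"/', $blob, $c)) {
            $class = $c[1];
        }
        preg_match('/^(\S+)/', $line, $ip);
        preg_match('/"([A-Z]+ [^"]*)"/', $line, $req);
        $findings[] = [
            'line'    => $idx + 1,
            'client'  => $ip[1] ?? '?',
            'request' => $req[1] ?? '?',
            'kind'    => $blob === false ? 'undecodable' : substr($blob, 0, 2),
            'class'   => $class,
        ];
    }
    return $findings;
}

// Constructed payloads: a made-up gadget class, a serialized array, and a
// value that is base64 but not PHP-serialized (should not match).
$gadgetName = 'Vendor\Module\Gadget';
$objectBlob = sprintf('O:%d:"%s":1:{s:1:"x";s:1:"y";}', strlen($gadgetName), $gadgetName);
$arrayBlob  = serialize(['currency' => 'EUR']);
$plainBlob  = 'currency=EUR;group=1';

$fmt   = '%s - - [01/Jun/2026:10:15:%02d +0000] "GET %s HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "%s"';
$lines = [
    sprintf($fmt, '198.51.100.7', 1, '/catalog/category/view/id/3', 'CacheWarmer=CacheWarmer:' . base64_encode($plainBlob)),
    sprintf($fmt, '203.0.113.9',  2, '/',                            'CacheWarmer=CacheWarmer:' . base64_encode($objectBlob)),
    sprintf($fmt, '203.0.113.9',  3, '/customer/account/login/',     'CacheWarmer=CacheWarmer:' . base64_encode($arrayBlob)),
    sprintf($fmt, '192.0.2.44',   4, '/checkout/cart/',              'PHPSESSID=abc123'),
];

foreach (serializedPrefixes() as $lead => $b64) {
    printf("%s -> %s\n", $lead, $b64);
}
foreach (scanLogLines($lines) as $f) {
    printf("line %d  %-14s %-30s payload=%s class=%s\n",
        $f['line'], $f['client'], $f['request'], $f['kind'], $f['class'] ?? '-');
}
```

Only the second and third lines are reported; the first carries base64 that does not decode to serialized PHP and the fourth has no warmer cookie. In real logs the cookie may be URL-encoded (the padding "=" appears as %3D) and quoted differently by your log format, so decode the field before applying the pattern. Cross-check the source address of any hit against the store's own cache-warming crawler before treating it as hostile.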

Mitigations

Mirasvit released the patched version 1.11.12 on May 25, 2026, within days of being notified. Store owners should act immediately:

Update now: Upgrade Mirasvit Cache Warmer to version 1.11.12 or later.

Block attacks: Deploy a web application firewall capable of blocking serialization-based exploit attempts.

Scan for compromise: Check for webshells, backdoors, or unexpected PHP files in pub/ and other web-accessible directories.

Audit installed packages: Confirm whether Cache Warmer is bundled inside other Mirasvit modules on your store.
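Two of the checks above as a script, added here as a PHP example that is not from the article or from Mirasvit: it reads Composer's installed.json to list every mirasvit/* package and flag a Cache Warmer version below 1.11.12, then walks pub/ for PHP files outside Magento 2's standard entry points. The package name mirasvit/module-cache-warmer, the pub/ allow-list and the sample data are assumptions; take the real package name from your own composer.lock, and note that a copy bundled inside another Mirasvit package will not show up as a separate package at all.

```php
<?php
// Added example, not from the article or from Mirasvit: (1) list Mirasvit
// packages from Composer's installed.json and flag Cache Warmer < 1.11.12;
// (2) walk pub/ for PHP files outside the standard Magento 2 entry points.
// CACHE_WARMER_PACKAGE, PUB_ALLOWED and the sample tree are assumptions.
declare(strict_types=1);

const FIXED_VERSION        = '1.11.12';
const CACHE_WARMER_PACKAGE = 'mirasvit/module-cache-warmer';   // assumed name

// Returns ['mirasvit' => [name => version], 'warmer_vulnerable' => bool|null];
// null means the warmer is not a separate package (e.g. bundled elsewhere).
function auditComposer(string $installedJson): array
{
    $doc      = json_decode($installedJson, true, 512, JSON_THROW_ON_ERROR);
    $packages = $doc['packages'] ?? $doc;      // Composer 2 vs Composer 1 layout
    $mirasvit = [];
    foreach ($packages as $pkg) {
        $name = $pkg['name'] ?? '';
        if (str_starts_with($name, 'mirasvit/')) {
            $mirasvit[$name] = ltrim((string)($pkg['version'] ?? '0'), 'v');
        }
    }
    $warmer = $mirasvit[CACHE_WARMER_PACKAGE] ?? null;
    return [
        'mirasvit'          => $mirasvit,
        'warmer_vulnerable' => $warmer === null ? null : version_compare($warmer, FIXED_VERSION, '<'),
    ];
}

// PHP files Magento 2 legitimately serves from pub/ (adjust for your build).
const PUB_ALLOWED = ['index.php', 'get.php', 'static.php', 'cron.php', 'health_check.php'];

// Returns paths (relative to pub/) of PHP-executable files that should not be there.
function findUnexpectedPhp(string $pubDir): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($pubDir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!preg_match('/\.ph(p\d?|tml|ar)$/i', $file->getFilename())) {
            continue;
        }
        $rel = substr($file->getPathname(), strlen($pubDir) + 1);
        if (str_starts_with($rel, 'errors/') || in_array($rel, PUB_ALLOWED, true)) {
            continue;   // Magento's own entry points and error pages
        }
        $hits[] = $rel;
    }
    sort($hits);
    return $hits;
}

// Constructed sample: an installed.json with an old warmer, and a pub/ tree
// with a planted file hidden under media/.
$installed = json_encode(['packages' => [
    ['name' => 'magento/product-community-edition', 'version' => '2.4.7'],
    ['name' => 'mirasvit/module-core',              'version' => '1.4.0'],
    ['name' => CACHE_WARMER_PACKAGE,                'version' => '1.11.11'],
]]);
$root = sys_get_temp_dir() . '/pub-audit-' . getmypid();
foreach (['index.php', 'get.php', 'errors/404.php', 'media/wysiwyg/.cache.php'] as $f) {
    @mkdir(dirname("$root/$f"), 0700, true);
    file_put_contents("$root/$f", "<?php\n");
}

$audit = auditComposer($installed);
foreach ($audit['mirasvit'] as $name => $version) {
    printf("%-36s %s\n", $name, $version);
}
printf("cache warmer below %s: %s\n", FIXED_VERSION, var_export($audit['warmer_vulnerable'], true));
foreach (findUnexpectedPhp($root) as $path) {
    printf("unexpected PHP file: pub/%s\n", $path);
}
```

On a real store point auditComposer() at vendor/composer/installed.json and findUnexpectedPhp() at the deployed pub/ directory. A hit under pub/media or pub/static is never legitimate in a stock Magento 2 layout and should be treated as a likely webshell; also compare file modification times against the April 24, 2026 discovery date the article gives, since an attacker who landed before the patch keeps access after it.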

Sansec’s Shield customers were already protected from April 24, 2026, the same day the flaw was discovered. The CVE was formally assigned on May 26, 2026.

Given that exploitation requires zero authentication and can be fully automated, unpatched stores remain at serious risk of full server compromise.

All Rights Reserved by HackersRadar ©2026