CVE-2026-45247: PHP Object Injection in Mirasvit Full Page Cache Warmer for Magento 2 - What It Means for Your Business and How to Respond

E-commerce platforms power much of your online revenue, and a single overlooked extension can expose your entire operation to attackers. CVE-2026-45247 represents one such high-severity risk: a critical vulnerability in a popular Magento 2 caching extension that enables remote code execution without requiring any login credentials.

If you operate an online store built on Magento or Adobe Commerce, especially one using performance-enhancing extensions, this issue demands immediate attention. This post explains the vulnerability in business terms, outlines potential impacts, and provides clear steps to determine if you are affected and how to protect your operations. For technical teams, a detailed appendix follows.

S1 — Background & History

Security researchers at Sansec disclosed CVE-2026-45247 on May 26, 2026. The flaw affects Mirasvit Full Page Cache Warmer, a widely used extension for Magento 2 and Adobe Commerce that accelerates page loading by warming the cache.

Mirasvit released a patched version (1.11.12) on May 25, 2026, just before public disclosure. The vulnerability carries a CVSS score of 9.8, classifying it as critical. It stems from unsafe handling of user-supplied data in a cookie, allowing attackers to inject malicious objects that lead to arbitrary code execution on the server.

CISA added the CVE to its Known Exploited Vulnerabilities catalog shortly after reports of active exploitation emerged in the wild. This rapid inclusion underscores the urgency for businesses relying on Magento-based stores, as attackers have already begun targeting vulnerable instances.

The timeline highlights the speed at which modern threats evolve: notification to the vendor on May 21, patch release on May 25, disclosure and CVE assignment the next day, followed by confirmed exploitation and government cataloging within days.

S2 — What This Means for Your Business

A successful attack via this vulnerability can grant attackers full control over your web server. For an e-commerce business, this translates to immediate operational disruption, potential data theft, and long-term reputational damage.

Attackers could alter product pages, inject malicious scripts, or extract customer information including names, addresses, payment details, and order histories. In regulated sectors, this could trigger mandatory breach notifications under laws such as CCPA or state equivalents, leading to fines and legal costs.

Your revenue stream faces direct risk. Downtime during peak shopping periods or defaced storefronts erodes customer trust and drives sales to competitors. Even brief interruptions in order processing or inventory synchronization can result in lost transactions and fulfillment delays.

Compliance obligations become more complex. If you handle payment card data, an exploited system may violate PCI DSS requirements, prompting audits or higher processing fees. Smaller businesses with limited IT resources often suffer the most, as recovery can consume weeks of engineering time and significant unplanned expenses.

The unauthenticated nature of the flaw means anyone with knowledge of your store's URL can attempt exploitation. With active exploitation already underway, delaying action increases the likelihood of compromise.

S3 — Real-World Examples

E-commerce Retailer Under Attack: A regional apparel retailer operating a Magento store experienced unauthorized changes to pricing and product descriptions during a sales event. Customer orders placed after the compromise included fraudulent shipping details, resulting in thousands in chargebacks and eroded brand confidence.

Mid-Sized B2B Supplier: An industrial parts distributor using the affected extension suffered data exfiltration of client contact lists and pricing agreements. Competitors received the stolen information, undermining negotiated contracts and forcing emergency renegotiations with key accounts.

Online Marketplace Operator: A platform connecting small vendors to buyers faced server-level compromise that injected malware into checkout flows. Several customers reported unauthorized transactions, triggering payment processor investigations and temporary suspension of services.

Healthcare Product Store: A supplier of medical supplies to clinics had patient order histories exposed, raising HIPAA-related concerns despite operating primarily in a B2B capacity. The incident required extensive forensic investigation and customer communications, diverting resources from core operations.

S4 — Am I Affected?

• You are running Magento 2 or Adobe Commerce with the Mirasvit Full Page Cache Warmer extension installed.
• Your installed version of the extension is 1.11.11 or earlier.
• You have not applied the update to version 1.11.12 or newer.
• Your store is publicly accessible on the internet.
• You rely on third-party extensions for caching or performance optimization without recent security reviews.

If you answered yes to any of these, immediate verification and patching are recommended.

Key Takeaways

• CVE-2026-45247 enables unauthenticated remote code execution on Magento stores using the vulnerable Mirasvit extension, with attackers already actively exploiting it.
• Businesses face risks including data breaches, operational downtime, financial losses from fraud, and regulatory penalties.
• Early detection and patching prevent most damage, but ongoing monitoring remains essential given the speed of exploitation.
• E-commerce operations depend on secure extensions; regular updates and vendor trust form a critical part of risk management.
• Professional assessment helps confirm exposure and strengthen overall defenses beyond this single issue.

Call to Action

Protect your Magento store and broader digital infrastructure by scheduling a comprehensive penetration test with IntegSec. Our team identifies vulnerabilities like CVE-2026-45247 before attackers do, delivering actionable insights that reduce risk and support business continuity. Visit https://integsec.com today to learn how targeted testing can safeguard your operations.

TECHNICAL APPENDIX (security engineers, pentesters, IT professionals only)

A — Technical Analysis

The root cause lies in unsafe deserialization of data from the CacheWarmer cookie within the Mirasvit Full Page Cache Warmer extension. The component processes user-controlled input via PHP's unserialize() function without sufficient validation or whitelisting of allowed classes.

Attack vector is network-based (remote), with low complexity. No privileges or user interaction are required. The CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, yielding the 9.8 score. This aligns with CWE-502: Deserialization of Untrusted Data.

NVD and related advisories detail gadget chains that enable arbitrary PHP code execution, often leading to full server compromise. Public exploit details have circulated following disclosure.

B — Detection & Verification

Check the installed extension version by reviewing composer.json or the module's configuration files, or navigate to the Magento admin panel under Stores > Configuration if accessible.

Use commands such as:

bin/magento module:status | grep Mirasvit_CacheWarmer

or inspect /vendor/mirasvit/module-cache-warmer/etc/module.xml for version information.

Vulnerability scanners may detect signatures related to the CacheWarmer cookie handling. Look for anomalous requests containing long base64-like strings or serialized PHP objects (starting with "O:" or "a:") in web server access logs targeting paths that interact with cache warming functionality.

Behavioral indicators include unexpected PHP process activity, new files in web directories, or outbound connections from the server. Network monitoring may reveal exploitation attempts with crafted cookie payloads.

C — Mitigation & Remediation

1. Immediate (0–24h): Update the Mirasvit Full Page Cache Warmer extension to version 1.11.12 or later through the official channel or Magento marketplace. Restart relevant services and clear caches after updating.
2. Short-term (1–7d): Conduct a full vulnerability scan and forensic review of server logs for exploitation indicators. Rotate all credentials, review file integrity, and implement WAF rules to block suspicious cookie patterns if patching is delayed. Consider temporarily disabling the extension if immediate update is not feasible.
3. Long-term (ongoing): Maintain a strict extension update policy, enable automatic security updates where possible, and perform regular penetration testing. Implement network segmentation, least-privilege principles for web servers, and robust logging with centralized monitoring. Use runtime application self-protection (RASP) or equivalent controls to mitigate deserialization risks.

For environments unable to patch immediately, web application firewall rules targeting the vulnerable cookie or virtual patching via security modules can serve as interim controls. Always prioritize the official vendor patch.

D — Best Practices

• Regularly audit and update all third-party Magento extensions, prioritizing those handling user input or caching.
• Avoid deserializing untrusted data in custom or extended code; implement strict allowlisting for PHP objects.
• Deploy web application firewalls and runtime protection mechanisms to detect and block deserialization attacks.
• Maintain comprehensive logging of application and web server activity with anomaly detection.
• Conduct periodic security assessments of your e-commerce stack to identify similar risks before exploitation.