External risk intelligence

Mirasvit Cache Warmer PHP Object Injection Remote Code Execution.

CVE advisoryKnown Exploit

CVE-2026-45247

A PHP object injection vulnerability exists in Mirasvit Full Page Cache Warmer for Magento 2, allowing unauthenticated attackers to execute arbitrary code remotely by sending a crafted serialized PHP object in a cookie. This exploit leverages unrestricted calls to PHP's `unserialize()` function, potentially leading to

5Halo Surface Signal

Deserialization

Mirasvit Full Page Cache Warmer

before 1.11.12

External exposure likelihood

Halo Surface Signal score for CVE-2026-45247

The vulnerability affects an extension for Magento 2, an e-commerce platform that is publicly accessible by design to allow internet users to browse and shop. Because the vulnerability is triggered via a standard HTTP cookie on public-facing storefront pages, it is reachable without authentication in normal public deployments.

PCI scan relevance

PCI Relevance for CVE-2026-45247

Yes

CVE-2026-45247 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows unauthenticated remote code execution, which would likely cause a PCI scan failure and requires remediation.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in the Mirasvit Full Page Cache Warmer for Magento 2, allowing unauthenticated attackers to execute arbitrary code on servers. This issue stems from a PHP object injection flaw that can be triggered through a crafted cookie, potentially leading to significant compromise of affected systems.

Website caching extension vulnerable to code execution.
Executive concern: Confirm exposure and impact.
Risk of unauthorized server access.

Attack Path

How an attacker could exploit the issue

Attackers can exploit this vulnerability by sending a specially crafted serialized PHP object within the CacheWarmer cookie to a Magento 2 website that uses the Mirasvit Full Page Cache Warmer extension. This allows them to execute arbitrary code on the server, potentially leading to a full system compromise.

No authentication required to trigger.
Triggered via the CacheWarmer cookie.
Leads to remote code execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could impact the integrity and availability of Magento 2 e-commerce sites by allowing unauthenticated attackers to execute arbitrary code on the server. This could occur when an attacker supplies a specially crafted serialized PHP object within the `CacheWarmer` cookie, exploiting the unrestricted call to PHP's `unserialize()` function. The consequences could include the complete compromise of the e-commerce server.

Server code execution.
Via crafted cookie data.
E-commerce server compromise.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in Mirasvit Full Page Cache Warmer for Magento 2 likely falls under the responsibility of the application or platform team managing the Magento instance, with coordination from the security team for exposure assessment. The immediate first step is to identify all deployments of the affected extension, confirm their accessibility from the internet, and determine their business criticality to prioritize remediation efforts with the Mirasvit vendor.

Application/platform team owns remediation.
Verify internet reachability and business impact.
Coordinate with Mirasvit for patch deployment.

Frequently asked questions

What is the vulnerability in Mirasvit Full Page Cache Warmer for Magento 2 and how is it exploited?

Mirasvit Full Page Cache Warmer for Magento 2, prior to version 1.11.12, contains a PHP object injection vulnerability. Attackers can exploit this by sending a crafted serialized PHP object in the CacheWarmer cookie to achieve remote code execution on the server. This exploits an unrestricted call to PHP's unserialize() function.

What weakness class does CVE-2026-45247 represent?

CVE-2026-45247 is categorized under CWE-502, which signifies 'Deserilization of Untrusted Data'. This means the vulnerability occurs when an application deserializes data from an untrusted source, potentially allowing an attacker to inject malicious objects into the deserialized data.

How can an attacker trigger the vulnerability in Mirasvit Full Page Cache Warmer, and what is the scope of impact?

An unauthenticated attacker can trigger this vulnerability by supplying a crafted serialized PHP object within the CacheWarmer cookie. The vulnerability allows for remote code execution, meaning an attacker can run arbitrary code on the server without needing any prior authentication or privileges, potentially leading to a full system compromise.

What is the relevance of the Halo Surface Signal score for CVE-2026-45247?

Halo assigns a 'Very likely' score (5 out of 5) to this vulnerability. This is because it affects an extension for Magento 2, an e-commerce platform that is inherently publicly accessible. The vulnerability is triggered via a standard HTTP cookie on public-facing pages, making it reachable without authentication during normal public operations.

What practical steps should be taken to address the Mirasvit Full Page Cache Warmer vulnerability?

The application or platform team managing the Magento instance is responsible for remediation. This involves identifying all deployments of the affected extension, confirming their internet accessibility, and assessing their business criticality to prioritize patching with the Mirasvit vendor. Applying mitigations provided by the vendor is the recommended course of action.

References

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.