Invaders
Back to Blog
INVADERS
BlogGet Protected
  1. Home
  2. Blog
  3. Cloud & Application Security
  4. CVE-2026-45247: Mirasvit Cache Warmer RCE Threatens Magento Stores
Cloud & Application Security

CVE-2026-45247: Mirasvit Cache Warmer RCE Threatens Magento Stores

Lucas OliveiraLucas OliveiraResearch
June 7, 2026·5 min read

Summarize with:

ChatGPTClaudePerplexityGoogle AI
CVE-2026-45247: Mirasvit Cache Warmer RCE Threatens Magento Stores

Share

CVE-2026-45247: Mirasvit Cache Warmer RCE Threatens Magento Stores

Executive Summary

CVE-2026-45247 is a critical vulnerability in the Mirasvit Full Page Cache Warmer extension for Magento 2 and Adobe Commerce. Public reporting says the bug can let unauthenticated attackers send a crafted CacheWarmer cookie that reaches PHP deserialization and can lead to remote code execution on exposed storefronts. The issue is more urgent because CISA added the CVE to its Known Exploited Vulnerabilities catalog on June 3, 2026, confirming active exploitation concerns rather than a purely theoretical bug.

For defenders, this is a high-priority edge application problem. The weakness sits in a public-facing e-commerce path, requires no login, and affects a plugin that some stores may inherit through broader Mirasvit packages. If attackers land code execution on a Magento host, the follow-on exploit path can include webshell deployment, payment-page tampering, customer-data exposure, and deeper compromise of adjacent systems.

What happened

Sansec disclosed the flaw on May 26, 2026 after reporting it privately to Mirasvit. According to the advisory, vulnerable versions of Cache Warmer process attacker-controlled serialized data from the CacheWarmer cookie. With a suitable gadget chain, that input can be converted into code execution on the server.

The public timeline is short and important:

  • April 24, 2026: Sansec discovered the vulnerability and deployed a protective Shield rule
  • May 21, 2026: Mirasvit was notified
  • May 25, 2026: Mirasvit released a patched version, 1.11.12
  • May 26, 2026: CVE-2026-45247 was assigned and publicly disclosed
  • June 3, 2026: CISA added the issue to the KEV catalog

That sequence matters because it means patch details and exploit logic have likely become easier for attackers to study. Once a deserialization flaw in a public storefront component is understood, scanning and mass exploitation can scale quickly.

Why this matters for Magento and Adobe Commerce teams

1. The attack lands through normal storefront traffic

This is not an admin-only weakness. The reported attack vector uses a cookie on storefront requests, so exposed web nodes, WAF policies, and application logging all become part of the detection and containment story.

2. Some merchants may not realize the component is installed

Sansec noted that Cache Warmer is bundled with several Mirasvit packages. That increases the chance of hidden exposure, especially in stores with older extension bundles, inherited agency builds, or weak software inventory discipline.

3. Commerce compromises rarely stop at one host

If an attacker reaches code execution on the app tier, the next steps often target skimmers, admin credential theft, cron persistence, or staging points for broader lateral movement. This is where segmentation, hardened admin access, and strong incident response discipline matter more than a simple patch-only mindset.

Affected versions and fix

NVD describes the flaw as affecting Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12. Mirasvit's own changelog confirms the fixed branch was released on May 25, 2026. Any merchant or service provider running an earlier build should treat the store as potentially exposed until verified otherwise.

Because some teams manage multiple storefronts and packaged extension sets, it is worth checking all production, staging, and disaster-recovery environments instead of validating only the main revenue site.

Immediate actions to take

Patch to 1.11.12 or later

Upgrade the Cache Warmer extension immediately. If the plugin is included through a broader package, verify the exact installed module version instead of assuming the meta-package resolved it correctly.

Hunt for suspicious CacheWarmer cookie activity

Sansec highlighted a useful detection clue: malicious requests may include a CacheWarmer: prefix followed by a base64-encoded serialized payload. Review reverse-proxy, CDN, WAF, and origin logs for abnormal cookie values, especially ones beginning with patterns associated with serialized PHP objects.

Look for post-exploitation changes

Check for unexpected PHP files in web-accessible directories, suspicious cron entries, unusual outbound connections, modified payment templates, or admin-side persistence. Remote code execution on a commerce node should trigger full compromise assessment, not just a patch-and-move-on workflow.

Tighten administrative exposure and east-west access

Limit admin panels, SSH, database access, and internal services reachable from the application tier. Strong network segmentation and strict access control reduce how far a storefront compromise can spread.

Validate third-party monitoring and integrity controls

If the environment already uses file-integrity monitoring, CSP reporting, payment-page monitoring, or external store scanners, review recent alerts around the disclosure window. For Magento teams, the real damage often shows up after initial access, not during it.

Detection ideas for security teams

Start with three questions:

  1. Was the vulnerable extension present anywhere in production or staging?
  2. Did any edge logs capture suspicious CacheWarmer cookie values before patching?
  3. Is there any evidence of follow-on payloads, file writes, or credential abuse after web requests touching the affected plugin?

A lightweight hunt can combine WAF logs, origin logs, EDR telemetry, and file-integrity events for the same host group. Teams should also compare timestamps around the public disclosure date and the June 3, 2026 KEV addition, because those moments often drive opportunistic scanning spikes.

Strategic takeaway

CVE-2026-45247 is the kind of bug that turns a performance-oriented extension into an emergency attack surface. The lesson is not only "patch faster." It is also that e-commerce stacks need tighter component inventory, better extension governance, and clearer incident playbooks for third-party modules running on internet-facing revenue systems.

When a public storefront plugin moves into KEV territory, the right response is to treat it like an active intrusion risk: patch, hunt, validate integrity, and assume the attacker may try to persist beyond the original request path.

References

References

  1. Sansec: Critical vulnerability in Mirasvit Cache Warmer for Magento
  2. NVD: CVE-2026-45247
  3. CISA KEV mirror: known_exploited_vulnerabilities.json
  4. Mirasvit Cache Warmer changelog
Tags:
CVE
vulnerability
Magento
Remote Code Execution
Adobe Commerce
L

Written by

Lucas Oliveira

Research

A DevOps engineer and cybersecurity enthusiast with a passion for uncovering the latest in zero-day exploits, automation, and emerging tech. I write to share real-world insights from the trenches of IT and security, aiming to make complex topics more accessible and actionable. Whether I’m building tools, tracking threat actors, or experimenting with AI workflows, I’m always exploring new ways to stay one step ahead in today’s fast-moving digital landscape.

Hot TopicsLast 7 days
1
#Authentication Bypass
13p
2
#AI Security
11p
3
#Account Takeover
7p
4
#Active Exploitation
4p
5
#Access Control
3p
View all tags →
Categories14
All Articlesvulnerability36Threat Hunting & Intel20Cybercrime6Cloud & Application Security5
Stay Updated

Get the latest cybersecurity insights in your inbox.

You Might Also Like

More in Cloud & Application Security →
CVE-2026-45829: ChromaDB Pre-Auth RCE Risk in AI StacksCloud & Application Security

CVE-2026-45829: ChromaDB Pre-Auth RCE Risk in AI Stacks

CVE-2026-45829: ChromaDB Pre-Auth RCE Risk in AI Stacks | 2026 Executive Summary CVE-2026-45829 is a critical ChromaDB flaw that can let unauthenticated attacke...

Lucas OliveiraMay 207m
LiteLLM SQL injection flaw puts AI gateways on the front lineCloud & Application Security

LiteLLM SQL injection flaw puts AI gateways on the front line

LiteLLM SQL injection flaw puts AI gateways on the front line CVE-2026-42208 matters because it turns an AI gateway into a high-value choke point for attackers....

Lucas OliveiraMay 115m
Vishing and SSO abuse are accelerating rapid SaaS extortionCloud & Application Security

Vishing and SSO abuse are accelerating rapid SaaS extortion

Vishing and SSO abuse are accelerating rapid SaaS extortion The most dangerous part of modern SaaS intrusions is not always malware. Sometimes it is speed, trus...

Lucas OliveiraMay 55m
INVADERS

Providing enterprise-grade cybersecurity solutions to protect organizations from evolving digital threats.

FacebookTwitterLinkedIn

Services

  • Web App Vulnerability Reports
  • Threat Hunting & Intelligence
  • Cybercrime & APT Tracking
  • Incident Response & Remediation

Legal

  • Privacy Policy
  • Terms of Service
  • Cookie Policy
  • Security Policy

Company

  • About Us
  • Careers
  • Blog
  • Press

© 2026 Invaders Cybersecurity. All rights reserved.

PrivacyTermsCookies