Critical (9.8) Actively Exploited

Mirasvit FPC Warmer RCE exploited in wild (CVE-2026-45247)

CVE-2026-45247: Mirasvit Full Page Cache Warmer <1.11.12 for Magento 2 grants unauthenticated RCE via PHP object injection. Actively exploited. Update to 1.11.12 immediately.

Actively exploited in the wild - CVE-2026-45247 is a critical PHP object injection vulnerability in Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 that lets unauthenticated attackers achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Patched in version 1.11.12 - update immediately.

Overview

CVE-2026-45247 affects the Mirasvit Full Page Cache Warmer extension for Adobe Magento 2 (formerly Magento Commerce). The vulnerability resides in the extension’s handling of the CacheWarmer cookie, where user-supplied data is passed directly to PHP’s native unserialize() function without any sanitization or validation.

An attacker can exploit this by sending a specially crafted HTTP request whose CacheWarmer cookie value is a malicious serialized PHP object. Combined with gadget chains available in Magento 2 and its PHP dependencies, this leads to arbitrary code execution on the web server.

The vulnerability is rated CVSS 9.8 (Critical): NETWORK attack vector, LOW attack complexity, and no authentication or user interaction required. CISA has added this CVE to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation against unpatched instances.

Despite the high severity and active exploitation, the EPSS (Exploit Prediction Scoring System) probability is only 0.1% over the next 30 days. This indicates that while exploitation is confirmed, it is not yet widespread or automated at scale.

Affected Versions

  • Mirasvit Full Page Cache Warmer for Magento 2 versions before 1.11.12
  • Magento 2 instances running the vulnerable extension

Remediation and Mitigation

Immediate action: Upgrade Mirasvit Full Page Cache Warmer to version 1.11.12 or later. This version removes the dangerous unserialize() call and implements safe deserialization practices.

If immediate patching is not possible:

  • Restrict external access to Magento admin panels and storefronts
  • Implement a web application firewall (WAF) rule to inspect the CacheWarmer cookie for serialized PHP objects
  • Monitor PHP error logs for deserialization errors (failed unserialize() calls) or abnormal PHP error patterns

Detection: Check for unusually long or encoded CacheWarmer cookie values in access logs. Look for PHP fatal errors related to deserialization or unexpected class instantiation.
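As an added defensive example (not Mirasvit's or Magento's code), the following Python scans constructed access-log lines for CacheWarmer cookie values that contain a PHP serialized object token, checking the raw, URL-decoded and base64-decoded forms of the value. It assumes the Cookie request header is written to the access log (for example with Apache's %{Cookie}i) and that a value longer than 64 bytes is abnormal; both are assumptions to tune for your site.

```python
import base64
import re
import urllib.parse

COOKIE_NAME = "CacheWarmer"
MAX_BENIGN_LEN = 64  # assumption: a legitimate warmer cookie value is short
# PHP serialized object ("O:") or custom-serialized class ("C:") token, e.g. O:8:"stdClass":
PHP_OBJECT_RE = re.compile(r'(?:^|[;{])([OC]):\d+:"([A-Za-z0-9_\\]+)"')
COOKIE_RE = re.compile(re.escape(COOKIE_NAME) + r'=([^;"\s]*)')

def decodings(raw):
    """Views to inspect: raw, URL-decoded, and a base64 decoding of each when it parses."""
    views = [raw, urllib.parse.unquote(raw)]
    for value in list(views):
        try:  # binascii.Error is a ValueError: non-base64 input is simply skipped
            views.append(base64.b64decode(value, validate=True).decode("latin-1"))
        except ValueError:
            pass
    return views

def inspect_cookie(raw):
    """Findings for one cookie value; an empty list means nothing suspicious."""
    findings = []
    if len(raw) > MAX_BENIGN_LEN:
        findings.append("length:%d" % len(raw))
    for view in decodings(raw):
        match = PHP_OBJECT_RE.search(view)
        if match:
            findings.append("php-object:%s" % match.group(2))
            break
    return findings

def scan_log(lines):
    """(line_number, findings) for each line whose CacheWarmer cookie looks suspicious."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = COOKIE_RE.search(line)
        findings = inspect_cookie(match.group(1)) if match else []
        if findings:
            hits.append((number, findings))
    return hits

# Constructed sample: Combined Log Format with the Cookie header appended as a last field.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2026:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "CacheWarmer=1"',
    '203.0.113.9 - - [01/Jan/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 512 '
    '"CacheWarmer=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bi%3A1%3B%7D"',
    '203.0.113.9 - - [01/Jan/2026:10:00:02 +0000] "GET / HTTP/1.1" 500 0 "CacheWarmer='
    + base64.b64encode(b'O:8:"stdClass":0:{}').decode() + '"',
]
```

Running scan_log(SAMPLE_LOG) flags lines 2 and 3 (a harmless stdClass stands in for the real object), while the plain "1" value on line 1 is ignored.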

Security Insight

This vulnerability highlights a recurring pattern in Magento ecosystem extensions: third-party plugins that handle user-supplied serialized data without proper validation. Unlike the Magento core, which has largely hardened its deserialization routines, extensions often lag behind in adopting safe PHP practices. The fact that this flaw is being actively exploited while EPSS remains low suggests targeted attacks rather than mass scanning operations - defenders should prioritize patch cycles for any extension that processes cookies, headers, or other client-controlled serialized data.
