






















Sansec discovered an unauthenticated PHP object injection vulnerability in Mirasvit Cache Warmer, a full-page cache extension for Magento and Adobe Commerce. Any storefront request carrying a crafted CacheWarmer cookie reaches PHP's native unserialize() on attacker-controlled data, with no authentication, no admin session and no config toggle required. With a suitable gadget chain, this leads to remote code execution.
The flaw is tracked as CVE-2026-45247, rated 9.8 (critical). Mirasvit released a patched version (1.11.12) on May 25, 2026 and is asking all customers to update.
Sansec Shield customers were protected on April 24, 2026, the day we found the flaw.
Mirasvit Cache Warmer pre-populates Magento's full-page cache for every "vary" state of a page (currency, customer group, and so on). To render a page as a specific visitor, the warmer packs the target session state into a cookie and sends it with each crawl request. On the server, a plugin reads that cookie and switches currency and customer session to match before rendering.
The plugin runs on every storefront request, not just on warmer traffic.
The extension deserializes part of the cookie value with PHP's native unserialize(), without restricting which classes may be instantiated. Because that value comes straight from the client, an attacker controls the objects PHP reconstructs. This is PHP object injection (CWE-502). Combined with a gadget chain from classes that Magento and its dependencies already ship, object injection escalates to remote code execution.
All Mirasvit Cache Warmer versions before 1.11.12 are vulnerable. The extension is bundled with several Mirasvit packages, so many merchants run it without having installed it directly.
Sansec scans found roughly 6,000 stores running Mirasvit extensions. Real numbers are likely higher, since content delivery networks such as Cloudflare hide many installs from our fingerprinting.
The attack leaves a clear request signature. Look for storefront requests that carry a CacheWarmer cookie whose value contains the marker CacheWarmer: followed by a base64 string. Serialized PHP objects base64-encode to values starting with Tz, Qz or YT, so a CacheWarmer cookie value matching CacheWarmer:(Tz|Qz|YT) is a strong indicator of an exploitation attempt.
pub/ and other web-reachable folders for unexpected PHP files.| Date | Event |
|---|---|
| April 24, 2026 | Sansec discovers the vulnerability |
| April 24, 2026 | Sansec Shield rule deployed |
| May 21, 2026 | Mirasvit notified |
| May 25, 2026 | Mirasvit releases patched version 1.11.12 |
| May 26, 2026 | CVE-2026-45247 assigned (9.8 critical) |
| May 26, 2026 | This advisory published |
Mirasvit responded fast, shipping a fix within days of our report. Merchants should update without delay: the flaw needs no authentication, fires on ordinary storefront traffic, and the request signature is trivial for attackers to automate once the patch reveals the fix.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。