Mirasvit Full Page Cache Warmer Deserialization of Untrusted Data Vulnerability (CVE-2026-45247)
Severity Assessment
- Exploitability: 10/10 — NVD scores CVE-2026-45247 at a CVSS 3.1 base score of 9.8 (CRITICAL) with an unauthenticated remote attack path and low attack complexity.
- Impact: 10/10 — Successful exploitation allows arbitrary code execution through insecure deserialization behavior.
- Weaponization Risk: 8/10 — Publicly available remediation notes confirm the flaw in the session-cookie deserialization path in versions before 1.11.12, and the exploit conditions are described as unauthenticated remote abuse.
- Patch Urgency: 10/10 — The issue is in CISA KEV with a mandated remediation due date, and a patch version is identified.
- Detection Coverage: 5/10 — Logs and deployment hygiene checks can detect suspicious behavior, but stable IOC sets are not widely publicized.
Summary
CVE-2026-45247 is a deserialization-of-untrusted-data flaw in Mirasvit Full Page Cache Warmer for Magento 2. NVD describes the vulnerability as PHP object injection in session cookie deserialization that can be triggered by an unauthenticated attacker providing a crafted serialized object in the CacheWarmer cookie. The advisory path indicates the vulnerability can lead to remote code execution.
Mirasvit fixed the issue in release 1.11.12. Affected versions are those up to (but excluding) 1.11.12. The flaw is classified as CWE-502.
The vulnerability is listed in CISA KEV. CISA-added metadata indicates the required response window and supports urgent patching or equivalent mitigations.
Exploit Chain
Stage 1: Reach an exposed Magento extension endpoint
An internet-facing Magento 2 environment running an unpatched Mirasvit Full Page Cache Warmer extension can be reached over the network; no authenticated session is required.
Stage 2: Deliver crafted serialized input
Attackers supply a crafted serialized PHP object into the CacheWarmer session-cookie pathway.
Stage 3: Trigger unsafe deserialization
The vulnerable code path performs a permissive or unsafe deserialization process, creating gadget-chain opportunities with existing Magento and dependency objects.
Stage 4: Execute arbitrary server-side code
The deserialization flaw yields code execution on the server, which can be used for unauthorized command execution or deeper host compromise.
Detection Guidance
- Validate inventory and patch level for Magento 2 instances using Mirasvit Full Page Cache Warmer; verify all are on version 1.11.12 or later.
- Search web-server and PHP application logs for abnormal patterns in cache-warmer session cookie values tied to deserialization or object-related warnings.
- Review application exception logs for spikes in warnings around warm-up activity, particularly where cookie values resembling serialized-object payloads appear.
- Segment and harden management planes for Magento infrastructure so cache-warmer or warm-up routes are not broadly exposed without strict ACLs.
- Run immediate incident-response triage if unexpected admin-side changes, shell activity, or unknown scheduler/cron behavior appears after suspicious traffic.
Indicators of Compromise
Public sources do not publish stable malware, domain, or hash indicators specific to this CVE.
Operational indicators may include:
- Unusually malformed or non-standard CacheWarmer cookie values in application logs.
- Unexpected PHP deserialization warnings, or other warnings involving session-cookie handling.
- Sudden admin-privileged or process-level behavior changes on Magento application hosts running unpatched versions.
- Anomalous outbound or scheduled tasks appearing shortly after cache-warmer warm-up windows.
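A log-scanning heuristic for the cookie-based indicator above and for the log search suggested under Detection Guidance, added here as an example rather than code from Mirasvit, NVD or CISA. It assumes access-log lines that carry the request's Cookie header, that a legitimate CacheWarmer cookie never needs to carry PHP class-instantiation tokens, and the sample lines are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (combined log format with the request's Cookie
# header appended in quotes); illustrative only, not captured traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [26/May/2026:10:01:02 +0000] "GET /catalog/product/view/id/7 HTTP/1.1" 200 5120 "CacheWarmer=a%3A1%3A%7Bs%3A4%3A%22warm%22%3Bi%3A1%3B%7D"
203.0.113.11 - - [26/May/2026:10:01:05 +0000] "GET /catalog/product/view/id/8 HTTP/1.1" 200 5120 "CacheWarmer=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D; frontend=abc"
203.0.113.12 - - [26/May/2026:10:01:09 +0000] "GET / HTTP/1.1" 200 4096 "frontend=xyz"
"""

COOKIE_NAME = "CacheWarmer"  # the cookie named in the advisory
# Serialization tokens that make unserialize() instantiate a class:
# O:<len>:"Class" and C:<len>:"Class". Scalars and arrays (s:, i:, b:, d:,
# a:, N;) cannot trigger object injection on their own, so they are not flagged.
OBJECT_TOKEN = re.compile(r'(?<![A-Za-z0-9_])[OC]:\d+:"([^"]+)"')

def decode_cookie_value(raw: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so a double-encoded value is not missed."""
    value = raw
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def extract_cookie(line: str, name: str = COOKIE_NAME):
    """Decoded value of cookie `name` from one log line, or None if absent."""
    m = re.search(r'(?:^|[;\s"])' + re.escape(name) + r'=([^;"\s]*)', line)
    return decode_cookie_value(m.group(1)) if m else None

def php_object_tokens(value: str):
    """Class names referenced by O:/C: tokens in a PHP-serialized string."""
    return OBJECT_TOKEN.findall(value)

def scan_log(text: str):
    """Flag lines whose CacheWarmer cookie would instantiate PHP objects."""
    hits = []
    for line in text.splitlines():
        value = extract_cookie(line)
        if value is not None and php_object_tokens(value):
            hits.append({"ip": line.split(" ", 1)[0],
                         "classes": php_object_tokens(value), "cookie": value})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']}: CacheWarmer cookie instantiates {hit['classes']}")
```

Any hit is a triage lead, not proof of compromise; confirm against the module version on the host and the PHP warning logs named above.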
Disclosure Timeline
2026-05-25 — Mirasvit released 1.11.12 fix
Mirasvit changelog entries for the full_page_cache_warmer module show a fix entry for a PHP Object Injection vulnerability in session cookie deserialization, with associated warning cleanup, in version 1.11.12.
2026-05-26 — CVE published with impact details
NVD published CVE-2026-45247 details with CVSS 3.1 score 9.8 CRITICAL (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and CWE-502 classification.
2026-06-03 — CISA KEV inclusion
CISA added CVE-2026-45247 to the Known Exploited Vulnerabilities catalog, with a required action date of 2026-06-06.
Sources & References
- Cybersecurity and Infrastructure Security Agency: Known Exploited Vulnerabilities Catalog — Cybersecurity and Infrastructure Security Agency, 2026-06-03
- National Vulnerability Database: CVE-2026-45247 — National Vulnerability Database, 2026-05-26
- Mirasvit: Full Page Cache Warmer changelog — Mirasvit, 2026-05-25