{“lastseen”:”2026-05-29T20:05:08″,”description”:”**_TL;DR:_** _CVE-2026-45247_ _is a critical unauthenticated remote code execution (RCE) vulnerability affecting Mirasvit Full Page Cache Warmer for Magento 2. The flaw stems from unsafe PHP deserialization of attacker-controlled data supplied through the CacheWarmer cookie. Successful exploitation can allow attackers to execute arbitrary commands on vulnerable Magento and Adobe Commerce servers without authentication. Mirasvit released a fix in version 1.11.12 and organizations should update immediately._\\n\\n_Imperva customers are protected against exploitation attempts associated with CVE-2026-45247. Since disclosure, Imperva has observed active exploitation attempts containing serialized PHP object payloads designed to achieve remote code execution through PHP Object Injection gadget chains._\\n\\n## **About CVE-2026-45247**\\n\\nOn May 26, 2026, researchers at Sansec disclosed a critical vulnerability in Mirasvit Full Page Cache Warmer, a Magento and Adobe Commerce extension used to pre-populate and manage storefront cache content. The vulnerability was assigned CVE-2026-45247 and carries a CVSS score of 9.8.\\n\\nAccording to the advisory, the extension processes a client-supplied CacheWarmer cookie and passes attacker-controlled data directly into PHP\u2019s native unserialize() function without restricting which classes may be instantiated. Because the cookie is accepted on ordinary storefront requests, exploitation does not require authentication, administrative access, or any special configuration.\\n\\nSansec researchers found that attackers can leverage existing gadget chains present within Magento and its dependencies to escalate the vulnerability from PHP Object Injection (CWE-502) to full remote code execution. A single crafted cookie can ultimately allow arbitrary commands to be executed on the target server.\\n\\nThe vulnerability affects Mirasvit Full Page Cache Warmer versions prior to 1.11.12. Mirasvit released a patched version on May 25, 2026 and recommends all customers update immediately.\\n\\n## **What We ‘ve Seen**\\n\\nSince disclosure, Imperva has observed active attack activity attempting to exploit CVE-2026-45247 through serialized PHP object payloads delivered via HTTP requests.\\n\\nObserved payloads contain base64-encoded serialized objects designed to trigger PHP Object Deserialization and achieve remote code execution through commonly abused gadget chains. Several requests leverage classes from the widely used Monolog logging library, including:\\n\\n * Monolog\\\\Handler\\\\SyslogUdpHandler\\n * Monolog\\\\Handler\\\\BufferHandler\\n * Monolog\\\\Handler\\\\FingersCrossedHandler\\n * Monolog\\\\Handler\\\\GroupHandler\\n\\n\\n\\nThe payloads attempt to invoke functions such as system() and current() to execute arbitrary commands on the underlying server. In several observed cases, attackers used test commands designed to validate successful code execution, including:\\n \\n \\n echo PWNED_CVE2026_$(date +%s)\\n\\nand\\n \\n \\n sleep 5\\n\\nThese payloads are consistent with early-stage exploitation activity where attackers first verify vulnerability presence before deploying additional tooling, persistence mechanisms, webshells, or malware.\\n\\nSo far, observed attacks have primarily targeted **Gaming** and **Business** sites. The most targeted countries have been the **United States** , **United Kingdom** , **France** , and **Australia**.\\n\\nThe observed payloads suggest attackers are actively attempting to identify vulnerable Magento environments and validate remote command execution capabilities shortly after public disclosure.\\n\\n## **Mitigation and Protection**\\n\\nOrganizations using Mirasvit Full Page Cache Warmer should immediately upgrade to version **1.11.12** or later. Researchers noted that some organizations may be running the vulnerable component unknowingly because Cache Warmer can be bundled within other Mirasvit packages. Administrators should review installed Mirasvit modules and verify deployed versions.\\n\\nOrganizations should also review web server and application logs for suspicious CacheWarmer cookie values, particularly base64-encoded serialized object strings beginning with common PHP serialization markers. Because successful exploitation can lead to arbitrary code execution, potentially affected environments should be assessed for indicators of compromise, unauthorized file modifications, webshell deployment, and unexpected command execution activity.\\n\\nImperva customers are protected against exploitation attempts associated with CVE-2026-45247. Imperva Cloud WAF and WAF Gateway inspect malicious HTTP requests targeting vulnerable Magento components and can identify and block serialized object payloads, deserialization attempts, and remote code execution patterns before they reach vulnerable applications.\\n\\n## **Bottom Line**\\n\\nCVE-2026-45247 represents a highly critical threat to Magento and Adobe Commerce environments due to its unauthenticated nature and potential for full remote code execution. The vulnerability requires only a crafted cookie delivered through a normal storefront request, significantly lowering the barrier to exploitation. Organizations running Mirasvit extensions should verify whether Cache Warmer is installed, update immediately to version 1.11.12 or later, and review logs for signs of exploitation activity.\\n\\nImperva customers remain protected against exploitation attempts associated with this vulnerability. Imperva Cloud WAF and WAF Gateway identify and block malicious deserialization payloads, PHP Object Injection attempts, and remote code execution techniques commonly used to exploit this vulnerability. By inspecting HTTP requests before they reach backend applications, Imperva helps prevent exploitation attempts from reaching vulnerable systems while organizations work to identify affected installations and apply vendor patches.\\n\\nThe post Imperva Customers Protected Against CVE-2026-45247 in Mirasvit Full Page Cache Warmer for Magento appeared first on Blog.”,”published”:”2026-05-29T18:16:18″,”modified”:”2026-05-29T18:16:18″,”type”:”impervablog”,”title”:”Imperva Customers Protected Against CVE-2026-45247 in Mirasvit Full Page Cache Warmer for Magento”,”source”:””,”references”:””,”id”:”IMPERVABLOG:E4E2C1D23C9CF8EE01C3B384B9B152C9″,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[“CVE-2026-45247″],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.imperva.com\/blog\/imperva-customers-protected-against-cve-2026-45247-in-mirasvit-full-page-cache-warmer-for-magento\/”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-29T20:05:08″,”description”:”**_TL;DR:_** _CVE-2026-45247_ _is a critical unauthenticated remote code execution (RCE) vulnerability affecting Mirasvit Full Page Cache Warmer for Magento 2. The flaw stems from unsafe…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[9,6,8,35,12,59,13,7,11,5],"class_list":["post-58421","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-impervablog","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n