Am I vulnerable?
Affected versions
| Product | Vulnerable range | Fixed in |
| --- | --- | --- |
| Mirasvit Full Page Cache Warmer for Magento 2 | All versions before 1.11.12 | 1.11.12 (latest 1.11.13) |
The vulnerable code path is the extension's deserialization of the client-supplied CacheWarmer cookie. Any storefront running the module below 1.11.12 is exploitable by an unauthenticated remote attacker — no admin session, no user interaction.
Diagnostic commands (read-only)
- Composer (Magento root):
composer show mirasvit/module-cache-warmer. Vulnerable if the installed version is below 1.11.12.
- Magento CLI:
bin/magento module:status Mirasvit_CacheWarmer. Confirms the module is present and enabled; the CLI does not print a version, so pair it with the Composer check — an enabled module below 1.11.12 is vulnerable.
- Filesystem (any install method):
grep -R --include=composer.json -m1 '"version"' app/code/Mirasvit/CacheWarmer/ vendor/mirasvit/module-cache-warmer/ 2>/dev/null. Reads the module's metadata version directly. Composer-installed packages often omit the "version" key from their own composer.json; if this prints nothing, read the recorded version from vendor/composer/installed.json instead, or rely on the composer show check.
- Log triage:
grep -aoE 'CacheWarmer[=:](Tz|Qz|YT)[A-Za-z0-9+/=]*' /var/log/nginx/access.log* /var/www/*/var/log/*.log 2>/dev/null | head. Any match is an attempted (possibly successful) exploitation against this host; investigate for follow-on webshells. This only finds anything where the log format records the Cookie header, which the default nginx and Apache combined formats do not, so also check CDN or WAF logs that capture cookies. The match is deliberately case-sensitive: the base64 prefix changes meaning if lowercased.
Vulnerability
The flaw is a textbook PHP object injection (CWE-502, deserialization of untrusted data). The extension passes the client-controlled CacheWarmer HTTP cookie straight into PHP's native unserialize() with no allow-list of permitted classes. An unauthenticated attacker who supplies a crafted serialized object in that cookie can instantiate arbitrary objects and trigger "gadget chains" — sequences of already-loaded class methods that, when chained, reach a dangerous sink. On a Magento 2 stack the available gadgets are plentiful: Sansec, the firm that discovered the bug, traced the escalation to RCE through gadgets shipped by Magento and its dependencies, and Imperva attributed observed in-the-wild chains specifically to Monolog logging classes (SyslogUdpHandler, BufferHandler, FingersCrossedHandler, GroupHandler).
NVD scores it CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) — network-reachable, low complexity, no privileges, no interaction. The decisive detail for triage is that the attack surface is a cookie on ordinary storefront requests, so it is reachable on any internet-exposed store without authentication. Public PoCs and gadget chains exist; the operational takeaway is that exploitation is commodity-grade, not theoretical. Sansec estimated roughly 6,000 stores running the extension, likely an undercount given CDN masking.
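The vulnerable and hardened decode paths side by side, as an added example that is not Mirasvit's code (the page does not show the extension's source or how 1.11.12 fixes it). It assumes the cookie carries base64-encoded serialized data, which is what the Tz/Qz/YT prefixes imply, and uses a hypothetical DemoGadget class with a __wakeup() side effect in place of the Magento/Monolog gadgets the write-ups describe:

```php
<?php
declare(strict_types=1);

// Added example, not the extension's code. DemoGadget is a hypothetical stand-in
// for a class that is already loaded on the target and has an exploitable magic
// method; real chains go through Magento/Monolog classes as described above.
final class GadgetLog
{
    /** @var string[] commands the stand-in gadget "would" have run */
    public static array $fired = [];
}

final class DemoGadget
{
    public string $cmd = '';

    // __wakeup() runs inside unserialize() itself, before the caller can inspect
    // the result. A real gadget reaches a sink from here (or from __destruct());
    // this one only records what it would have executed.
    public function __wakeup(): void
    {
        GadgetLog::$fired[] = $this->cmd;   // stand-in for system($this->cmd)
    }
}

// VULNERABLE (the pre-1.11.12 pattern): the decoded cookie goes straight into
// native unserialize(), so any class named in the payload is instantiated.
function vulnerableDecode(string $cookie): mixed
{
    $raw = base64_decode($cookie, true);
    return $raw === false ? null : @unserialize($raw);
}

// HARDENED: allowed_classes => false turns every object in the payload into a
// __PHP_Incomplete_Class stub, so DemoGadget::__wakeup() never runs. Any object
// that still appears is rejected, leaving only the scalars and arrays a cache
// warmer cookie needs. (Switching the cookie to JSON removes this bug class
// entirely; the serialized format is kept here to show the minimal change.)
function hardenedDecode(string $cookie): mixed
{
    $raw = base64_decode($cookie, true);
    if ($raw === false || $raw === '') {
        return null;
    }
    $value = @unserialize($raw, ['allowed_classes' => false, 'max_depth' => 8]);
    if ($value === false || containsObject($value)) {
        return null;
    }
    return $value;
}

function containsObject(mixed $value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed attacker cookie: a serialized DemoGadget, base64-encoded as the
// cookie is seen on the wire. Note the "Tz" prefix the blocking rules key on.
$cookie = base64_encode('O:10:"DemoGadget":1:{s:3:"cmd";s:2:"id";}');
echo "cookie prefix: " . substr($cookie, 0, 2) . "\n";          // Tz

$obj = vulnerableDecode($cookie);
printf("vulnerable: %s instantiated, gadget fired %d time(s)\n",
    get_class($obj), count(GadgetLog::$fired));                 // DemoGadget, 1

GadgetLog::$fired = [];
$safe = hardenedDecode($cookie);
printf("hardened:   result %s, gadget fired %d time(s)\n",
    var_export($safe, true), count(GadgetLog::$fired));         // NULL, 0

// A benign scalar/array cookie still decodes on the hardened path.
$benign = base64_encode(serialize(['page' => '/catalog', 'depth' => 2]));
echo "benign:     " . json_encode(hardenedDecode($benign)) . "\n";
```

Run it with php demo.php on PHP 8.0 or later. The point to notice is the ordering: __wakeup() fires before unserialize() returns, so no check the caller performs on the result can prevent it; the class allow-list (or a format with no object notion at all) is the only place the control can live.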
Threat model
Who would exploit this: The unauthenticated, no-config RCE vector on internet-exposed Magento storefronts makes this attractive to financially motivated criminal operators rather than targeted state actors. The most likely operators are web-skimmer (Magecart) crews, for whom Magento checkout pages are the classic payment-card monetization target, alongside opportunistic mass-scanning criminals and initial-access brokers who commodify the foothold for resale. Confirmed exploitation to date has been early-stage validation activity from unattributed actors, consistent with broad, indiscriminate scanning rather than a single named group.
What they're after:
- Payment-card skimmer injection into the checkout flow (Magecart-style live card capture) — the primary monetization path for compromised Magento stores
- Exfiltration of the customer database and PII (names, addresses, emails, order history)
- Webshell or backdoor deployment for persistence and resale as initial access
- Foothold sold on via an initial-access broker
- Cryptomining on the compromised host (opportunistic, lower likelihood)
Attack chain: An attacker mass-scans the internet for Magento storefronts running the Mirasvit Cache Warmer extension, then sends an ordinary storefront request carrying a crafted CacheWarmer cookie that triggers insecure deserialization, gaining code execution as the web-server user without authentication. Observed early-stage activity has used the foothold to confirm the vulnerability (benign echo markers and sleep timing checks) before deploying additional tooling. From there, operators typically inject a card skimmer into the checkout flow or drop a webshell for persistent access.
Blast radius: Code execution as the web user on a live storefront exposes the full checkout payment flow, enabling real-time interception of card data as customers enter it, plus read access to the customer PII and order database. The same foothold commonly yields Magento admin credentials, payment-gateway API keys, and database connection secrets stored in app configuration, and provides a pivot point toward the backing DB server and any adjacent or shared-hosting systems.
Mitigation
Patch
Upgrade the Composer package to the fixed release. This is the only vendor-stated fix — there is no standalone hotfix or config flag from Mirasvit.
composer require mirasvit/module-cache-warmer:^1.11.13
bin/magento setup:upgrade && bin/magento cache:flush
| Product | Fixed version | Released |
| --- | --- | --- |
| Mirasvit Full Page Cache Warmer for Magento 2 | 1.11.12 (changelog: "Fixed PHP Object Injection vulnerability in session cookie deserialization") | 2026-05-25 |
| Mirasvit Full Page Cache Warmer for Magento 2 (latest available) | 1.11.13 | 2026-05-27 |
Configuration mitigation
These are interim stopgaps to block the known cookie pattern until you can upgrade, not a substitute for the patch. A base64-encoded serialized PHP value starts with Tz for an object (O:), Qz for a custom-serialized class (C:), or YT for an array (a:); this is Sansec's published heuristic. It is a two-character prefix check, not a decode: "Tz" covers any value whose first byte is "O" followed by a character in the range 0x30 to 0x3F, so a legitimate cookie value can collide with it. Validate against legitimate traffic before enforcing.
nginx — block CacheWarmer cookies carrying a base64 serialized-object marker:
# In the relevant server { } block
if ($http_cookie ~* "CacheWarmer=(Tz|Qz|YT)") {
return 403;
}
Apache (mod_rewrite) — equivalent block:
RewriteEngine On
RewriteCond %{HTTP_COOKIE} (^|;\s*)CacheWarmer=(Tz|Qz|YT) [NC]
RewriteRule .* - [F,L]
Compensating controls
- Deploy or tune WAF coverage to block serialized-PHP objects in cookies and headers (Sansec ships dedicated Shield coverage; generic WAFs can match the CacheWarmer=(Tz|Qz|YT) pattern above).
- Scan for planted backdoors: audit web-accessible directories such as pub/, pub/media/, and media/ for unexpected .php files, and diff core/checkout assets for injected external <script> tags. Magento-specific scanners (e.g. eComscan) help here.
- Rotate Magento admin credentials, payment-gateway API keys, and DB secrets if any exploitation indicator is found — RCE as the web user exposes all of them.
Detection (starter rules — validate before deploying)
These rules are AI-generated starter content. Test against your own telemetry and tune false positives before deploying to production.
Network and log signals
- Inbound storefront requests carrying a CacheWarmer cookie whose value contains raw serialized-PHP markers (O:, a:, C:) or their URL-encoded forms (O%3A, a%3A, C%3A).
- CacheWarmer cookie values that are base64-encoded serialized PHP: base64 of O:/a:/C: begins with Tz, YT, or Qz. A strong gadget-chain indicator.
- A CacheWarmer cookie on a request from an unauthenticated client reaching storefront endpoints; legitimate use of this cookie should be rare and internal.
- New or recently modified .php files under pub/, pub/media/, media/, or app/code/ shortly after such requests: a possible dropped webshell.
- Checkout JS or templates gaining external <script src=...> tags pointing at unfamiliar domains: card-skimmer (Magecart) injection.
- Outbound connections from the php-fpm/web-server process to unfamiliar IPs following such requests: possible reverse shell, payload retrieval, or skimmer exfiltration.
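A small triage script implementing the cookie signals above and the log grep from the "Am I vulnerable?" section, as an added example that is not part of the page's rules. It assumes an access-log format whose last quoted field is the Cookie header ($http_cookie appended to the nginx combined format); the log lines and the DemoGadget class name are constructed for the example. Unlike the Tz/YT/Qz prefix check alone, it base64-decodes the value and confirms the result really starts like PHP serialized data, which removes most prefix collisions:

```php
<?php
declare(strict_types=1);

// Added example, not from the page's rules. Classifies a raw Cookie header for
// CacheWarmer object-injection attempts, one step past the Tz/YT/Qz heuristic.

// Serialized PHP object (O:), custom class (C:) or array (a:) at the start.
const SERIALIZED_PREFIX = '/^(O|C):\d+:"|^a:\d+:\{/';

/** Split a Cookie header into name => value (first occurrence wins). */
function parseCookieHeader(string $header): array
{
    $out = [];
    foreach (explode(';', $header) as $pair) {
        $pair = trim($pair);
        if ($pair === '' || !str_contains($pair, '=')) {
            continue;
        }
        [$name, $value] = explode('=', $pair, 2);
        $out[$name] ??= $value;
    }
    return $out;
}

/**
 * Returns null for an absent or benign cookie, otherwise a reason:
 *   raw        - value is serialized PHP as-is (possibly URL-encoded)
 *   base64     - value is valid base64 and decodes to serialized PHP
 *   b64-prefix - value starts with Tz/YT/Qz but does not decode cleanly
 *                (lower confidence: prefix collision or deliberate mangling)
 */
function classifyCacheWarmer(string $cookieHeader): ?string
{
    $cookies = parseCookieHeader($cookieHeader);
    if (!isset($cookies['CacheWarmer'])) {
        return null;
    }
    // rawurldecode leaves '+' alone, so base64 payloads survive the decode.
    $value = rawurldecode($cookies['CacheWarmer']);
    if (preg_match(SERIALIZED_PREFIX, $value)) {
        return 'raw';
    }
    $decoded = base64_decode($value, true);
    if ($decoded !== false && preg_match(SERIALIZED_PREFIX, $decoded)) {
        return 'base64';
    }
    if (preg_match('/^(Tz|YT|Qz)/', $value)) {
        return 'b64-prefix';
    }
    return null;
}

/** Run the classifier over log lines whose last quoted field is the Cookie header. */
function triageAccessLog(array $lines): array
{
    $hits = [];
    foreach ($lines as $n => $line) {
        if (!preg_match('/"([^"]*)"\s*$/', $line, $m)) {
            continue;
        }
        if (($reason = classifyCacheWarmer($m[1])) !== null) {
            $hits[$n + 1] = $reason;
        }
    }
    return $hits;
}

// Constructed sample lines (not real traffic). Line 1: base64 gadget cookie.
// Line 2: URL-encoded raw object behind a session cookie. Line 3: benign value
// that happens to start with "Tz". Line 4: no cookie at all.
$payloadB64 = base64_encode('O:10:"DemoGadget":1:{s:3:"cmd";s:2:"id";}');
$lines = [
    '203.0.113.7 - - [08/Jun/2026:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.0" "CacheWarmer=' . $payloadB64 . '"',
    '203.0.113.8 - - [08/Jun/2026:10:01:03 +0000] "GET /catalog HTTP/1.1" 200 8192 "-" "Mozilla/5.0" "PHPSESSID=abc; CacheWarmer=O%3A10%3A%22DemoGadget%22%3A1%3A%7Bs%3A3%3A%22cmd%22%3Bs%3A2%3A%22id%22%3B%7D"',
    '198.51.100.4 - - [08/Jun/2026:10:01:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" "CacheWarmer=TzNotBase64!"',
    '198.51.100.5 - - [08/Jun/2026:10:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"',
];

foreach (triageAccessLog($lines) as $lineNo => $reason) {
    echo "line $lineNo: $reason\n";   // line 1: base64, line 2: raw, line 3: b64-prefix
}
```

The third line is why the decode step matters: a prefix-only grep or WAF rule flags it with the same confidence as a real payload, while the decode-and-verify path demotes it to a low-confidence hit you can review rather than block.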
YARA
rule CVE_2026_45247_cachewarmer_object_injection_starter
{
    meta:
        author = "CVE Brief"
        description = "Starter rule: detects serialized-PHP-object markers in a CacheWarmer cookie value (CVE-2026-45247 Mirasvit Full Page Cache Warmer object injection) in captured HTTP request data or webserver logs, OR generic PHP webshell artifacts as a post-exploitation indicator."
        reference = "https://sansec.io/research/mirasvit-cache-warmer-object-injection"
        cve = "CVE-2026-45247"
        warning = "AI-generated starter rule - validate and tune in your environment before deploying."
        date = "2026-06-08"

    strings:
        // CacheWarmer cookie value that starts with a raw or URL-encoded serialized-PHP
        // marker: object (O:), array (a:) or custom-serialized class (C:), e.g. "O:10:".
        // Anchoring to the cookie name avoids matching the bare two-byte markers,
        // which occur in almost any text.
        $ser_raw = /CacheWarmer=(O|a|C)(:|%3A)[0-9]+(:|%3A)/
        // Base64-encoded serialized prefixes (O: -> Tz, a: -> YT, C: -> Qz), followed
        // by enough base64 text to carry an object rather than a short token
        $ser_b64 = /CacheWarmer=(Tz|YT|Qz)[A-Za-z0-9+\/=]{16,}/
        // Generic PHP webshell / post-exploitation strings
        $sh1 = "<?php" ascii
        $sh2 = "eval(" ascii nocase
        $sh3 = "base64_decode(" ascii nocase
        $sh4 = "system(" ascii nocase
        $sh5 = "shell_exec(" ascii nocase
        $sh6 = "passthru(" ascii nocase
        $sh7 = "$_POST[" ascii
        $sh8 = "$_REQUEST[" ascii

    condition:
        // Exploitation attempt: serialized-PHP marker directly inside the CacheWarmer cookie value
        $ser_raw or $ser_b64
        // Or post-exploitation: PHP webshell artifact
        or ( $sh1 and 2 of ( $sh2, $sh3, $sh4, $sh5, $sh6, $sh7, $sh8 ) )
}
Sigma
title: Mirasvit Cache Warmer CacheWarmer Cookie PHP Object Injection (CVE-2026-45247)
id: 6f2a1c4e-8b3d-4e7a-9c1f-2d5b7a0e4c91
status: experimental
description: Detects inbound HTTP requests carrying a CacheWarmer cookie whose value starts with serialized-PHP object markers (O:/a:/C:), their URL-encoded forms, or base64-encoded serialized-object prefixes, indicating exploitation attempts against the unauthenticated PHP object injection in Mirasvit Full Page Cache Warmer for Magento 2 (CVE-2026-45247).
author: CVE Brief
date: 2026-06-08
references:
    - https://sansec.io/research/mirasvit-cache-warmer-object-injection
tags:
    - attack.initial-access
    - attack.t1190
    - attack.execution
    - cve.2026-45247
logsource:
    category: webserver
detection:
    # Every marker is anchored to the cookie name; a separate "contains CacheWarmer"
    # selection would be redundant. cs-cookie is the W3C-style client Cookie header
    # field; map it to whatever your access-log schema calls the Cookie header.
    selection_serialized_markers:
        cs-cookie|contains:
            - 'CacheWarmer=O:'
            - 'CacheWarmer=a:'
            - 'CacheWarmer=C:'
            - 'CacheWarmer=O%3A'
            - 'CacheWarmer=a%3A'
            - 'CacheWarmer=C%3A'
            - 'CacheWarmer=Tz'
            - 'CacheWarmer=YT'
            - 'CacheWarmer=Qz'
    condition: selection_serialized_markers
falsepositives:
    - Legitimate Mirasvit cache-warming traffic that sets a benign CacheWarmer cookie value
    - Benign cookie values that happen to share the two-character base64 prefix (Tz/YT/Qz)
    - Authorized vulnerability scanners, ASM tools, or penetration tests probing the endpoint
    - Security research and detection-validation traffic
    - Field name mismatch - tune cs-cookie to your access-log cookie field (e.g. Cookie header capture)
level: high
Rule notes
The rules key on the CacheWarmer cookie value carrying serialized-PHP markers (raw O:/a:/C:, URL-encoded O%3A/a%3A/C%3A, or the base64 prefixes Tz/YT/Qz), plus a generic PHP-webshell fallback in YARA for post-exploitation; the base64 prefixes and the cookie-name anchoring come from Sansec's public write-up. Limitations: many webservers do not log the Cookie header by default (enable cookie logging and map the rule's cookie field to your log schema); bare O:/a:/C: strings match a great deal of benign content, so every marker is anchored to the cookie name; the base64 prefix is a two-character heuristic that a benign value with the same leading bytes can collide with; and payloads using non-default encodings or split cookies evade these string matches. Validate against your own log format before deploying.
References