A newly disclosed Magento cache plugin vulnerability is putting thousands of ecommerce stores at immediate risk of compromise. The flaw, tracked as CVE-2026-45247, enables attackers to execute arbitrary code on affected systems without authentication, admin access, or any prior foothold.
Discovered by security researchers at Sansec, the vulnerability affects the widely used Mirasvit Cache Warmer plugin—an extension designed to optimize Magento and Adobe Commerce storefront performance. With a CVSS score of 9.8, the issue is being treated as critical due to its ease of exploitation and severe impact.
Key Details
The vulnerability exists in Mirasvit Cache Warmer, a plugin used to preload cached versions of store pages across different session scenarios, such as:
- Currency settings
- Customer groups
- Personalized session states
To enable this functionality, the plugin embeds session-related data inside a browser cookie. Each incoming request carries this cookie, which is processed server-side to reconstruct session context.
However, researchers found that the plugin passes part of this cookie directly into PHP’s unserialize() function—without proper validation or restrictions.
This design flaw allows attackers to craft malicious cookie values and trigger unintended behavior on the server.
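The anti-pattern described above, shown beside a hardened replacement, as an added PHP illustration written for this article; it is not Mirasvit's code and is not taken from the Sansec write-up. The cookie field names (`currency`, `customer_group`), the allow-list values and the HMAC key are assumptions made for the example. The unsafe function reproduces the flaw in its simplest form; the safe functions avoid handing client input to unserialize() at all: they carry the session context as JSON (which can only yield scalars and arrays), authenticate the cookie so only server-issued values are accepted, and validate every field before use.

```php
<?php
// Added example, not the plugin's code. Field names, allowed values and the
// secret key below are assumptions chosen for illustration.

// --- Vulnerable pattern the article describes -------------------------------
// Whatever the client sends reaches unserialize(); any autoloadable class with a
// __wakeup() or __destruct() method can be instantiated from attacker input.
function restoreContextUnsafe(string $cookieValue): array
{
    $data = unserialize(base64_decode($cookieValue));
    return is_array($data) ? $data : [];
}

// --- Hardened alternative ----------------------------------------------------
const ALLOWED_CURRENCIES = ['USD', 'EUR', 'GBP'];   // assumption: store currencies
const MAX_CUSTOMER_GROUP = 100;                     // assumption: highest group id

// Issue the cookie: JSON body plus an HMAC over it. Only the server knows $key,
// so a client cannot forge or alter a value that will later be accepted.
function issueContextCookie(array $ctx, string $key): string
{
    $json = json_encode($ctx, JSON_THROW_ON_ERROR);
    $mac  = hash_hmac('sha256', $json, $key);
    return base64_encode($json) . '.' . $mac;   // '.' never appears in base64
}

// Read the cookie back: verify the MAC first, decode JSON (never objects),
// then allow-list each field. Returns null on anything unexpected.
function restoreContextSafe(string $cookieValue, string $key): ?array
{
    $parts = explode('.', $cookieValue, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$b64, $mac] = $parts;
    $json = base64_decode($b64, true);
    if ($json === false || !hash_equals(hash_hmac('sha256', $json, $key), $mac)) {
        return null;   // tampered, or not issued by this server
    }
    $ctx = json_decode($json, true);
    if (!is_array($ctx)) {
        return null;
    }
    $currency = $ctx['currency'] ?? '';
    $group    = $ctx['customer_group'] ?? null;
    if (!in_array($currency, ALLOWED_CURRENCIES, true)) {
        return null;
    }
    if (!is_int($group) || $group < 0 || $group > MAX_CUSTOMER_GROUP) {
        return null;
    }
    return ['currency' => $currency, 'customer_group' => $group];
}

// Stopgap if legacy serialized data must still be read: refuse to instantiate
// any class. Objects in the input become __PHP_Incomplete_Class and no
// __wakeup()/__destruct() of a real class runs.
function restoreLegacyWithoutObjects(string $raw): array
{
    $data = unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// Demonstration with a constructed key and cookie.
$key    = 'example-server-secret-do-not-reuse';
$cookie = issueContextCookie(['currency' => 'EUR', 'customer_group' => 3], $key);

var_dump(restoreContextSafe($cookie, $key));           // accepted: server-issued
var_dump(restoreContextSafe($cookie . 'x', $key));     // rejected: MAC mismatch
var_dump(restoreContextSafe(base64_encode('O:8:"stdClass":0:{}') . '.0', $key)); // rejected
var_dump(restoreLegacyWithoutObjects('a:1:{s:8:"currency";s:3:"USD";}'));        // plain array
```

The `allowed_classes` option (PHP 7.0 and later) is a mitigation, not a fix: the parser still consumes attacker-controlled input, and code that later touches an `__PHP_Incomplete_Class` instance can misbehave. The durable change is the one the first two safe functions make: stop deserializing client data into objects and authenticate anything the server expects to trust on its way back in.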
Key facts include:
- Affects all versions before 1.11.12
- Plugin is often bundled with other Mirasvit extensions
- Approximately 6,000 exposed stores identified, with actual numbers likely higher
- Exploitable via public storefront requests, not limited to internal functionality
Technical Analysis
The root cause is a classic PHP Object Injection vulnerability (CWE-502)—a well-known but still dangerous class of application-layer flaws.
Here’s how the attack unfolds:
- The attacker crafts a malicious cookie value containing serialized PHP objects.
- The request is sent to the Magento storefront.
- The vulnerable plugin processes the cookie using unserialize() without restrictions.
- The injected object triggers a gadget chain—a sequence of existing PHP classes that execute unintended logic.
- This leads to remote code execution (RCE) on the server.
Because Magento and its dependencies include numerous reusable classes, attackers can chain them together to execute system commands.
The vulnerability is particularly dangerous because:
- It requires no authentication
- It executes on every incoming request path
- It bypasses most traditional access controls
Additionally, exploitation attempts leave identifiable patterns in logs. Requests often contain a cookie named:
CacheWarmer:<base64_payload>
Base64-encoded serialized objects typically start with one of:
Tz, Qz, or YT
This makes the pattern CacheWarmer:(Tz|Qz|YT) a reliable indicator of attack activity.
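A log scan that applies this indicator, as an added example (not the article's or Sansec's code) that also serves the "Monitor Logs Closely" recommendation later in the article. The three prefixes are the base64 encodings of the serialize() type markers `O:` (object), `C:` (custom-serialized object) and `a:` (array), which is why the pattern catches object-injection payloads regardless of what follows. The log lines are constructed for this example, and the format assumes the web server has been configured to log the cookie value alongside the standard combined fields; adjust the regular expression to however your own logs record cookies.

```php
<?php
// Added example: scan access-log lines for the CacheWarmer:(Tz|Qz|YT) indicator.
// The log lines below are constructed; the cookie value being present in the
// log is an assumption about the server's LogFormat.

// Match the indicator and capture the rest of the base64 value for the report.
const INDICATOR = '/CacheWarmer:(Tz|Qz|YT)[A-Za-z0-9+\/=]*/';

// base64("O:") -> "Tz", base64("C:") -> "Qz", base64("a:") -> "YT"
function serializedTypeFromPrefix(string $prefix): string
{
    return match ($prefix) {
        'Tz'    => 'object (O:)',
        'Qz'    => 'custom-serialized object (C:)',
        'YT'    => 'array (a:)',
        default => 'unknown',
    };
}

// Returns null for a clean line, otherwise a small record for the analyst.
function scanLogLine(string $line): ?array
{
    if (!preg_match(INDICATOR, $line, $m)) {
        return null;
    }
    $ip = strtok($line, ' ');   // first field of common/combined log format
    return [
        'ip'     => $ip,
        'prefix' => $m[1],
        'type'   => serializedTypeFromPrefix($m[1]),
        'match'  => $m[0],
    ];
}

// Scan many lines, keeping the 1-based line number of each hit.
function scanLog(array $lines): array
{
    $hits = [];
    foreach ($lines as $n => $line) {
        $hit = scanLogLine($line);
        if ($hit !== null) {
            $hit['line'] = $n + 1;
            $hits[]      = $hit;
        }
    }
    return $hits;
}

// Constructed sample: one benign JSON-style cookie (base64 of {"currency":"USD"}),
// one value whose prefix decodes to the start of a serialized object (O:29:"),
// and one whose prefix decodes to the start of a serialized array (a:1:{i:0;).
$sample = [
    '203.0.113.10 - - [01/Jan/2026:10:00:00 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0" "CacheWarmer:eyJjdXJyZW5jeSI6IlVTRCJ9"',
    '198.51.100.7 - - [01/Jan/2026:10:00:01 +0000] "GET /catalog HTTP/1.1" 200 4410 "-" "curl/8.0" "CacheWarmer:TzoyOToi"',
    '198.51.100.7 - - [01/Jan/2026:10:00:02 +0000] "GET / HTTP/1.1" 500 0 "-" "python-requests/2.31" "CacheWarmer:YToxOntpOjA7"',
];

foreach (scanLog($sample) as $hit) {
    printf("line %d: %s sent a serialized %s payload (%s)\n",
        $hit['line'], $hit['ip'], $hit['type'], $hit['match']);
}
```

Two hits from the same client within a second, one of them answered with a 500, is exactly the probing pattern the article asks teams to look for; feed `scanLog()` your real access logs (or translate `INDICATOR` into a WAF or SIEM rule) and pivot on the source address and time window of any match. The `match` expression requires PHP 8.0 or later.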
Impact and Risks
The implications of CVE-2026-45247 are severe, particularly for online businesses relying on Magento:
- Full server compromise, including web server takeover
- Injection of webshells or backdoors
- Theft of customer data, payment details, and session tokens
- Unauthorized modification of storefront content
- Potential ransomware deployment or supply chain compromise
Because ecommerce platforms handle sensitive financial and personal data, successful exploitation could lead to:
- Regulatory penalties (GDPR, PCI DSS violations)
- Brand reputation damage
- Direct financial loss
The fact that the plugin runs on public-facing endpoints significantly increases the attack surface.
Expert Recommendations
Organizations running Magento or Adobe Commerce should act immediately:
1. Patch Immediately
- Upgrade to Mirasvit Cache Warmer 1.11.12 or later
- Ensure all bundled Mirasvit modules are updated
2. Deploy WAF Protection
- Configure rules to block:
- Serialized object payloads
- Malicious cookie patterns
- Use advanced WAFs capable of detecting PHP object injection attempts
3. Monitor Logs Closely
- Look for suspicious cookies matching:
CacheWarmer:(Tz|Qz|YT)
- Investigate unusual request patterns or repeated probing
4. Scan for Indicators of Compromise
- Check for:
- Webshells in /pub/ directories
- Unauthorized PHP files
- Suspicious cron jobs or processes
5. Audit Installed Extensions
- Identify whether Cache Warmer is indirectly installed via bundled packages
- Remove unused or outdated plugins
6. Strengthen Application Security
- Disable unsafe PHP functions where possible
- Implement strict input validation and serialization handling
- Integrate monitoring into SIEM platforms
Industry Context
CVE-2026-45247 highlights a persistent issue in modern web applications: insecure deserialization vulnerabilities.
Despite being widely understood, PHP object injection flaws continue to appear in production systems—often due to legacy coding patterns or performance-centric shortcuts.
Ecommerce platforms are particularly attractive targets because they:
- Process financial transactions
- Store valuable customer data
- Operate continuously on public-facing infrastructure
The flaw also underscores a broader trend: attackers are increasingly targeting third-party extensions and plugins, which often receive less scrutiny than core platform code.
Recent incidents involving Magento and Adobe Commerce ecosystems show that supply chain risks within plugin ecosystems remain one of the most overlooked attack vectors.
Conclusion
The Magento cache plugin vulnerability CVE-2026-45247 is a critical threat that demands immediate action. With unauthenticated remote code execution capabilities and widespread exposure, unpatched systems are highly susceptible to compromise.
For security teams, this is a clear reminder that application-layer vulnerabilities—especially in third-party plugins—must be monitored as closely as core infrastructure.
FAQ
What is CVE-2026-45247?
It is a critical vulnerability in the Mirasvit Cache Warmer plugin that allows remote code execution via PHP object injection.
Which Magento versions are affected?
All Magento and Adobe Commerce installations using Mirasvit Cache Warmer versions prior to 1.11.12 are vulnerable.
How does the attack work?
Attackers inject malicious serialized PHP objects through cookies, which are processed by the server and lead to code execution.
Is authentication required to exploit this vulnerability?
No, the attack is fully unauthenticated and can be executed remotely on public storefronts.
How can I detect exploitation attempts?
Look for suspicious cookies starting with CacheWarmer: followed by base64 strings beginning with Tz, Qz, or YT.