
Mirasvit Magento Full Page Cache Warmer PHP Object Injection Under Active Exploitation (CVE-2026-45247)

Scope: Mirasvit Full Page Cache Warmer for Magento 2 / Adobe Commerce (Versions Prior to 1.11.12)

Severity: Red

A critical PHP object injection vulnerability (CVSS 9.8) in Mirasvit's Full Page Cache Warmer extension for Magento 2 / Adobe Commerce passes part of the attacker-controlled CacheWarmer cookie straight to PHP's native unserialize() function without any validation. Because the cookie is read on every storefront page, an unauthenticated attacker can reach the unserialize() call with a single crafted HTTP GET request and achieve remote code execution through gadget chains in Magento's Zend and Symfony dependencies.

Imperva has confirmed active exploitation attempts carrying base64-encoded serialized PHP objects that target Monolog-based gadget chains to execute arbitrary system commands. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on June 3, 2026, with a federal agency remediation deadline of June 6.

Organizations must update to Mirasvit Cache Warmer 1.11.12 or later immediately via composer update mirasvit/module-cache-warmer, followed by a Magento cache flush. Where patching is not immediately possible, deploy WAF rules that block requests whose CacheWarmer cookie value begins with Tz, Qz, or YT: these are the base64 encodings of the PHP serialization markers O: (object), C: (custom-serialized object), and a: (array), so matching on them catches the encoded payload before the application decodes it. Treat the WAF rule as a stopgap only; it does not remove the unsafe unserialize() call, and only the patched version does. Regardless of patch status, scan the web root for web shells or unauthorized PHP files that would indicate prior compromise.
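As an added example (not code from Mirasvit, Imperva, CISA or CERT.UG), the following Python implements the cookie check described above. It reproduces the prefix heuristic the advisory gives for WAF rules and then confirms a hit by base64-decoding the cookie and matching the PHP serialization header, listing every class name the payload references without ever deserializing it. The cookie name CacheWarmer and the three serialization markers come from the advisory; the function names, the sample requests and the verdict fields are constructed for illustration.

```python
"""Triage of CacheWarmer cookie values for base64-encoded PHP serialized payloads.

Added example for this advisory, not code from Mirasvit, Imperva or CERT.UG.
It applies the advisory's WAF heuristic (base64 prefixes Tz, Qz, YT) and then
confirms the hit by decoding and pattern-matching the bytes, so an analyst can
see which PHP classes a payload references without ever deserializing it.
"""
import base64
import binascii
import re
from typing import Dict, Optional
from urllib.parse import quote, unquote

COOKIE_NAME = "CacheWarmer"

# base64 of the first two bytes of a PHP serialized object ("O:"),
# custom-serialized object ("C:") and array ("a:"), as named in the advisory.
B64_MARKERS: Dict[str, str] = {"Tz": "O:", "Qz": "C:", "YT": "a:"}

# Header shape of a PHP serialized object/array, checked on the decoded bytes.
SERIALIZED_HEADER = re.compile(rb'^(?:[OC]:\d+:"[^"]+"|a:\d+:\{)')
# Every class name referenced anywhere in the payload (nested objects included).
CLASS_NAME = re.compile(rb'[OC]:\d+:"([^"]+)"')


def cookie_value(cookie_header: str, name: str = COOKIE_NAME) -> Optional[str]:
    """Return the URL-decoded value of `name` from a raw Cookie header, or None."""
    for part in cookie_header.split(";"):
        key, _, val = part.strip().partition("=")
        if key == name:
            return unquote(val)
    return None


def decode_b64(value: str) -> Optional[bytes]:
    """Decode base64 leniently (restores stripped padding); None if not base64."""
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify(value: Optional[str]) -> Dict[str, object]:
    """Classify one CacheWarmer value.

    prefix_hit - what the advisory's prefix-only WAF rule would block
    suspicious - prefix hit AND the decoded bytes really carry a PHP serialized
                 object/array header (fewer false positives than prefix alone)
    classes    - class names found in the payload, for IR triage (e.g. to spot
                 the Monolog classes the advisory mentions)
    """
    verdict: Dict[str, object] = {
        "prefix_hit": False, "suspicious": False, "marker": None, "classes": []
    }
    if not value or value[:2] not in B64_MARKERS:
        return verdict
    verdict["prefix_hit"] = True
    verdict["marker"] = B64_MARKERS[value[:2]]
    raw = decode_b64(value)
    if raw is None or not SERIALIZED_HEADER.match(raw):
        return verdict  # e.g. an opaque token that merely starts with "YT"
    verdict["suspicious"] = True
    verdict["classes"] = sorted(
        {c.decode("latin-1") for c in CLASS_NAME.findall(raw)}
    )
    return verdict


def triage_request(cookie_header: str) -> Dict[str, object]:
    """WAF-style decision for one request: block iff the cookie is suspicious."""
    verdict = classify(cookie_value(cookie_header))
    verdict["block"] = verdict["suspicious"]
    return verdict


# Constructed sample requests (not captured traffic). The "malicious" one carries
# a harmless serialized stdClass, enough to exercise the detector; a real gadget
# chain would show library class names in `classes` instead.
BENIGN = "PHPSESSID=0f3a9c; CacheWarmer=1; store=default"
OBJECT_PAYLOAD = base64.b64encode(b'O:8:"stdClass":0:{}').decode()
MALICIOUS = f"CacheWarmer={quote(OBJECT_PAYLOAD, safe='')}; store=default"
ARRAY_PAYLOAD = base64.b64encode(b'a:1:{i:0;s:1:"x";}').decode()
PREFIX_ONLY = "CacheWarmer=YTtoken123"  # starts with "YT" but is not serialized data

if __name__ == "__main__":
    for label, hdr in (("benign", BENIGN), ("object", MALICIOUS),
                       ("array", f"CacheWarmer={ARRAY_PAYLOAD}"),
                       ("prefix-only", PREFIX_ONLY)):
        print(f"{label:12} {triage_request(hdr)}")
```

Run it against proxy or WAF logs that record the Cookie header (standard access logs usually do not). The `prefix_hit` field shows what the advisory's prefix-only rule blocks, including an opaque value that happens to start with YT; the decoded check behind `suspicious` removes that false positive and also works when the cookie arrives URL-encoded. The `classes` list is the first thing to hand to incident response, since it names the libraries a gadget chain leans on without ever executing it.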

The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.