CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 01, 2026

Critical Magento Cache Plugin Vulnerability Enables Remote Code Execution Attacks

Cybersecurity News Archived Jun 01, 2026 ✓ Full text saved

A critical security vulnerability has been discovered in a widely used Magento caching plugin that allows attackers to remotely execute malicious code with no login, configuration changes, or admin access required. Security researchers at Sansec uncovered an unauthenticated PHP object injection flaw in Mirasvit Cache Warmer, a full-page cache extension used by thousands of Magento and […] The post Critical Magento Cache Plugin Vulnerability Enables Remote Code Execution Attacks appeared first on

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News Critical Magento Cache Plugin Vulnerability Enables Remote Code Execution Attacks By Abinaya June 1, 2026 A critical security vulnerability has been discovered in a widely used Magento caching plugin that allows attackers to remotely execute malicious code with no login, configuration changes, or admin access required. Security researchers at Sansec uncovered an unauthenticated PHP object injection flaw in Mirasvit Cache Warmer, a full-page cache extension used by thousands of Magento and Adobe Commerce storefronts. The vulnerability, tracked as CVE-2026-45247, carries a maximum-severity CVSS score of 9.8 (Critical). Magento Cache Plugin Vulnerability Mirasvit Cache Warmer is designed to preload cached versions of store pages for different visitor types, varying by currency, customer group, and other session states. To do this, it packs session details into a cookie and sends them with each crawl request. On the server side, a plugin reads that cookie and adjusts the session accordingly before rendering the page. The critical problem: the plugin passes part of that cookie value directly to PHP’s native unserialize() function, with no class restrictions and no authentication checks. Because the cookie value is entirely client-side, an attacker can craft it to inject arbitrary PHP objects. This is known as PHP Object Injection (CWE-502). When combined with a gadget chain, malicious logic built from classes already bundled within Magento and its dependencies, this object injection escalates directly into Remote Code Execution (RCE). The attack fires on every storefront request, not just internal cache-warming traffic, making any public-facing Magento store a potential target. All versions of Mirasvit Cache Warmer before 1.11.12 are vulnerable. The extension ships bundled inside several other Mirasvit packages, meaning many merchants may be running it without realizing it. Sansec’s scanning found approximately 6,000 stores running Mirasvit extensions, with the actual number likely far higher, as CDNs like Cloudflare mask many installations from external fingerprinting. The exploit leaves a recognizable trail in web logs. Security teams should watch for storefront requests carrying a CacheWarmer cookie whose value begins with CacheWarmer: followed by a base64 string. Serialized PHP objects typically base64-encode to strings starting with Tz, Qz, or YT — making the pattern CacheWarmer:(Tz|Qz|YT) a strong indicator of an active exploitation attempt. Mitigations Mirasvit released the patched version 1.11.12 on May 25, 2026, within days of being notified. Store owners should act immediately: Update now:  Upgrade Mirasvit Cache Warmer to version 1.11.12 or later. Block attacks: Deploy a web application firewall capable of blocking serialization-based exploit attempts. Scan for compromise: Check for webshells, backdoors, or unexpected PHP files in pub/ and other web-accessible directories. Audit installed packages: Confirm whether Cache Warmer is bundled inside other Mirasvit modules on your store. Sansec’s Shield customers were already protected from April 24, 2026, the same day the flaw was discovered. The CVE was formally assigned on May 26, 2026. Given that exploitation requires zero authentication and can be fully automated, unpatched stores remain at serious risk of full server compromise. Free Webinar on OWASP API Top 10 and Guide to Close Visibility Gaps With WAAP Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Abinayahttps://cybersecuritynews.com/ Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space. Trending News Windows Netlogon 0-Click RCE Vulnerability Now Actively Exploited In The Wild SideCopy Hackers Deploy Persistent XenoRAT Malware to Target Afghanistan Finance Ministry Legitimate-Looking Codex Remote UI Steals OpenAI Codex Authentication Tokens BIND 9 Software Vulnerabilities Exposes Resolvers and Authoritative Servers to Remote Exploits Russian Hacker Used Jailbroken Gemini to Steal Admin Credentials and Drain Crypto Wallets Latest News Cyber Security News Android Banking Trojan OverlayPhantom Abuses Accessibility Service to Control Devices Cyber Security Microsoft Office for the Web and Teams Hit by File Access Outage Cyber Security News Attackers Abuse Docker and Kubernetes Misconfigurations to Compromise Host Systems Cyber Security News SmartApeSG Campaign Uses ClickFix Scripts to Infect Windows Hosts With RAT Malware Cyber Attack News Multiple Red Hat Cloud Services npm Packages Compromised to Deploy Credential-Stealing Malware
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 01, 2026
    Archived
    Jun 01, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗