CVE-2026-45247 — Mirasvit Full Page Cache Warmer (Magento 2 / Adobe Commerce): unauthenticated PHP object-injection RCE, now in CISA KEV
From CTI Daily Brief — 2026-06-04 · published 2026-06-04
Versions below 1.11.12 pass the attacker-controlled CacheWarmer cookie to PHP's native unserialize() without restricting which classes may be instantiated, so a single unauthenticated request to any storefront page can carry a serialized object graph that triggers gadget chains in Magento's Laminas/Zend dependency tree and ends in remote code execution: "no authentication, no admin session and no config toggle required" (Sansec, 2026-05-26).

Timeline: Sansec discovered the flaw and shipped a detection rule on 2026-04-24 under coordinated disclosure; the vendor patch landed on 2026-05-25; Imperva has since observed active exploitation campaigns delivering base64-encoded serialized objects in the cookie (Imperva, 2026-05-29); CISA added the CVE to KEV on 2026-06-03.

Impact: successful exploitation yields code execution as the PHP worker and therefore access to the web root, which is enough for webshell persistence (ATT&CK T1505.003) and for reading .env / app/etc/env.php to steal database and integration credentials.

Fix: upgrade to 1.11.12 or later and confirm the installed module version on every deployed node. Interim: block or strip the CacheWarmer cookie at the WAF or reverse proxy, which may degrade the warmer's behaviour but removes the reachable unserialize() path. Check: search access and WAF logs for CacheWarmer cookie values containing serialized-object tokens (O: or C: followed by a length and a quoted class name, either raw or inside a base64 string); any hit dated before the patch was applied is a compromise indicator and warrants a webshell hunt in the web root and credential rotation.
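The vulnerable pattern beside its hardened form, plus the log/WAF check described above, as an added example written for this brief. It is not Mirasvit's code: the function names, the cookie handling and the sample payloads are all constructed here, and the only fact taken from the advisory is that the CacheWarmer cookie reaches unserialize() unrestricted. The hardened handler uses allowed_classes => false, which turns every O:/C: token into __PHP_Incomplete_Class so no real class's __wakeup/__destruct can fire, and then rejects such objects outright.

```php
<?php
// Illustrative reproduction of the pattern the advisory describes
// (NOT the extension's actual code): the cookie value goes straight into
// unserialize(), so any autoloadable class can be instantiated by the client.
function warmerStateUnsafe(array $cookies)
{
    $raw = $cookies['CacheWarmer'] ?? '';
    return unserialize($raw); // attacker-controlled, no class restriction
}

// Hardened form: object instantiation is refused at the parser level and any
// surviving placeholder object is treated as an attack rather than tolerated.
function warmerStateSafe(array $cookies): array
{
    $raw = $cookies['CacheWarmer'] ?? '';
    if ($raw === '' || strlen($raw) > 4096) { // arbitrary size cap, assumption
        return [];
    }
    $state = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($state)) {
        return [];
    }
    // array_walk_recursive descends arrays only, so an incomplete-class object
    // is always a leaf here and is caught wherever it is nested.
    array_walk_recursive($state, function ($v) {
        if ($v instanceof __PHP_Incomplete_Class) {
            throw new RuntimeException('serialized object in CacheWarmer cookie rejected');
        }
    });
    return $state;
}

// Detection helper for a WAF rule, reverse-proxy filter or log sweep: flags a
// cookie value carrying an object token (O:len:"Class":n:{ or C:len:"Class":n:{)
// raw, URL-encoded, or base64/base64url-encoded as Imperva reports in the wild.
function looksLikeSerializedObject(string $value): bool
{
    $pattern = '/[OC]:\d+:"[^"]+":\d+:\{/';
    if (preg_match($pattern, $value)) {
        return true;
    }
    $decoded = urldecode($value);
    if (preg_match($pattern, $decoded)) {
        return true;
    }
    // strict base64 decode: returns false for anything outside the alphabet,
    // so a benign serialized array (braces, quotes, colons) never decodes.
    $b64 = base64_decode(strtr($decoded, '-_', '+/'), true);
    return $b64 !== false && preg_match($pattern, $b64) === 1;
}

// Constructed samples (not captured payloads): a benign warmer state and a
// hostile cookie that nests an object inside an array and base64-encodes it.
$benign  = serialize(['pages' => ['/', '/checkout'], 'ts' => 1717459200]);
$hostile = base64_encode('a:1:{s:1:"x";O:8:"stdClass":1:{s:3:"cmd";s:2:"id";}}');

var_dump(looksLikeSerializedObject($benign));  // false
var_dump(looksLikeSerializedObject($hostile)); // true

var_dump(warmerStateSafe(['CacheWarmer' => $benign])); // the array above
try {
    warmerStateSafe(['CacheWarmer' => base64_decode($hostile)]);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL; // object rejected, nothing instantiated
}
```

The detector is deliberately pattern-based rather than a full serialized-data parser, so it is cheap enough to run on every request at the edge; the price is that a legitimate string value that happens to contain an object token will be flagged, which for this cookie is the right trade-off. The longer-term fix, beyond allowed_classes => false, is to stop serializing PHP values into client-controlled cookies at all and carry plain JSON (json_decode with assoc = true) instead.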