ctipilot.ch

Mirasvit Full Page Cache Warmer (Magento 2) unauthenticated PHP object-injection RCE via CacheWarmer cookie; CISA KEV 2026-06-03, ITW from 2026-04-24; fix v1.11.12

cve · CVE-2026-45247

Coverage timeline
1
first 2026-06-04 → last 2026-06-04
Peak priority
high
1 high
Sources cited
2
2 hosts
Sections touched
1
trending-vulnerabilities
Co-occurring entities
0
no co-occurrence
ATT&CK techniques
1
pinned v19.1 · see below

ATT&CK techniques

1 technique observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Persistence TA0003

T1505.003Server Software Component: Web Shell×1

Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to access the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.

Evidence: 2026-06-04/cve-2026-45247-mirasvit-full-page-cache-warmer-magento-2-ado · ATT&CK page ↗

Story timeline

  1. 2026-06-04CVE-2026-45247 — Mirasvit Full Page Cache Warmer (Magento 2 / Adobe Commerce): unauthenticated PHP object-injection RCE, now in CISA KEV
    trending-vulnerabilities

Where this entity is cited

  • trending-vulnerabilities1

Source distribution

  • imperva.com1 (50%)
  • sansec.io1 (50%)

explore in graph

Entries about Mirasvit Full Page Cache Warmer (Magento 2) unauthenticated PHP object-injection RCE via CacheWarmer cookie; CISA KEV 2026-06-03, ITW from 2026-04-24; fix v1.11.12 (1)

2026-06-04 · view entry permalink →

HIGHCVE-2026-45247exploited

CVE-2026-45247 — Mirasvit Full Page Cache Warmer (Magento 2 / Adobe Commerce): unauthenticated PHP object-injection RCE, now in CISA KEV

Versions below 1.11.12 pass the attacker-controlled CacheWarmer cookie to PHP's native unserialize() without restricting instantiable classes, letting an unauthenticated attacker trigger gadget chains in Magento's Laminas/Zend dependency tree for remote code execution from any storefront page — "no authentication, no admin session and no config toggle required" (Sansec, 2026-05-26). Sansec discovered the flaw and shipped a detection rule on 24 April under coordinated disclosure (patch 25 May); Imperva has since observed active exploitation campaigns delivering base64-encoded serialized objects (Imperva, 2026-05-29). CISA added it to KEV on 2026-06-03. Successful exploitation yields web-root access for webshell persistence (T1505.003) and .env / config/env.php credential theft. Fix: upgrade to ≥1.11.12; interim, block or sanitise the CacheWarmer cookie at the WAF/reverse proxy.

no authentication, no admin session and no config toggle required

Sansec
vulnerability04 Jun 05:00Zmulti-sourceOpen finding ↗
Sources: Sansec · Imperva