[CDP-development] TLP:GREEN (Vulnerability Alert Notification) : CVE-2026-45247: Unauthenticated Remote Code Execution via PHP Object Injection

ESO_SOC * DAS ESO.SOC at das.oregon.gov
Wed Jun 3 11:55:00 PDT 2026


Good morning,

The State of Oregon SOC Services Team is reporting on vulnerability CVE-2026-45247, which affects the Mirasvit Full Page Cache Warmer for Magento 2 endpoint management server configuration and agent updates. Because of its high visibility, we are providing the following in-depth information:

History: On May 26, 2026, the vulnerability was publicly disclosed by researchers at Sansec. The CVSS v3.x base score is 9.8 (CRITICAL) as assigned by VulnCheck.
Affected Versions

  *   All versions prior to 1.11.12.

Fixed Versions

  *   1.11.12.

Vendor Advisory: Mirasvit Cache Warmer Changelog <https://mirasvit.com/package/changelog/?package=mirasvit/module-cache-warmer>

Intelligence: On June 3, 2026, CISA confirmed the vulnerability in the Known Exploited Vulnerabilities Catalog.

Exploitability: Network
Complexity: Low
User Interaction: None
Remotely Exploitable: Yes
Proof of Concept: Publicly available exploits circulating
Zero Day: No

Workarounds: Remove or disable the 'Mirasvit_CacheWarmer' module if it is not strictly necessary; implement Web Application Firewall (WAF) rules to block or inspect HTTP requests whose 'CacheWarmer' cookie contains base64-encoded serialized objects.
How it Works: The vulnerability is an Insecure Deserialization flaw (CWE-502). An attacker crafts a malicious PHP serialized object, base64-encodes it, and sets it as the 'CacheWarmer' cookie in a standard HTTP request to the Magento storefront. When the server processes this cookie, the application calls unserialize() on the untrusted input. By using existing 'gadget chains' (classes already present in Magento's codebase that perform dangerous operations on destruction or wakeup), the attacker can chain these operations to execute arbitrary system commands.
Post-Exploit Impact:

  *   Full server compromise and arbitrary command execution (CWE-502: Deserialization of Untrusted Data).

Indicators of Compromise (IoCs):

  Type:                HTTP Cookie
  Value:               CacheWarmer
  Description / Notes: Suspicious, base64-encoded serialized PHP object strings observed in this cookie field.
  Source:              Imperva Research
Tenable Plugins:

As of June 3, 2026, Tenable has not announced any plugins for this vulnerability.

Recommended Actions:

Date Added to KEV Catalog: June 3, 2026
Due Date for Remediation: June 6, 2026

  *   Immediate update of Mirasvit Full Page Cache Warmer to version 1.11.12.
  *   Hunt for IoCs (suspicious CacheWarmer cookie patterns) in historical access logs.
  *   Verify that the host has not been compromised before applying patches.
  *   Apply appropriate updates provided by the vendor to vulnerable systems after testing.
  *   Run all software as a non-privileged user to reduce the impact of a successful attack.
  *   Apply the Principle of Least Privilege to all systems and services.
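The following script is an added example for this notification; it is not code from Mirasvit, Magento, Imperva or Tenable. It implements the two defensive checks the advisory describes: the WAF-style test for a 'CacheWarmer' cookie that base64-decodes to a serialized PHP object (the O:/C: tokens that unserialize() turns into instances), and the log hunt over historical access logs. Assumptions, all constructed for illustration: the access log is an Apache/nginx combined format extended with the request Cookie header as the final quoted field (Apache "%{Cookie}i"), and the class name "PlaceholderObj" in the sample payload is a stand-in, not a real Magento class.

```python
"""Hunt for PHP object injection attempts carried in the 'CacheWarmer' cookie.

Added example, not vendor code. Assumed log format: combined log plus a final
quoted Cookie-header field. "PlaceholderObj" is a constructed stand-in class.
"""
from __future__ import annotations

import base64
import binascii
import re
from dataclasses import dataclass, field

COOKIE_NAME = "CacheWarmer"

# O:<len>:"<Class>":<nprops>:{  is a serialized PHP object; PHP tolerates an
# optional leading '+' in the length, so accept it rather than be bypassed.
PHP_OBJECT_RE = re.compile(rb'O:\+?\d+:"([A-Za-z0-9_\\]+)":\+?\d+:\{')
# C:<len>:"<Class>":<datalen>:{  is a Serializable-interface object, also instantiated.
PHP_CUSTOM_RE = re.compile(rb'C:\+?\d+:"([A-Za-z0-9_\\]+)":\+?\d+:\{')

# client ident user [ts] "request" status bytes "referer" "user-agent" "cookies"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<cookies>[^"]*)"$'
)


@dataclass
class Finding:
    line_no: int
    client: str
    request: str
    classes: list[str] = field(default_factory=list)


def cookie_value(cookie_header: str, name: str) -> str | None:
    """Return the raw value of cookie `name` from a Cookie header, or None."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def decode_base64(value: str) -> bytes | None:
    """Lenient decode: URL-encoded '=' padding, URL-safe alphabet, missing
    padding. Returns None when the value is not base64 at all."""
    value = value.replace("%3D", "=").replace("%3d", "=")
    value = value.replace("-", "+").replace("_", "/")
    value += "=" * (-len(value) % 4)
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def serialized_classes(blob: bytes) -> list[str]:
    """Class names unserialize() would instantiate from this blob. Scalars and
    arrays (s:, i:, a:) carry no object token and yield an empty list."""
    names = [m.group(1).decode("ascii", "replace") for m in PHP_OBJECT_RE.finditer(blob)]
    names += [m.group(1).decode("ascii", "replace") for m in PHP_CUSTOM_RE.finditer(blob)]
    return names


def suspicious_classes(raw_cookie_value: str) -> list[str]:
    """WAF-style check on one cookie value: a non-empty result means the cookie
    carries a serialized PHP object and the request should be blocked or alerted."""
    blob = decode_base64(raw_cookie_value)
    return serialized_classes(blob) if blob is not None else []


def hunt(log_lines: list[str]) -> list[Finding]:
    """Report every log line whose CacheWarmer cookie decodes to a PHP object."""
    findings: list[Finding] = []
    for no, line in enumerate(log_lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # different log format; skip rather than guess
        value = cookie_value(m["cookies"], COOKIE_NAME)
        if value is None:
            continue
        classes = suspicious_classes(value)
        if classes:
            findings.append(Finding(no, m["client"], m["request"], classes))
    return findings


# ---- constructed sample data (not captured traffic) -----------------------
def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()

BENIGN_ARRAY = b'a:1:{s:3:"foo";s:3:"bar";}'                 # array, no object token
OBJECT_PAYLOAD = b'O:14:"PlaceholderObj":1:{s:1:"x";i:1;}'   # constructed stand-in class

SAMPLE_LOG = [
    '198.51.100.7 - - [03/Jun/2026:09:12:01 -0700] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" '
    '"PHPSESSID=abc; ' + COOKIE_NAME + '=' + _b64(BENIGN_ARRAY) + '"',
    '198.51.100.8 - - [03/Jun/2026:09:12:03 -0700] "GET /customer/account/ HTTP/1.1" 200 7710 "-" "Mozilla/5.0" '
    '"PHPSESSID=def"',
    '203.0.113.45 - - [03/Jun/2026:09:12:05 -0700] "GET /catalog/category/view/id/7 HTTP/1.1" 200 18231 "-" "curl/8.4.0" '
    '"' + COOKIE_NAME + '=' + _b64(OBJECT_PAYLOAD).replace("=", "%3D") + '"',
    '198.51.100.9 - - [03/Jun/2026:09:12:09 -0700] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" '
    '"' + COOKIE_NAME + '=1"',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client} {f.request!r} -> object classes {f.classes}")
```

Run against real logs by replacing SAMPLE_LOG with the file's lines; if the log format lacks the Cookie field, adjust LOG_RE first, since unparsable lines are skipped silently. The class names reported are the hunting lead: a legitimate cookie value should never decode to a PHP object at all, so any hit is worth triage regardless of the class seen.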
