Today, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability (CVE-2026-45247) present in the popular 'Mirasvit Full Page Cache Warmer' plugin for Magento 2 to its 'Known Exploited Vulnerabilities (KEV) Catalog,' strongly recommending immediate remediation. This vulnerability is a PHP object injection flaw, allowing unauthenticated attackers to remotely execute arbitrary code, potentially leading to a complete compromise of the website.
Vulnerability Overview and Scope of Impact
CVE-2026-45247 is a critical PHP object injection vulnerability affecting versions of Mirasvit Full Page Cache Warmer for Magento 2 prior to 1.11.12. This issue stems from the insecure processing of specially crafted serialized PHP objects via the `CacheWarmer` cookie by PHP's `unserialize()` function.
Attackers can exploit gadget chains present in Magento and its dependencies to achieve Remote Code Execution (RCE), potentially gaining full control over the affected server. CISA has confirmed that this vulnerability is being actively exploited and requires federal agencies to remediate it by June 5, 2026.
Specific Impacts and Attack Scenarios
By exploiting this vulnerability, unauthenticated attackers can inject specially crafted PHP objects into the CacheWarmer cookie and execute arbitrary PHP code on the server. This could lead to devastating consequences such as website defacement, sensitive data theft, backdoor installation, and even complete server compromise. For Magento sites operating online stores, customer data breaches and business disruption would have severe impacts.
Immediate Actions for Engineers
The most crucial step is to immediately update the Mirasvit Full Page Cache Warmer plugin to version 1.11.12 or later. If an update is not immediately feasible, consider applying the temporary mitigation described below. The following is an example Nginx configuration that blocks malicious HTTP requests.
map $http_cookie $block_cachewarmer_cookie {
    "~*CacheWarmer=.*O:[0-9]+:.*" 1;
    default 0;
}

server {
    # ... other settings ...
    if ($block_cachewarmer_cookie = 1) {
        return 403;
    }
    # ... other settings ...
}

This Nginx configuration detects requests containing serialized PHP objects (matching the `O:[0-9]+:` pattern) within the `CacheWarmer` cookie and blocks them by returning a 403 Forbidden error. This is only a temporary mitigation, and applying the vendor-provided patch promptly is the permanent solution.
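The same check can be applied retrospectively to logs to find out whether a site was already probed before the block was in place. The script below is an added example written for this article, not code from Mirasvit, Magento or CISA. It reproduces the Nginx map's `O:[0-9]+:` test, but scopes it to the `CacheWarmer` cookie only (the Nginx regex also fires if the marker appears in any later cookie) and additionally checks the percent-decoded value, because `$http_cookie` holds the raw header and a payload sent as `O%3A8%3A...` would slip past the raw pattern. The tab-separated log format and all sample lines are constructed for the example; adapt `parse_log_line` to whatever custom `log_format` records the `Cookie` header on your server.

```python
import re
from urllib.parse import unquote

# Marker of a serialized PHP object, as used in the article's Nginx map.
SERIALIZED_OBJECT = re.compile(r"O:[0-9]+:")


def parse_cookie_header(header: str) -> dict:
    """Split a Cookie request header into a name -> value dict.

    A raw (non-encoded) serialized payload may itself contain ';', which
    splits it into fragments; the first fragment still carries the "O:<n>:"
    header, so detection is unaffected.  Browsers normally percent-encode
    such values anyway, which is why the caller also checks the decoded form.
    """
    cookies = {}
    for part in header.split(";"):
        if "=" not in part:
            continue
        name, _, value = part.strip().partition("=")
        cookies[name.strip()] = value.strip()
    return cookies


def is_suspicious_cachewarmer(cookie_header: str) -> bool:
    """Return True if the CacheWarmer cookie looks like a serialized PHP object."""
    value = parse_cookie_header(cookie_header).get("CacheWarmer")
    if value is None:
        return False
    # Test the raw value (what Nginx's $http_cookie sees) and the URL-decoded
    # value, so that a percent-encoded "O%3A8%3A" payload is not missed.
    return any(SERIALIZED_OBJECT.search(candidate) for candidate in (value, unquote(value)))


def parse_log_line(line: str):
    """Constructed format (hypothetical): client_ip <TAB> request_line <TAB> cookie_header."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 3:
        return None
    return fields[0], fields[1], fields[2]


def scan_log(lines):
    """Return (client_ip, request_line) for every line with a suspicious CacheWarmer cookie."""
    hits = []
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        client_ip, request_line, cookie_header = parsed
        if is_suspicious_cachewarmer(cookie_header):
            hits.append((client_ip, request_line))
    return hits


# Constructed sample log lines (documentation IP range 203.0.113.0/24).
LOG_LINES = [
    "203.0.113.10\tGET / HTTP/1.1\tPHPSESSID=abc123; CacheWarmer=1",
    '203.0.113.11\tGET /catalog HTTP/1.1\tCacheWarmer=O:8:"stdClass":0:{}',
    "203.0.113.12\tGET /checkout HTTP/1.1\tCacheWarmer=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D; lang=en",
    "203.0.113.13\tGET /about HTTP/1.1\tlang=en",
    "malformed line without tabs",
]

if __name__ == "__main__":
    for client_ip, request_line in scan_log(LOG_LINES):
        print(f"suspicious CacheWarmer cookie from {client_ip}: {request_line}")
```

Running it prints the two constructed hits (`203.0.113.11` and `203.0.113.12`); the percent-encoded one is exactly the case the raw Nginx regex would not catch, which is worth keeping in mind when judging how complete the temporary block is.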