Critical vulnerability in Mirasvit Cache Warmer for Magento

by Sansec Forensics Team

Published in Threat Research - May 26, 2026

Sansec found an unauthenticated PHP object injection flaw in Mirasvit Cache Warmer, a popular Magento full-page cache extension. A single crafted cookie on any storefront page can lead to remote code execution. Mirasvit has shipped a fix.

Sansec discovered an unauthenticated PHP object injection vulnerability in Mirasvit Cache Warmer, a full-page cache extension for Magento and Adobe Commerce. Any storefront request carrying a crafted CacheWarmer cookie reaches PHP's native unserialize() on attacker-controlled data, with no authentication, no admin session and no config toggle required. With a suitable gadget chain, this leads to remote code execution.

Mirasvit released a patched version (1.11.12) on May 25, 2026 and is asking all customers to update. Sansec has requested a CVE for this issue.

Sansec Shield customers have been protected since April 24, 2026, the day we found the flaw.

How the attack works

Mirasvit Cache Warmer pre-populates Magento's full-page cache for every "vary" state of a page (currency, customer group, and so on). To render a page as a specific visitor, the warmer packs the target session state into a cookie and sends it with each crawl request. On the server, a plugin reads that cookie and switches currency and customer session to match before rendering.

The plugin runs on every storefront request, not just on warmer traffic.

The extension deserializes part of the cookie value with PHP's native unserialize(), without restricting which classes may be instantiated (unserialize() takes an allowed_classes option for exactly this purpose; the safer design is to never pass client data to unserialize() at all and use a non-object format such as JSON). Because that value comes straight from the client, an attacker controls the objects PHP reconstructs, and with them the magic methods (__wakeup(), __destruct(), __toString() and so on) that run as those objects are built and torn down. This is PHP object injection (CWE-502). Combined with a gadget chain from classes that Magento and its dependencies already ship, object injection escalates to remote code execution.

Who is affected

All Mirasvit Cache Warmer versions before 1.11.12 are vulnerable. The extension is bundled with several Mirasvit packages, so many merchants run it without having installed it directly.

Sansec scans found roughly 6,000 stores running Mirasvit extensions. Real numbers are likely higher, since content delivery networks such as Cloudflare hide many installs from our fingerprinting.

Detection

The attack leaves a clear request signature. Look for storefront requests that carry a CacheWarmer cookie whose value contains the marker CacheWarmer: followed by a base64 string. Base64 preserves the leading bytes of serialized PHP data: an object (O:) encodes to a string starting with Tz, a custom-serialized object (C:) to Qz, and an array (a:) to YT. A CacheWarmer cookie value matching CacheWarmer:(Tz|Qz|YT) is therefore a strong indicator of an exploitation attempt; the array prefix matters because gadget objects are commonly nested inside an array. Two caveats: clients may URL-encode the cookie (: becomes %3A, = becomes %3D), so decode the value before matching, and the warmer's own crawl requests carry a CacheWarmer cookie by design, so confirm the source of a matching request before treating it as hostile.

Recommendations

  1. Update now: Upgrade Mirasvit Cache Warmer to 1.11.12 or later. See the Mirasvit changelog.
  2. Block attacks: Deploy Sansec Shield to block exploitation attempts in real time, including on stores that cannot patch immediately.
  3. Scan for compromise: Run eComscan to detect webshells, backdoors and other malware that an attacker may have planted.
  4. Check web-accessible directories: Review pub/ and other web-reachable folders for unexpected PHP files.

Timeline

Date            Event
April 24, 2026  Sansec discovers the vulnerability
April 24, 2026  Sansec Shield rule deployed
May 21, 2026    Mirasvit notified
May 25, 2026    Mirasvit releases patched version 1.11.12
May 26, 2026    This advisory published

Mirasvit responded fast, shipping a fix within days of our report. Merchants should update without delay: the flaw needs no authentication, fires on ordinary storefront traffic, and the request signature is trivial for attackers to automate once the patch reveals the fix.
