🚨 CRITICAL ALERT: Active Zero-Day Exploits
CVE-2026-45247 is a critical unauthenticated remote code execution vulnerability in Mirasvit Full Page Cache Warmer for Magento 2, with a CVSS 9.8 score and CISA KEV listing indicating active exploitation in the wild.[2][3][1] Attackers can send a crafted serialized PHP object through the CacheWarmer cookie to trigger PHP object injection and execute arbitrary code on affected Magento and Adobe Commerce servers.[2][3][8]
Critical Vulnerabilities (CVSS >= 8.0)
- CVE-2026-45247 (CVSS: 9.8): Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection flaw caused by an unrestricted call to PHP’s native `unserialize()` function. An unauthenticated attacker can supply a crafted serialized PHP object in the `CacheWarmer` cookie and leverage gadget chains in Magento and its dependencies to achieve remote code execution. This vulnerability is listed in CISA KEV and should be treated as actively exploited.
⚡ Immediate Actions Required
Patch immediately by upgrading Mirasvit Full Page Cache Warmer to version 1.11.12 or later, and verify whether the extension is present through bundled Mirasvit packages as well as direct installs.[2][3][8] Until remediation is complete, inspect web logs for suspicious CacheWarmer cookie values, isolate exposed storefront systems, and assume compromise if unknown serialized payloads or unexpected command execution are detected.[2][6][8] Because this issue is unauthenticated and already in CISA KEV, prioritize emergency remediation on any internet-facing Magento or Adobe Commerce environment immediately.[1][2][3]
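
One way to run the log inspection described above, as an added example that is not part of the original alert or of any Mirasvit or Magento code. It assumes the access log has been configured to record the request Cookie header as a final quoted field (default web server formats do not log cookies) and that the value may arrive URL-encoded or base64-encoded; the function names and the sample log lines are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote

# PHP serialize() object markers: O:<len>:"Class":<n>:{ or C:<len>:"Class":<len>:{
# at the start of the value or nested after ';' or '{'.
PHP_OBJECT = re.compile(r'(?:^|[;{])[OC]:\d+:"[^"]+":\d+:\{')
# The CacheWarmer cookie as it appears in a logged Cookie header.
COOKIE = re.compile(r'(?:^|[;\s"])CacheWarmer=([^;"\s]*)')

def candidate_decodings(raw):
    """Return the raw value plus its URL-decoded and base64-decoded forms."""
    url = unquote(raw)
    forms = {raw, url}
    try:
        padded = url + "=" * (-len(url) % 4)
        forms.add(base64.b64decode(padded, validate=True).decode("utf-8", "replace"))
    except (binascii.Error, ValueError):
        pass  # not base64; keep the other forms
    return forms

def has_serialized_object(value):
    return any(PHP_OBJECT.search(form) for form in candidate_decodings(value))

def scan(lines):
    """Return (line number, client address) for each suspicious request."""
    hits = []
    for number, line in enumerate(lines, 1):
        if any(has_serialized_object(m.group(1)) for m in COOKIE.finditer(line)):
            hits.append((number, line.split()[0]))
    return hits

# Constructed sample data: a harmless object with no gadget chain, documentation IPs.
_OBJ = 'O:8:"stdClass":0:{}'
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2026:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "CacheWarmer=1; PHPSESSID=abc"',
    '198.51.100.7 - - [01/Jan/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "CacheWarmer=%s"' % quote(_OBJ, safe=""),
    '203.0.113.5 - - [01/Jan/2026:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "PHPSESSID=x; CacheWarmer=%s"'
    % base64.b64encode(_OBJ.encode()).decode(),
]

if __name__ == "__main__":
    for number, client in scan(SAMPLE_LOG):
        print(f"line {number}: serialized PHP object in CacheWarmer cookie from {client}")
```

A hit marks a request to investigate rather than proof of compromise, and a clean result does not rule out exploitation if cookies were not logged during the exposure window.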

