Vulnerability  ·  2026-06-04

KEV: CVE-2026-45247 (CVSS 9.8) — Mirasvit Full Page Cache Warmer Unauthenticated Deserialization/RCE Actively Exploited; Federal Deadline June 6

Vulnerability · High impact · Global · CVE-2026-45247
The Mirasvit Full Page Cache Warmer extension for Magento 2 / Adobe Commerce (all versions prior to 1.11.12) deserializes attacker-controlled PHP objects supplied in the CacheWarmer cookie on ordinary storefront HTTP requests. When exploitable gadget chains are present (typical in Magento environments), this allows unauthenticated remote code execution. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on 3 June 2026 after evidence of active in-the-wild exploitation, assigning a federal remediation deadline of 6 June 2026. Sansec estimates approximately 6,000 Magento stores are exposed.
Unauthenticated HTTP GET request to any public storefront page with a crafted CacheWarmer cookie containing a malicious serialised PHP object. No credentials, user interaction, or admin access required.
Mirasvit Full Page Cache Warmer for Magento 2 / Adobe Commerce, all versions prior to 1.11.12. Affects any internet-facing Magento 2 storefront with the extension installed.
Upgrade Mirasvit Full Page Cache Warmer to version 1.11.12 or later (patch released 25 May 2026). If upgrade is not immediately possible, temporarily disable or remove the extension, restrict storefront access via WAF rules targeting the CacheWarmer cookie, and monitor web application logs for unusual cookie values or unexpected server-side process spawning. Federal agencies must comply by 6 June 2026 per BOD 22-01.
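
One way to run the log-monitoring step above, as an added example that is not code from CISA, Sansec or Mirasvit: it flags requests whose CacheWarmer cookie decodes to a serialized PHP object marker. The tab-separated log layout, the function names and the encodings tried (URL-encoding, standard base64) are assumptions; the page does not state how the extension encodes the cookie.

```python
import base64
import re
from urllib.parse import quote, unquote

# PHP serialize() object markers: O:<len>:"Class":<count>:{ (C: for Serializable).
PHP_OBJECT = re.compile(r'(?:^|[;{])[OC]:\d+:"[A-Za-z_\\][\w\\]*":\d+:\{')
COOKIE = re.compile(r'(?:^|;\s*)CacheWarmer=([^;]*)')

def decoded_views(raw):
    """Return the raw cookie value plus its URL-decoded and base64-decoded forms."""
    views = []
    for value in (raw, unquote(raw)):
        views.append(value)
        try:
            padded = value + "=" * (-len(value) % 4)
            views.append(base64.b64decode(padded, validate=True).decode("latin-1"))
        except ValueError:  # not base64 (binascii.Error is a ValueError)
            pass
    return views

def is_suspicious(cookie_header):
    """True if the CacheWarmer cookie carries a serialized PHP object."""
    match = COOKIE.search(cookie_header)
    if not match:
        return False
    return any(PHP_OBJECT.search(v) for v in decoded_views(match.group(1)))

def scan(log_lines):
    """Return (client, request) per flagged line; assumed layout: client<TAB>request<TAB>cookies."""
    hits = []
    for line in log_lines:
        client, request, cookies = line.rstrip("\n").split("\t", 2)
        if is_suspicious(cookies):
            hits.append((client, request))
    return hits

# Constructed sample data; stdClass is a harmless placeholder class name.
_OBJ = 'O:8:"stdClass":0:{}'
SAMPLE_LOG = [
    "198.51.100.7\tGET / HTTP/1.1\tPHPSESSID=abc; CacheWarmer=1",
    "203.0.113.9\tGET /sale HTTP/1.1\tCacheWarmer=" + quote(_OBJ, safe=""),
    "203.0.113.10\tGET /cart HTTP/1.1\tCacheWarmer=" + base64.b64encode(_OBJ.encode()).decode(),
    "198.51.100.8\tGET /new HTTP/1.1\tfoo=bar",
]

if __name__ == "__main__":
    for client, request in scan(SAMPLE_LOG):
        print(f"ALERT {client} {request}")
```

Most default access-log formats do not record request cookies, so the Cookie header has to be added to the log format (or captured at the WAF or proxy) before a check like this has anything to inspect.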
Sources
CISA — Adds One Known Exploited Vulnerability to Catalog
NVD — CVE-2026-45247
Mirasvit changelog