🔴 Critical · CWE-502 · Patch now

Mirasvit Cache Warmer RCE: patch your Magento store today

A single crafted cookie can run arbitrary code on your server. If you use any Mirasvit extension, you may be exposed — even if you never installed Cache Warmer directly. I audit, upgrade and verify your store the same day.

Source: Sansec research, May 2026 — Mirasvit Cache Warmer object injection. Patched in version 1.11.12.

  • Severity: Critical (object injection → RCE)
  • Authentication: none required (no admin login needed)
  • Exposure: ~6,000 stores detected at risk
  • Trigger: a single cookie is enough to exploit

What is the vulnerability?

Mirasvit Cache Warmer — a popular full-page-cache warmer for Magento 2 and Adobe Commerce — passes the value of a CacheWarmer cookie to PHP's native unserialize() without restricting which classes may be instantiated (the allowed_classes option). Because the cookie comes from the client, an attacker chooses which autoloadable classes are instantiated and with what property values, and their magic methods (__wakeup(), __destruct() and similar) run on attacker-shaped state. Combined with known Magento gadget chains, that escalates to remote code execution.

Bottom line: a single crafted cookie on ordinary storefront traffic — no admin session, no login — can run any code on your server. It is a PHP object injection flaw (CWE-502).
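To make the flaw concrete, here is an added illustration of the generic pattern the advisory describes, beside its hardened form. This is not Mirasvit's code and says nothing about how their fix is implemented; the cookie name comes from the advisory, while the GadgetStandIn class, the helper names and the JSON alternative are inventions for the demo (PHP 7.4+).

```php
<?php
// Illustrative only, NOT Mirasvit's code: the generic pattern (unserialize()
// on a client-supplied cookie) beside the hardened form. Only the cookie name
// "CacheWarmer" comes from the advisory; the class and helper names are made up.

// Stand-in for any gadget class whose magic method does work on unserialize.
// Real chains use classes Magento already loads; this one just records a hit.
final class GadgetStandIn
{
    public static int $wakeups = 0;
    public string $cmd = '';

    public function __wakeup(): void
    {
        self::$wakeups++;          // attacker-triggered code path
    }
}

// Vulnerable pattern: whatever the client sent becomes live objects.
function readCookieVulnerable(string $rawCookie)
{
    return @unserialize(base64_decode($rawCookie));
}

// Hardened pattern: allowed_classes => false turns every object token into
// __PHP_Incomplete_Class, so no constructor, __wakeup() or __destruct() runs.
function readCookieHardened(string $rawCookie)
{
    $data = base64_decode($rawCookie, true);   // strict decode: reject junk early
    if ($data === false) {
        return null;
    }
    return @unserialize($data, ['allowed_classes' => false]);
}

// Better still: never put serialized PHP in a cookie. A JSON document reduced
// to an allow-list of scalar keys cannot instantiate anything.
function readCookieJson(string $rawCookie): array
{
    $value = json_decode($rawCookie, true, 2);
    return is_array($value) ? array_intersect_key($value, ['warmed' => 1, 'ts' => 1]) : [];
}

// Constructed attacker cookie: a serialized GadgetStandIn object. The base64
// text starts with "Tz" because the plaintext starts with "O:" (object token).
$payload = base64_encode(serialize(new GadgetStandIn()));

GadgetStandIn::$wakeups = 0;
readCookieVulnerable($payload);
echo "vulnerable: __wakeup ran " . GadgetStandIn::$wakeups . " time(s)\n";

GadgetStandIn::$wakeups = 0;
$obj = readCookieHardened($payload);
echo "hardened:   __wakeup ran " . GadgetStandIn::$wakeups . " time(s), got "
    . get_class($obj) . "\n";
```

Run it with `php demo.php`: the vulnerable path reports one __wakeup() call, the hardened path reports zero and hands back a __PHP_Incomplete_Class. That is the whole point of the allowed_classes option, and why moving the cookie to JSON removes the class of bug entirely rather than just this instance.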

Mirasvit responded quickly and shipped a fix in Cache Warmer 1.11.12 (released 25 May 2026). A CVE has been requested but is not yet assigned. Updating is urgent.

You might be running it without knowing

Cache Warmer ships bundled inside several Mirasvit packages. So even if you never installed “Cache Warmer” on purpose, another Mirasvit extension may have pulled it in — which is exactly why ~6,000 stores are exposed.

How to tell if you’re affected

  • You run any Mirasvit extension and your Cache Warmer version is below 1.11.12.
  • Your access logs show storefront requests carrying a CacheWarmer cookie whose value contains the marker CacheWarmer: followed by a base64 string starting with Tz, Qz or YT — the base64 encodings of the PHP serialize() prefixes O: (object), C: (custom-serialized object) and a: (array). That is a sign of attempted exploitation. Note that the cookie is only visible in access logs if your log format records the Cookie request header; if it does not, check your CDN, WAF or proxy logs instead.
  • Not sure what you have installed? That uncertainty is the risk — I’ll check your composer.lock and module list in minutes.

How I fix it — fast, today

Audit your stack

I check your installed Mirasvit packages and composer.lock for Cache Warmer — including bundled copies you didn’t install directly.

Upgrade to 1.11.12+

Patch Cache Warmer to the fixed release with a tested deploy (composer update, setup:upgrade, di:compile, static-content deploy, cache flush), sequenced so any maintenance window is kept to a minimum.

Scan for exploitation

Grep access logs and the database for the exploit cookie marker and other indicators of compromise — to confirm whether anyone already tried.

Clean up if needed

If there are signs of compromise, I remove backdoors and harden the store — see my Magento malware removal service.

Verify & harden

Confirm the patch is live, re-test, and tighten the store with a full security audit so the next disclosure doesn’t catch you out.
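As an added example serving both the “How to tell if you’re affected” checklist and the audit and scan steps above, the script below answers the two checkable questions in one file: does composer.lock pin Cache Warmer below 1.11.12, and do any access-log lines carry the exploit cookie marker. It is not the author's tooling. The composer package name mirasvit/module-cache-warmer is an assumption (confirm it against your own lock file), and the composer.lock content and log lines are constructed for the demo. It also goes one step beyond the page's regex by decoding the base64 and distinguishing payloads that carry an object token (the RCE-relevant case) from plain serialized arrays.

```php
<?php
// Added example, not the author's tooling. Two checks in one file:
// (1) is composer.lock pinning Cache Warmer below the fixed release,
// (2) do access-log lines carry a CacheWarmer cookie with a base64 serialize() payload.
// ASSUMPTION: the composer package name below; verify against your own lock file.
// The lock file content and log lines further down are constructed for the demo.

const FIXED_VERSION   = '1.11.12';
const ASSUMED_PACKAGE = 'mirasvit/module-cache-warmer';   // assumption, see above

// (1) Audit: installed version of the package, or null if it is absent.
function cacheWarmerVersion(string $composerLockJson, string $package = ASSUMED_PACKAGE): ?string
{
    $lock = json_decode($composerLockJson, true) ?: [];
    foreach (array_merge($lock['packages'] ?? [], $lock['packages-dev'] ?? []) as $pkg) {
        if (($pkg['name'] ?? '') === $package) {
            return ltrim((string) $pkg['version'], 'v');
        }
    }
    return null;
}

function isVulnerableVersion(?string $version): bool
{
    return $version !== null && version_compare($version, FIXED_VERSION, '<');
}

// (2) Log scan. The marker from the advisory: "CacheWarmer:" followed by base64
// beginning Tz / Qz / YT, i.e. base64("O:"), base64("C:"), base64("a:"), the
// serialize() prefixes for objects, custom-serialized objects and arrays.
const COOKIE_RE = '/CacheWarmer:((?:Tz|Qz|YT)[A-Za-z0-9+\/]*={0,2})/';

// Classify one line: 'object' if the decoded payload carries an object token,
// 'array' if it is only a serialized array, 'malformed' if base64 is broken,
// null if the line does not carry the marker at all.
function classifyLogLine(string $line): ?array
{
    if (!preg_match(COOKIE_RE, $line, $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);
    if ($decoded === false) {
        return ['level' => 'malformed', 'payload' => $m[1]];
    }
    // Object tokens look like O:<len>:"Class" or C:<len>:"Class"; an array (a:)
    // may nest one, so search the whole payload, not just its first bytes.
    $hasObject = (bool) preg_match('/(?:^|[;{])[OC]:\d+:"/', $decoded);
    return ['level' => $hasObject ? 'object' : 'array', 'payload' => $decoded];
}

// Returns [lineNumber => classification] for every line carrying the marker.
function scanLog(iterable $lines): array
{
    $hits = [];
    foreach ($lines as $n => $line) {
        if (($hit = classifyLogLine($line)) !== null) {
            $hits[$n + 1] = $hit;
        }
    }
    return $hits;
}

// ---- demo on constructed input ------------------------------------------
$composerLock = json_encode(['packages' => [
    ['name' => ASSUMED_PACKAGE, 'version' => '1.11.9'],
    ['name' => 'magento/product-community-edition', 'version' => '2.4.7'],
]]);
$v = cacheWarmerVersion($composerLock);
printf("Cache Warmer %s -> %s\n", $v ?? 'not installed',
    isVulnerableVersion($v) ? 'VULNERABLE, upgrade to ' . FIXED_VERSION : 'ok');

// Constructed nginx-style lines with the Cookie header logged as the last field.
$objectCookie = base64_encode('O:8:"stdClass":1:{s:1:"x";i:1;}');   // begins "Tz"
$arrayCookie  = base64_encode('a:1:{i:0;s:4:"home";}');              // begins "YT"
$log = [
    '203.0.113.7 - - [25/May/2026:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" "CacheWarmer=CacheWarmer:' . $objectCookie . '"',
    '198.51.100.3 - - [25/May/2026:10:01:05 +0000] "GET /men.html HTTP/1.1" 200 9182 "-" "Mozilla/5.0" "PHPSESSID=abc123"',
    '203.0.113.9 - - [25/May/2026:10:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.0" "CacheWarmer=CacheWarmer:' . $arrayCookie . '"',
];
foreach (scanLog($log) as $lineNo => $hit) {
    printf("line %d: %-9s %s\n", $lineNo, $hit['level'], substr($hit['payload'], 0, 40));
}
```

On a real store, feed cacheWarmerVersion() the contents of composer.lock and scanLog() a stream from `file()` or a gzip-aware reader over the rotated access logs. Treat any 'object' hit as a confirmed exploitation attempt from that client IP at that timestamp and pivot into the compromise scan; an 'array' hit still deserves a look, since the same code path was being probed.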

Get patched today

Emergency Patch

$149
~6h @ $25/hr · same-day
  • Audit Mirasvit packages & version
  • Upgrade Cache Warmer to 1.11.12+
  • Zero-downtime deploy + cache flush
  • Quick log scan for the exploit cookie
  • Confirmation the fix is live
Book the patch →

Patch + Compromise Scan

$399
~16h @ $25/hr
  • Everything in Emergency Patch
  • Deep indicators-of-compromise scan
  • Backdoor / webshell check & removal
  • Security patch (APSB) gap review
  • Hardening recommendations report
Book scan + patch →

Both are fixed-fee and show hours at my standard $25/hr rate. Larger or multi-store estates: I’ll quote a sprint.

Frequently asked questions

What is the Mirasvit Cache Warmer vulnerability?
A critical PHP object injection bug (CWE-502). The extension feeds a client-supplied CacheWarmer cookie to unserialize() without restricting allowed classes, so an attacker can instantiate objects and — with Magento gadget chains — achieve unauthenticated remote code execution. It is fixed in Cache Warmer 1.11.12.
I never installed Cache Warmer — am I still affected?
Possibly yes. Cache Warmer is bundled inside several Mirasvit packages, so another Mirasvit extension may have installed it for you. If you run any Mirasvit extension, you should check your Cache Warmer version and update if it is below 1.11.12.
Is updating to 1.11.12 enough?
Updating closes the hole, so it is the essential first step. But if the flaw was already exploited before you patched, a backdoor may persist. That is why I also scan logs and files for indicators of compromise and clean up anything I find.
How do I know if I was already hacked?
Look for storefront requests with a CacheWarmer cookie whose value contains CacheWarmer: plus a base64 marker matching (Tz|Qz|YT), plus the usual signs — unexpected admin users, modified core files, or new PHP files in writable paths. My Patch + Compromise Scan tier covers this end to end.
How fast can you patch my store?
Usually the same day. The Emergency Patch is a focused ~6-hour job: audit, upgrade to 1.11.12, deploy with zero downtime, and confirm the fix is live. Message me on WhatsApp and I’ll start as soon as I have access.
What does it cost?
$149 for the Emergency Patch (~6h @ $25/hr) or $399 for Patch + Compromise Scan (~16h @ $25/hr). Multi-store or Adobe Commerce Cloud estates are quoted as a short sprint.