
Mirasvit Cache Warmer Flaw Opens Thousands of Magento Stores to Remote Takeover

An unauthenticated PHP object injection flaw in Mirasvit Cache Warmer allows attackers to execute arbitrary code on any public Magento storefront without credentials.

CSBadmin

Unauthenticated Code Execution via PHP Object Injection

A critical vulnerability has been discovered in Mirasvit Cache Warmer, a popular caching plugin for Magento and Adobe Commerce storefronts. Security researchers at Sansec found that the plugin passes untrusted user input from a cookie directly to PHP’s unserialize() function without any authentication or class restrictions. This allows an attacker to inject arbitrary PHP objects into the server, effectively bypassing all access controls.

Because the cookie value is controlled entirely by the client, an attacker can craft it to include malicious serialized objects. When combined with existing code libraries bundled in Magento, known as gadget chains, this object injection escalates into full remote code execution. The attack can be triggered on any public-facing storefront request, not only cache-warming traffic, making every exposed installation a potential entry point.

Impact and Scope

All versions of Mirasvit Cache Warmer before 1.11.12 are affected. The plugin is often shipped as a bundled component within other Mirasvit extension packages, meaning many merchants may not even realize they have it installed. Sansec’s scans identified roughly 6,000 stores running Mirasvit extensions, though the true number is likely higher because content delivery networks such as Cloudflare obscure many installations from external detection.

The exploit leaves a distinct signature in web server logs. Security teams should monitor for storefront requests containing a CacheWarmer cookie whose value starts with ‘CacheWarmer:’ followed by a base64-encoded string. Serialized PHP objects typically base64-encode to strings beginning with common prefixes such as ‘Tz’, ‘Qz’, or ‘YT’, creating a detectable pattern. Merchants using Mirasvit Cache Warmer should update to version 1.11.12 or later immediately.
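The detection rule above can be turned into a log scanner. The following Python script is an added example written for this article; it is not code from Sansec, Mirasvit, or the original report. It assumes an Apache combined-style access log with the request's Cookie header appended as a final quoted field, assumes the cookie value arrives URL-encoded, and uses constructed sample lines with documentation IP ranges. It also shows where the ‘Tz’, ‘Qz’ and ‘YT’ prefixes come from: they are the base64 encodings of the PHP serialization tags `O:`, `C:` and `a:`, so the scanner decodes the payload and checks those tags directly rather than matching on the prefix alone.

```python
"""Constructed example: flag Mirasvit CacheWarmer cookie values that carry a
base64-encoded serialized PHP object or array, per the indicator in the article."""
import base64
import binascii
import re
from urllib.parse import unquote

COOKIE_NAME = "CacheWarmer"
VALUE_PREFIX = "CacheWarmer:"

# A serialized PHP value opens with a type tag. The tags that matter for object
# injection are "O:" (object), "C:" (custom-serialized object) and "a:" (array,
# which can nest objects). base64 of those two bytes begins "Tz", "Qz" and "YT",
# which is where the prefixes quoted in the article come from; a serialized
# scalar such as "s:" (string) begins "cz" and is not flagged.
SERIALIZED_TAGS = {b"O:": "object", b"C:": "custom object", b"a:": "array"}

# Assumed log layout: Apache combined-style line with the request's Cookie header
# appended as a final quoted field (e.g. LogFormat "... \"%{Cookie}i\"").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<cookie>[^"]*)"$'
)


def parse_cookie_header(header):
    """Split a raw Cookie header into a dict, URL-decoding each value."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = unquote(value.strip())
    return cookies


def classify_cookie_value(value):
    """Return the serialized PHP type a CacheWarmer cookie value carries, or None."""
    if not value.startswith(VALUE_PREFIX):
        return None
    payload = value[len(VALUE_PREFIX):]
    # Clients and proxies sometimes drop base64 padding; restore it before decoding.
    payload += "=" * (-len(payload) % 4)
    try:
        decoded = base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError):
        return None
    for tag, kind in SERIALIZED_TAGS.items():
        if decoded.startswith(tag):
            return kind
    return None


def scan_log(lines):
    """Return one record per request whose CacheWarmer cookie carries a serialized object/array."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        cookies = parse_cookie_header(match.group("cookie"))
        kind = classify_cookie_value(cookies.get(COOKIE_NAME, ""))
        if kind is not None:
            hits.append({
                "ip": match.group("ip"),
                "time": match.group("ts"),
                "request": match.group("req"),
                "payload_type": kind,
            })
    return hits


# Constructed sample log lines (documentation IP ranges, made-up timestamps).
# Line 1: base64 of O:4:"Foo":0:{}   -> flagged (object)
# Line 2: base64 of a:0:{}           -> flagged (array)
# Line 3: base64 of s:2:"ok";        -> not flagged (scalar)
# Line 4: ordinary storefront request without the cookie
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2025:12:00:01 +0000] "GET / HTTP/1.1" 200 5120 '
    '"CacheWarmer=CacheWarmer%3ATzo0OiJGb28iOjA6e30%3D"',
    '203.0.113.7 - - [10/Mar/2025:12:00:02 +0000] "GET /catalog/category/view/id/3 HTTP/1.1" 200 8811 '
    '"PHPSESSID=constructed1; CacheWarmer=CacheWarmer%3AYTowOnt9"',
    '198.51.100.9 - - [10/Mar/2025:12:00:03 +0000] "GET /checkout/cart/ HTTP/1.1" 200 7302 '
    '"CacheWarmer=CacheWarmer%3AczoyOiJvayI7"',
    '198.51.100.12 - - [10/Mar/2025:12:00:04 +0000] "GET /customer/account/login/ HTTP/1.1" 200 6100 '
    '"PHPSESSID=constructed2; form_key=constructed3"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} {hit["request"]} -> serialized {hit["payload_type"]}')
```

Run against the constructed sample, the scanner reports the first two lines and ignores the serialized string and the cookie-less request. Decoding rather than prefix-matching keeps the rule tight (a value that merely starts with ‘Tz’ but is not valid base64 is not reported) while still catching the array case, which a rule limited to ‘O:’ objects would miss. If your web server does not log cookies, the same classifier can be fed from a reverse proxy or WAF log that does.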

Source: Cyber Security News

CSBadmin

The latest in cybersecurity news and updates.
