Critical Magento 2 Vulnerability Exposes Servers to Remote Code Execution: Immediate Patch Urged

May 30, 2026
  • Imperva warns of CVE-2026-45247, a critical unauthenticated remote code execution (RCE) vulnerability in Mirasvit Full Page Cache Warmer for Magento 2: the module passes the value of a CacheWarmer cookie to PHP deserialization, so an attacker can inject a serialized object and run arbitrary commands on an exposed server without any credentials.

  • Sansec researchers disclosed the flaw on May 26, 2026 and rated it CVSS 9.8; exploitation needs no authentication and relies on PHP Object Injection gadget chains (classes already loaded by the application whose magic methods do dangerous work when an injected object is deserialized) to reach full RCE.

  • Attack activity so far has targeted gaming and business sites across regions; the United States, United Kingdom, France, and Australia are the most affected.

  • Observed exploitation attempts deliver base64-encoded serialized PHP objects in the cookie; the payloads reference Monolog classes as the gadget chain and end in calls such as system(), with date commands among the operations seen (a command attackers commonly use to confirm that execution works).

  • Imperva notes that customers on Imperva Cloud WAF and WAF Gateway are covered: both products detect and block the deserialization attempts and RCE patterns before they reach a vulnerable application.

  • Mitigation: upgrade the module to version 1.11.12 or later; audit every installed Mirasvit module for vulnerable versions; search request logs for CacheWarmer cookie values that decode to serialized PHP objects; and use WAF rules to block malicious payloads until the upgrade is in place.

  • Mirasvit shipped the fix in version 1.11.12 on May 25, 2026. Update immediately and check every installation, because Cache Warmer may be bundled with other Mirasvit packages rather than installed on its own.

  • Bottom line: unauthenticated RCE from a single crafted cookie is a high-risk condition; patch immediately and keep monitoring for indicators of compromise.
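The log check in the mitigation list, worked through as an added example (this is not code from Imperva, Sansec or Mirasvit): it pulls the CacheWarmer cookie out of each logged request, base64-decodes it, and flags values that decode to PHP object syntax, naming the classes referenced and any command-execution functions present. It assumes the web server logs the Cookie header (for nginx, a log_format that includes $http_cookie); the log lines and the payload are constructed, and the payload is a deliberately non-functional stand-in that only imitates the markers the summary describes (a Monolog\ class, system, date), not a real gadget chain.

```python
"""
Hunt web-server logs for CacheWarmer cookies that carry serialized PHP objects.

Added example; not code from Imperva, Sansec or Mirasvit. Assumes the Cookie
header is present in the log line. All sample data below is constructed.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

COOKIE_NAME = "CacheWarmer"

# A PHP serialized object starts as  O:<name length>:"<class name>":<field count>:{
PHP_OBJECT_RE = re.compile(rb'O:\d+:"([^"]+)":\d+:\{')

# Class-name prefix reported in observed payloads, plus a short list of PHP
# command-execution functions worth flagging (the list is ours, not the advisory's).
GADGET_PREFIX = "Monolog\\"
EXEC_FUNCS = (b"system", b"shell_exec", b"passthru", b"exec", b"popen", b"proc_open")


def extract_cookie(log_line: str, name: str = COOKIE_NAME) -> Optional[str]:
    """Return the raw value of cookie `name` from a logged Cookie header, or None."""
    m = re.search(rf'(?:^|[;\s"]){re.escape(name)}=([^;\s"]+)', log_line)
    return m.group(1) if m else None


def decode_candidate(value: str) -> Optional[bytes]:
    """Base64-decode a cookie value (URL-encoded and unpadded forms included)."""
    v = unquote(value)
    v += "=" * (-len(v) % 4)
    try:
        return base64.b64decode(v, validate=True)
    except (binascii.Error, ValueError):
        pass
    try:
        return base64.urlsafe_b64decode(v)
    except (binascii.Error, ValueError):
        return None


def analyze_cookie(value: str) -> Dict:
    """Classify one cookie value: does it decode to a PHP object, and which classes?"""
    result = {"serialized_object": False, "classes": [], "exec_functions": [], "monolog": False}
    raw = decode_candidate(value)
    if raw is None:
        return result
    classes = [c.decode("latin-1") for c in PHP_OBJECT_RE.findall(raw)]
    result["serialized_object"] = bool(classes)
    result["classes"] = classes
    result["exec_functions"] = [f.decode() for f in EXEC_FUNCS if f in raw]
    result["monolog"] = any(c.startswith(GADGET_PREFIX) for c in classes)
    return result


def scan_log(lines: List[str]) -> List[Dict]:
    """Return one finding per line whose CacheWarmer cookie decodes to a PHP object."""
    hits = []
    for number, line in enumerate(lines, start=1):
        value = extract_cookie(line)
        if value is None:
            continue
        finding = analyze_cookie(value)
        if finding["serialized_object"]:
            hits.append({"line": number, "cookie": value, **finding})
    return hits


# Constructed stand-in payload: valid serialization syntax, but not a real gadget
# chain and not a real Monolog class. It only imitates the markers to be detected.
STUB_PAYLOAD = (
    b'O:34:"Monolog\\Handler\\ExampleHandlerStub":2:{'
    b's:8:"callback";s:6:"system";s:7:"command";s:4:"date";}'
)
STUB_COOKIE = base64.b64encode(STUB_PAYLOAD).decode()

# Constructed log lines in a combined-log style with the Cookie header appended.
SAMPLE_LOG = [
    '203.0.113.10 - - [27/May/2026:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "frontend=abc123; CacheWarmer=1"',
    f'198.51.100.7 - - [27/May/2026:10:01:09 +0000] "GET / HTTP/1.1" 200 512 "CacheWarmer={STUB_COOKIE}; frontend=zz"',
    '203.0.113.11 - - [27/May/2026:10:02:30 +0000] "GET /catalog HTTP/1.1" 200 9001 "frontend=def456"',
    '203.0.113.12 - - [27/May/2026:10:03:00 +0000] "GET / HTTP/1.1" 200 512 "CacheWarmer=d2FybQ"',  # base64 of "warm"
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: classes={hit['classes']} exec={hit['exec_functions']} monolog={hit['monolog']}")
```

Only the second line is reported: a plain `CacheWarmer=1` and a cookie that decodes to ordinary text are ignored, while a value that decodes to `O:..:"Monolog\...":` with `system` in it is flagged with the class names so an analyst can compare them against known gadget chains. Two caveats: most default access-log formats do not record cookies at all, so if the Cookie header is missing from your logs the check has to run against WAF request captures or application logs instead; and an empty result is not proof of absence, since a payload that is URL-encoded differently or split across requests will not match this simple decoder.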

Summary based on 1 source

