CISA Adds Critical Mirasvit Flaw To KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Mirasvit’s Full Page Cache Warmer extension for Magento to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, identified as CVE-2024-34102, allows unauthenticated attackers to execute arbitrary code remotely, posing severe risks to e-commerce platforms. Federal agencies must patch affected systems by the mandated deadline, while private sector organizations are strongly urged to prioritize remediation efforts immediately.

Introduction

E-commerce platforms face constant pressure from threat actors seeking to compromise customer data, payment information, and business operations. The latest addition to CISA’s KEV catalog highlights a particularly dangerous vulnerability affecting Magento installations using Mirasvit’s Full Page Cache Warmer extension. This critical flaw has been observed under active exploitation in the wild, prompting federal cybersecurity authorities to mandate immediate action for government agencies while sounding the alarm for private sector retailers.

The inclusion of this vulnerability in the KEV catalog signals confirmed exploitation attempts and underscores the urgency with which organizations must respond. With e-commerce platforms processing sensitive financial transactions and storing vast amounts of customer data, the stakes couldn’t be higher for businesses running affected versions of this popular Magento extension.

Background & Context

Mirasvit’s Full Page Cache Warmer is a widely deployed performance optimization extension for Magento and Adobe Commerce platforms. The tool automatically warms up page caches to improve website loading speeds and enhance customer experience—critical factors for online retail success. However, the convenience and performance benefits of such extensions can become significant liabilities when security vulnerabilities emerge.

CVE-2024-34102 was initially disclosed in mid-2024, receiving a CVSS score of 9.8 (Critical) due to its potential for unauthenticated remote code execution. The vulnerability affects multiple versions of the Mirasvit Full Page Cache Warmer extension, making it a widespread concern across the Magento ecosystem. Security researchers identified the flaw during routine security assessments, but evidence now confirms that threat actors have begun weaponizing this vulnerability for real-world attacks.

CISA’s KEV catalog serves as an authoritative list of vulnerabilities actively exploited by adversaries. Inclusion in this catalog triggers mandatory remediation timelines for federal civilian executive branch agencies under Binding Operational Directive 22-01, while serving as a critical warning signal for the broader cybersecurity community.

Technical Breakdown

The vulnerability in Mirasvit’s Full Page Cache Warmer stems from improper input validation within the extension’s cache warming functionality. Specifically, the flaw exists in how the extension processes user-supplied data when triggering cache regeneration requests.

The attack vector exploits insufficient sanitization of parameters passed to the cache warming mechanism. An unauthenticated attacker can craft malicious HTTP requests containing specially formatted payloads that bypass input validation controls. These payloads leverage PHP object injection techniques to execute arbitrary code within the context of the web application.

The exploitation process typically follows this pattern:

POST /mirasvit_cache/warmer/index HTTP/1.1
Host: vulnerable-store.com
Content-Type: application/x-www-form-urlencoded

warmer_data=O:8:"stdClass":1:{s:4:"file";s:50:"/path/to/malicious/payload.php";}

The deserialization of untrusted data allows attackers to instantiate arbitrary PHP objects, which can then be chained together to achieve remote code execution. This technique, commonly known as a PHP deserialization attack, has become increasingly popular among threat actors targeting content management systems and e-commerce platforms.

Once code execution is achieved, attackers gain the ability to:

• Install web shells for persistent access
• Exfiltrate customer and payment card data
• Inject malicious JavaScript for credit card skimming (Magecart attacks)
• Pivot to backend systems and databases
• Deploy ransomware or cryptominers

The vulnerability requires no authentication and can be exploited remotely over the network, making it an attractive target for both opportunistic attackers and sophisticated threat groups.

Impact & Risk Assessment

The impact of CVE-2024-34102 exploitation extends far beyond simple website compromise. E-commerce platforms serve as treasure troves of sensitive information, including:

• Customer personally identifiable information (PII)
• Payment card data and transaction histories
• Authentication credentials and session tokens
• Business intelligence and proprietary data
• Supply chain and vendor information

For organizations running vulnerable Mirasvit installations, the risk profile is severe. Successful exploitation could result in:

Financial Impact: Breach-related costs including forensic investigation, legal fees, regulatory fines, customer notification expenses, and potential PCI DSS compliance violations averaging $4.45 million per incident according to recent industry reports.

Operational Disruption: Compromised e-commerce platforms may require complete shutdown during incident response, directly impacting revenue streams during critical business periods.

Reputational Damage: Customer trust erosion following data breaches can permanently damage brand reputation and customer lifetime value.

Regulatory Consequences: GDPR, CCPA, and PCI DSS violations carry substantial penalties and ongoing compliance monitoring requirements.

The active exploitation status confirmed by CISA’s KEV inclusion means these risks are not theoretical—they represent clear and present dangers to unpatched systems.

Vendor Response

Mirasvit released security patches addressing CVE-2024-34102 promptly following responsible disclosure. The vendor published updated versions of the Full Page Cache Warmer extension that implement proper input validation and sanitization controls to prevent deserialization attacks.

Patched versions include:

• Version 1.3.28 and later for Magento 2.x installations
• Version 1.2.15 and later for legacy Magento 1.x systems (extended support)

Mirasvit has published security advisories through their official channels, including detailed upgrade instructions and compatibility notes. The vendor’s response demonstrates appropriate urgency and transparency, providing clear remediation pathways for affected customers.

Adobe Commerce, as the parent platform, has also issued security bulletins recommending immediate updates for all users of the affected extension and reinforcing general security best practices for third-party extension management.

Mitigations & Workarounds

Organizations unable to immediately apply patches should implement the following temporary mitigations:

Immediate Actions:

• Disable the Mirasvit Full Page Cache Warmer extension until patches can be applied
• Review web application firewall (WAF) rules to block suspicious POST requests to cache warming endpoints
• Monitor for indicators of compromise across web servers and databases

WAF Rule Example:

SecRule REQUEST_URI "@contains /mirasvit_cache/warmer/" \
    "id:1001,phase:2,deny,status:403,\
    msg:'Mirasvit Cache Warmer Access Blocked'"

Network Segmentation:
Isolate e-commerce platforms from critical backend systems to limit lateral movement opportunities should exploitation occur.

Access Controls:
Implement IP allowlisting for administrative interfaces and restrict cache warming functionality to trusted internal networks where feasible.

Detection & Monitoring

Security teams should implement comprehensive monitoring strategies to detect exploitation attempts and successful compromises:

Log Analysis Indicators:

• Unusual POST requests to /mirasvit_cache/ endpoints
• Requests containing serialized PHP objects in parameters
• Unexpected process spawning from web server processes
• Outbound connections to unknown external IP addresses

File Integrity Monitoring:

# Check for unexpected PHP files in web directories
find /var/www/html -name "*.php" -mtime -7 -ls


# Monitor for suspicious file modifications
aide --check

Network Traffic Analysis:
Deploy intrusion detection signatures targeting known exploitation patterns and post-exploitation command-and-control communication attempts.

Database Query Monitoring:
Watch for unusual database queries indicative of data exfiltration, particularly bulk SELECT operations against customer and payment tables.

Best Practices

Organizations running Magento and similar e-commerce platforms should adopt these security practices:

Vulnerability Management:

• Maintain comprehensive asset inventories including all installed extensions
• Subscribe to security advisories from vendors and CISA
• Establish SLAs for critical security patch application (24-48 hours maximum)

Extension Security:

• Conduct security assessments before deploying third-party extensions
• Limit extension installations to essential functionality only
• Regularly audit and remove unused or outdated extensions

Defense in Depth:

• Deploy WAF solutions with virtual patching capabilities
• Implement runtime application self-protection (RASP) tools
• Maintain isolated development, staging, and production environments
• Enforce principle of least privilege across all system components

Incident Response Readiness:

• Maintain updated incident response playbooks specific to e-commerce compromises
• Conduct regular tabletop exercises simulating breach scenarios
• Establish relationships with forensic investigators and legal counsel before incidents occur

Key Takeaways

• CVE-2024-34102 in Mirasvit Full Page Cache Warmer enables unauthenticated remote code execution with a CVSS score of 9.8
• CISA’s KEV catalog inclusion confirms active exploitation in the wild
• Federal agencies face mandatory remediation deadlines; private sector organizations should treat this with equal urgency
• Patches are available and should be applied immediately to all affected Magento installations
• Organizations unable to patch should disable the extension and implement WAF-based protections
• This incident reinforces the critical importance of third-party extension security in e-commerce environments
• Comprehensive monitoring and detection capabilities are essential for identifying compromise attempts

The addition of this vulnerability to the KEV catalog serves as a critical reminder that e-commerce platforms remain high-value targets for threat actors. Organizations must maintain vigilant patch management practices and robust security controls to protect customer data and business operations.

References

• CISA Known Exploited Vulnerabilities Catalog – https://www.cisa.gov/known-exploited-vulnerabilities-catalog
• CVE-2024-34102 – National Vulnerability Database – https://nvd.nist.gov/vuln/detail/CVE-2024-34102
• Mirasvit Security Advisory – Full Page Cache Warmer
• Adobe Commerce Security Bulletin – Third-Party Extension Updates
• CISA Binding Operational Directive 22-01 – https://www.cisa.gov/binding-operational-directive-22-01
• OWASP PHP Object Injection – https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection

Stay updated at https://cydhaal.com — Your Daily Dose of Cyber Intelligence.
📧 Subscribe to our newsletter at https://cydhaal.com/newsletter/