[TIMESTAMP: 2026-06-03 17:47 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

CVE-2026-45247: Mirasvit Full Page Cache Warmer Exploited — Patch Now

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Immediate impact: Threat actors are actively exploiting this vulnerability to execute arbitrary code on e-commerce platforms using the Mirasvit extension.
  • [02] Affected systems: Magento environments running the Mirasvit Full Page Cache Warmer extension are vulnerable to deserialization of untrusted data.
  • [03] Remediation: Update the Mirasvit Full Page Cache Warmer extension to the latest available version immediately to mitigate exploitation risk.

The Cybersecurity and Infrastructure Security Agency (CISA) has officially added CVE-2026-45247 to its Known Exploited Vulnerabilities (KEV) Catalog. This CVE involves a deserialization of untrusted data vulnerability within the Mirasvit Full Page Cache Warmer, a popular extension used to optimize performance for Magento e-commerce platforms. According to CISA, there is evidence of active exploitation in the wild, posing a significant risk to the integrity and availability of web servers hosting the affected software.

Technical Analysis of CVE-2026-45247

Deserialization of untrusted data occurs when an application receives a serialized object from an unverified source and attempts to reconstruct it without sufficient validation. In PHP-based extensions like Mirasvit's, this weakness often leads to remote code execution (RCE). Attackers can craft malicious serialized payloads that, when processed by the server, trigger the execution of arbitrary commands.

Because Magento environments often handle sensitive customer data and financial transactions, gaining code execution on these systems allows threat actors to escalate privileges, install web shells, or exfiltrate databases. Exploitation of deserialization flaws in Magento extensions is a recurring theme in e-commerce threats, as these platforms often rely on complex third-party codebases that may not always undergo rigorous security auditing.

How to detect CVE-2026-45247 exploitation

Security teams and SOC analysts should monitor web server logs for suspicious patterns that indicate an exploitation attempt. Indicators of compromise (IoC) typically involve unusual POST requests directed at endpoints associated with the Mirasvit Full Page Cache Warmer extension. Specifically, look for large, encoded strings in request parameters that resemble serialized PHP objects.
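The parameter check described above, as an added example (not code from the original article or from the vendor): it flags POST parameters whose value carries a serialized PHP object header, including when the value is URL-encoded or base64-encoded. It assumes request bodies are available as (method, path, body) records, for instance from a WAF audit log, since standard access logs omit POST bodies; `ROUTE` is a placeholder because the article does not name the extension's endpoints, and all sample records are constructed.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, quote, unquote, urlencode

# Header of a PHP serialize() object: O:<len>:"<Class>":<count>:{ (C: is the Serializable form)
PHP_OBJECT = re.compile(r'(?:^|[;{])[OC]:\d+:"[A-Za-z_\\][\w\\]*":\d+:\{')
B64_RUN = re.compile(r'^[A-Za-z0-9+/_-]{16,}={0,2}$')

def decoded_forms(value, depth=3):
    """Yield the value plus what it decodes to under URL-encoding and base64 (up to depth layers)."""
    yield value
    if depth == 0:
        return
    url = unquote(value)
    if url != value:
        yield from decoded_forms(url, depth - 1)
    if B64_RUN.match(value):
        raw = value.rstrip("=").replace("-", "+").replace("_", "/")
        try:
            plain = base64.b64decode(raw + "=" * (-len(raw) % 4), validate=True)
        except (binascii.Error, ValueError):
            return
        yield from decoded_forms(plain.decode("latin-1"), depth - 1)

def suspicious_params(body):
    """Names of form parameters whose value carries a serialized PHP object."""
    return [name for name, value in parse_qsl(body, keep_blank_values=True)
            if any(PHP_OBJECT.search(form) for form in decoded_forms(value))]

def scan(records, route):
    """records: (method, path, body) tuples; route: substring identifying the extension's endpoints."""
    found = ((path, suspicious_params(body)) for method, path, body in records
             if method == "POST" and route in path)
    return [(path, names) for path, names in found if names]

# Constructed sample data: a harmless stdClass object and a placeholder route, not real IoCs.
ROUTE = "/EXTENSION-ROUTE-PLACEHOLDER/"
OBJ = 'O:8:"stdClass":1:{s:1:"a";s:1:"b";}'
RECORDS = [
    ("POST", ROUTE + "a", urlencode({"data": base64.b64encode(OBJ.encode()).decode()})),
    ("POST", ROUTE + "b", urlencode({"page": "2", "state": quote(OBJ)})),  # double URL-encoded
    ("POST", ROUTE + "c", urlencode({"page": "2", "q": "running shoes"})),  # benign form post
    ("GET", ROUTE + "d", ""),
]

if __name__ == "__main__":
    print(scan(RECORDS, ROUTE))
```

Plain serialized arrays and scalars are not flagged; only object headers are, which keeps noise down on stores that legitimately pass serialized arrays in form fields.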

Furthermore, defenders should use EDR tools to identify unauthorized child processes spawning from the web server user (e.g., www-data or apache). If a web server suddenly initiates outbound connections to unknown IP addresses, it may indicate a C2 callback following a successful exploit. Mapping these activities against the MITRE ATT&CK framework, specifically Technique T1190 (Exploit Public-Facing Application), can help provide context for incident response.

Impact on Federal and Private Organizations

Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are mandated to remediate vulnerabilities listed in the KEV catalog within a specific timeframe. While this directive is legally binding only for federal agencies, the inclusion of CVE-2026-45247 serves as a high-priority warning for the private sector.

E-commerce platforms are frequent targets for APT groups and financially motivated cybercriminals who seek to inject skimming scripts or deploy ransomware. Failure to address this flaw could lead to a massive data breach or a supply chain attack scenario if the extension is used across multiple managed storefronts.

Mirasvit Full Page Cache Warmer patch guidance

The primary recommendation for all affected organizations is to update the Mirasvit extension to the latest secure version provided by the vendor. This is the most effective way to eliminate the deserialization vector. If an immediate update is not feasible, consider the following temporary mitigations:

  • Restrict Access: Use a Web Application Firewall (WAF) to block requests containing serialized PHP objects directed at the extension’s functional endpoints.
  • Disable the Extension: If the cache warmer functionality is not essential for immediate business operations, disable the extension until a patch can be verified and deployed.
  • Verify Permissions: Ensure that the web server user has only the minimum necessary permissions, to prevent attackers from achieving further persistence or lateral movement if the initial entry point is exploited.

Timely remediation is essential, as the window between KEV inclusion and widespread automated scanning is typically very narrow.
