Introduction
On June 3, 2026, CISA added CVE-2026-45247 to the Known Exploited Vulnerabilities (KEV) Catalog, signaling a critical shift in the threat landscape for e-commerce platforms utilizing the Mirasvit ecosystem. This vulnerability, identified as a Deserialization of Untrusted Data flaw in the Mirasvit Full Page Cache Warmer, is not theoretical—CISA has confirmed evidence of active exploitation in the wild.
For defenders managing federal civilian networks or commercial e-commerce infrastructures, this is a "drop everything" moment. Deserialization vulnerabilities are a premier pathway for initial access, often leading to Remote Code Execution (RCE) and subsequent ransomware deployment. Under Binding Operational Directive (BOD) 22-01, FCEB agencies have a strict deadline to remediate, but private sector entities should treat this with equal urgency to prevent supply chain compromise.
Technical Analysis
Affected Component: The vulnerability resides within the Mirasvit Full Page Cache Warmer extension, a popular performance optimization plugin typically deployed on Magento and Adobe Commerce environments. This component is designed to pre-load cache pages to improve user experience.
Vulnerability Mechanics (CVE-2026-45247): The flaw stems from insecure deserialization of user-supplied data. The application accepts serialized objects (typically PHP objects) via specific endpoints and processes them without adequate integrity checks or type validation.
- Attack Vector: A malicious actor crafts a serialized payload containing a "gadget chain"—a sequence of existing PHP classes that, when instantiated during deserialization, trigger dangerous side effects (e.g.,
eval(),system(), or file write operations). - Impact: Successful exploitation allows the attacker to execute arbitrary code on the underlying web server with the privileges of the web application user (often
www-dataorapache). This effectively breaches the perimeter, allowing for webshell deployment, data exfiltration, and lateral movement.
Exploitation Status:
- CISA KEV: Listed (Active Exploitation Confirmed).
- CVSS Score: While the specific score is pending final publication, deserialization flaws with confirmed exploits typically score 9.8 (Critical) due to the network attack vector and high impact on confidentiality, integrity, and availability.
Detection & Response
Given the active exploitation status, security teams must assume compromise is possible. Below are detection mechanisms tailored to identify exploitation attempts against the Mirasvit Cache Warmer and subsequent webshell activity.
Sigma Rules
---
title: Potential Exploitation of Mirasvit Cache Warmer Deserialization
id: 9c8e7f12-a345-4b8a-9c1d-2e3f4a5b6c7d
status: experimental
description: Detects suspicious HTTP POST requests to Mirasvit Full Page Cache Warmer endpoints, which may indicate attempts to exploit CVE-2026-45247 via deserialization payloads.
references:
- https://www.cisa.gov/news-events/alerts/2026/06/03/cisa-adds-one-known-exploited-vulnerability-catalog
author: Security Arsenal
date: 2026/06/04
tags:
- attack.initial_access
- attack.web_shell
- attack.t1190
logsource:
category: webserver
product: apache
# or nginx/iis depending on env
detection:
selection:
c|contains: 'POST'
cs-uri-stem|contains:
- '/warmer/index/index'
- '/cache_warmer/proxy/index'
selection_content:
cs-bytes|gt: 500 # Deserialization payloads (PHP objects) are often larger than standard cache requests
condition: selection and selection_content
falsepositives:
- Legitimate heavy cache warming requests (unlikely to be POST)
level: high
---
title: Web Server Process Spawning Shell (Potential Webshell)
id: b1d2e3f4-5678-90ab-cdef-1234567890ab
status: experimental
description: Detects the web server user spawning a shell process, a common indicator of successful RCE via CVE-2026-45247.
author: Security Arsenal
date: 2026/06/04
tags:
- attack.execution
- attack.t1059.004
logsource:
category: process_creation
product: linux
detection:
selection_parent:
ParentImage|endswith:
- '/httpd'
- '/nginx'
- '/apache2'
- '/php-fpm'
selection_child:
Image|endswith:
- '/bash'
- '/sh'
- '/perl'
- '/python'
- '/nc'
condition: selection_parent and selection_child
falsepositives:
- Legitimate administrative scripts executed by cron
level: critical
KQL (Microsoft Sentinel / Defender)
// Hunt for anomalous POST requests to Cache Warmer endpoints
Syslog
| where ProcessName contains "nginx" or ProcessName contains "httpd" or ProcessName contains "apache"
| parse SyslogMessage with * "Method: " Method ", RequestURI: " RequestURI *
| where Method == "POST" and (RequestURI contains "/warmer/" or RequestURI contains "/cache_warmer/")
| extend PayloadSize = toint(substring(SyslogMessage, indexof(SyslogMessage, "Content-Length:"), 50))
| where isnotempty(PayloadSize) and PayloadSize > 1000
| project TimeGenerated, ComputerName, SourceIP, RequestURI, PayloadSize, SyslogMessage
| order by TimeGenerated desc
Velociraptor VQL
-- Hunt for recent PHP file modifications in the Mirasvit module directory
-- and potential webshell artifacts in the cache warmer path
SELECT FullPath, Mtime, Atime, Size, Mode
FROM glob(globs='/*/*/app/code/Mirasvit/CacheWarmer/**/*.php')
WHERE Mtime > timestamp("2026-06-01")
OR Size < 200 // Detect small suspicious PHP files often used as webshells
-- Hunt for webserver processes spawning shells
SELECT Pid, Ppid, Name, Exe, CommandLine, Username
FROM pslist()
WHERE Name IN ('bash', 'sh', 'perl', 'python')
AND Ppid IN (
SELECT Pid
FROM pslist()
WHERE Name IN ('httpd', 'nginx', 'apache2', 'php-fpm')
)
Remediation Script (Bash)
#!/bin/bash
# Remediation Audit Script for CVE-2026-45247
# Checks for Mirasvit module presence and known bad file hashes/locations
echo "[+] Checking for Mirasvit Full Page Cache Warmer installation..."
# Common Magento paths
MAGENTO_ROOT="/var/www/html"
MODULE_PATH="app/code/Mirasvit/CacheWarmer"
if [ -d "$MAGENTO_ROOT/$MODULE_PATH" ]; then
echo "[!] Module found at $MAGENTO_ROOT/$MODULE_PATH"
echo "[+] Checking for recent modifications (Last 7 days)..."
find "$MAGENTO_ROOT/$MODULE_PATH" -name "*.php" -mtime -7 -ls
echo "[!] ACTION REQUIRED: Review the composer. and update the Mirasvit module immediately."
echo " Apply the patch referenced in the vendor advisory for CVE-2026-45247."
else
echo "[-] Module not found in default path."
fi
echo "[+] Scanning for suspicious .php files in var/cache or pub/media (Webshell staging)..."
find "$MAGENTO_ROOT/pub/media" -name "*.php" -ls
find "$MAGENTO_ROOT/var/cache" -name "*.php" -ls
echo "[+] Audit complete."
Remediation
1. Patching: The primary remediation is to apply the vendor-supplied patch immediately. Mirasvit has released updates addressing this deserialization flaw.
- Action: Update the
mirasvit/module-cache-warmerto the latest patched version via Composer. - Command:
composer require mirasvit/module-cache-warmer:<patched_version> - Verify the update in
composer.lockand clear all caches (bin/magento cache:clean).
2. CISA Deadlines: Per BOD 22-01, FCEB agencies must remediate this vulnerability by the date specified in the KEV entry (typically within weeks of addition). Private sector entities should aim for remediation within 24-48 hours given the active exploitation status.
3. Network Controls:
- Restrict access to the Cache Warmer endpoints (e.g.,
/warmer/,/cache_warmer/) via IP whitelisting if the functionality is only required internally. - Ensure Web Application Firewalls (WAF) are updated with signatures targeting PHP object injection patterns commonly used in deserialization attacks.
4. Post-Incident Forensics: If exploitation is suspected, initiate a full scope IR engagement. Focus on:
- Webshell identification.
- Checking for persistence mechanisms (cron jobs, SSH keys).
- Validating database integrity (defacement or credential dumping).
Related Resources
Security Arsenal Red Team Services AlertMonitor Platform Book a SOC Assessment pen-testing Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.