CISA Adds One Known Exploited Vulnerability to Catalog (CVE-2026-45247)
CISA has added CVE-2026-45247, a deserialization of untrusted data vulnerability affecting the Mirasvit Full Page Cache Warmer, to its Known Exploited Vulnerabilities (KEV) Catalog. The addition is based on evidence of active exploitation, and CISA strongly urges all organizations to prioritize its remediation to reduce exposure to cyberattacks.
What Happened
CISA has issued a warning regarding a software flaw in the Mirasvit Full Page Cache Warmer that is currently being exploited by attackers. This vulnerability allows malicious actors to manipulate data in a way that could compromise affected systems. Any organization using this software is at risk of being targeted. System administrators should immediately apply the latest security updates or patches provided by the vendor to secure their networks.
Key Takeaways
- CISA has added CVE-2026-45247 to the Known Exploited Vulnerabilities (KEV) Catalog.
- The vulnerability affects Mirasvit Full Page Cache Warmer and involves the deserialization of untrusted data.
- There is evidence of active exploitation of this vulnerability in the wild.
- Federal Civilian Executive Branch (FCEB) agencies are mandated to remediate this vulnerability by a specified due date.
Affected Systems
- Mirasvit Full Page Cache Warmer
Vulnerabilities (CVEs)
- CVE-2026-45247
Attack Chain
Malicious actors are actively exploiting CVE-2026-45247, a deserialization vulnerability in the Mirasvit Full Page Cache Warmer. By supplying untrusted data to the application, attackers can likely achieve unauthorized access or remote code execution. Specific post-exploitation activities, payloads, and infrastructure are not detailed in the alert.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No detection rules or queries are provided in the alert.
Detection Engineering Assessment
- EDR Visibility: Low. The alert focuses solely on the vulnerability itself and does not provide specific post-exploitation indicators or behaviors for EDR platforms to detect.
- Network Visibility: Medium. Network sensors such as WAFs or IDS/IPS may be able to detect malicious deserialization payloads targeting the Mirasvit application if appropriate signatures are deployed.
- Detection Difficulty: Moderate. Detecting exploitation requires visibility into web traffic and specific WAF rules tailored to identify deserialization attacks targeting this specific application.
Required Log Sources
- Web Application Firewall (WAF) logs
- Web server access logs
- Application error logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for anomalous HTTP requests containing serialized objects or unusual payloads directed at Mirasvit Full Page Cache Warmer endpoints. | Web server access logs, WAF logs | Initial Access | Medium |
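One way to run the hunt above over web server access logs, as an added example that is not part of the CISA alert or any vendor tooling. It assumes the payloads follow PHP's `serialize()` object format (the extension runs on Magento, a PHP platform; the alert does not describe the payload format), and `PLACEHOLDER_WARMER_PATH` is a hypothetical stand-in for the extension's real routes, which the alert does not list.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote, urlsplit

# PHP serialize() object markers such as O:8:"stdClass":1: or C:11:"ArrayObject":37:
PHP_OBJECT = re.compile(r'[OC]:\d+:"[A-Za-z_\\][\w\\]*":\d+:')
REQUEST = re.compile(r'"(?:GET|POST|PUT) (\S+) HTTP/[\d.]+"')
# Assumption: placeholder route fragment; the alert names no endpoints.
PATH_HINT = "PLACEHOLDER_WARMER_PATH"

def candidates(value):
    """Yield value URL-decoded once and twice, plus base64 decodings of each."""
    for _ in range(2):
        value = unquote(value)
        yield value
        try:
            padded = value + "=" * (-len(value) % 4)
            yield base64.b64decode(padded, validate=True).decode("latin-1")
        except (binascii.Error, ValueError):
            pass

def hunt(log_lines, path_hint=PATH_HINT):
    """Return (line number, parameter name) for each suspicious request."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if path_hint.lower() not in target.path.lower():
            continue
        for pair in target.query.split("&"):
            name, _, value = pair.partition("=")
            if any(PHP_OBJECT.search(c) for c in candidates(value)):
                hits.append((number, name))
                break
    return hits

# Constructed sample log lines (not from the alert); the object is an inert stdClass.
_OBJ = 'O:8:"stdClass":0:{}'
_B64 = base64.b64encode(_OBJ.encode()).decode()
_FMT = '203.0.113.5 - - [01/Jan/2026:00:00:0{}] "GET {} HTTP/1.1" 200 512'
SAMPLE_LOG = [
    _FMT.format(1, f"/{PATH_HINT}/index?page=2"),
    _FMT.format(2, f"/{PATH_HINT}/index?data={quote(_OBJ, safe='')}"),
    _FMT.format(3, f"/{PATH_HINT}/index?id=7&state={quote(_B64, safe='')}"),
    _FMT.format(4, f"/other/page?data={quote(_OBJ, safe='')}"),
]
```

Access logs usually record only the request line, so this covers query-string parameters; request bodies need WAF logs or application-level logging.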
Control Gaps
- Lack of WAF rules for specific deserialization payloads
- Unpatched public-facing web applications
Key Behavioral Indicators
- Anomalous web requests to Mirasvit endpoints
- Application crashes or errors related to deserialization processes
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Identify all instances of Mirasvit Full Page Cache Warmer deployed within your environment.
- Apply vendor-supplied patches or updates for CVE-2026-45247 immediately where supported by your tooling.
Infrastructure Hardening
- Evaluate whether public-facing applications are placed behind a Web Application Firewall (WAF) with updated rulesets to block deserialization attacks.
- Consider whether network segmentation can be improved to isolate vulnerable web applications from critical internal networks.
User Protection
- N/A
Security Awareness
- Consider incorporating CISA KEV catalog monitoring into your organization's standard vulnerability management program.
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application