🚨 SECURITY ALERT - CISA KEV CATALOG UPDATE: CVE-2026-45247 ACTIVELY EXPLOITED

BLUF: CISA has added CVE-2026-45247, a deserialization vulnerability in the Mirasvit Full Page Cache Warmer plugin, to its Known Exploited Vulnerabilities Catalog, confirming active exploitation in the wild. Organizations running this Magento/Adobe Commerce extension should treat this as an immediate priority.


DETAILS

  • CVE-2026-45247 has been formally added to CISA’s KEV Catalog, indicating confirmed evidence of active exploitation, not merely theoretical risk.
  • The vulnerability affects Mirasvit Full Page Cache Warmer, a widely used performance extension for Magento/Adobe Commerce e-commerce platforms.
  • The vulnerability class is deserialization, a category historically associated with remote code execution (RCE) and full system compromise. ⚠️ Specific exploit chain and confirmed impact severity have not been fully disclosed in available source data at time of publication.
  • CVSS score, patch availability, and affected version range are not confirmed in the triggering advisory; organizations should consult the CVE record and Mirasvit’s official channels directly.
  • Federal civilian agencies are subject to mandatory remediation timelines under BOD 22-01. Private sector organizations are strongly encouraged to follow the same cadence.

IMPACT

  • Directly affected: Organizations operating Magento 2 / Adobe Commerce storefronts with the Mirasvit Full Page Cache Warmer extension installed.
  • Scope: E-commerce environments globally. Deserialization flaws in this context may expose customer PII, payment data pipelines, and backend administrative access.
  • Broader context: This advisory arrives amid an elevated threat tempo: CISA and industry sources are simultaneously tracking active exploitation of WordPress plugins, LMS platforms, and PHP supply chain packages, suggesting broad opportunistic scanning across web application stacks.

RECOMMENDED ACTIONS

  1. Immediately audit all environments for presence of the Mirasvit Full Page Cache Warmer extension.
  2. Check Mirasvit’s official release channel for a patched version and apply without delay.
  3. If no patch is available, consider disabling the extension until remediation is confirmed.
  4. Review web server and application logs for anomalous deserialization activity or unexpected admin-level actions.
  5. Federal agencies: Remediate per BOD 22-01 mandatory timelines. Confirm compliance with your CISO.
  6. Monitor CISA’s KEV Catalog for updated guidance as additional details are released.
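
Added example (not from CISA or Mirasvit): one way to carry out step 1 by reading a Magento project's composer.lock and app/etc/config.php. The Composer package name mirasvit/module-cache-warmer, the module name Mirasvit_CacheWarmer, and the sample file contents are assumptions; confirm the names against your own vendor records.

```python
import json
import re

# Assumed identifiers, not stated in the advisory: confirm against vendor records.
PACKAGE = "mirasvit/module-cache-warmer"
MODULE = "Mirasvit_CacheWarmer"

# Constructed sample inputs; the version string is a placeholder, not an affected version.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "magento/framework", "version": "0.0.0"},
    {"name": PACKAGE, "version": "1.2.3"},
]})
SAMPLE_CONFIG = """<?php
return ['modules' => ['Magento_Store' => 1, 'Mirasvit_CacheWarmer' => 1]];
"""

def find_package(composer_lock_text):
    """Return the locked version of PACKAGE, or None if Composer did not install it."""
    lock = json.loads(composer_lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name", "").lower() == PACKAGE:
                return pkg.get("version", "unknown")
    return None

def module_state(config_php_text):
    """Return 'enabled', 'disabled' or 'absent' based on app/etc/config.php."""
    pattern = r"['\"]" + re.escape(MODULE) + r"['\"]\s*=>\s*([01])"
    match = re.search(pattern, config_php_text)
    if match is None:
        return "absent"
    return "enabled" if match.group(1) == "1" else "disabled"

def audit(composer_lock_text, config_php_text):
    """Combine both checks; a module copied into app/code has no composer.lock entry."""
    version = find_package(composer_lock_text)
    state = module_state(config_php_text)
    if state == "enabled":
        verdict = "enabled: patch or disable"
    elif version is None and state == "absent":
        verdict = "not installed"
    else:
        verdict = "present but not enabled: patch or remove before re-enabling"
    return {"version": version, "state": state, "verdict": verdict}

if __name__ == "__main__":
    print(audit(SAMPLE_LOCK, SAMPLE_CONFIG))
```

Run it against every environment (production, staging, build images), since a storefront can carry the module in app/code without any composer.lock entry.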

⚠️ UNCERTAINTY FLAGS

  • Patch availability, affected version range, and confirmed CVSS score are not verified in source data. Do not assume a patch exists before checking vendor channels.
  • Full exploitation impact (RCE, data exfiltration, privilege escalation) is not confirmed in available details.

SOURCES