Mirasvit Cache Warmer CVE-2026-45247 Added to KEV

Executive Summary

CISA added CVE-2026-45247 to the Known Exploited Vulnerabilities catalog on 2026-06-03, with a federal remediation due date of 2026-06-24 [Source 1]. The affected component is Mirasvit Cache Warmer for Magento 2, a Magento / Adobe Commerce extension commonly deployed on ecommerce sites.

This post is scoped as an exploited-vulnerability response item rather than a confirmed package-publish compromise. The supply-chain relevance is operational: a third-party Magento module running inside an ecommerce application can become the exploited boundary for admin abuse, web-tier persistence, order-data exposure, payment-flow modification, or credential theft. Operators should verify whether mirasvit/module-cache-warmer is installed and update to 1.11.12 or later where the module is present [Source 2] [Source 3].

Source-Watcher Candidate Queue

candidate_id: "mirasvit-cache-warmer-cve-2026-45247-kev"
first_seen: "2026-06-03"
decision: "publish_ready"
relationship: "standalone_kev"
dedupe_keys:
  - "cve:CVE-2026-45247"
  - "composer:mirasvit/module-cache-warmer"
  - "vendor:Mirasvit"
  - "product:Magento 2 Cache Warmer"
starting_sources:
  - "CISA KEV"
  - "Mirasvit release metadata"
  - "NVD"
  - "Adobe Commerce / Magento extension ecosystem documentation"

Key Facts

cve: "CVE-2026-45247"
vendor: "Mirasvit"
product: "Cache Warmer for Magento 2"
composer_package: "mirasvit/module-cache-warmer"
kev_added: "2026-06-03"
kev_due: "2026-06-24"
fixed_version: "1.11.12"
platform:
  - "Magento 2"
  - "Adobe Commerce"
high_value_evidence:
  - "composer.lock"
  - "composer.json"
  - "vendor/mirasvit/module-cache-warmer/composer.json"
  - "var/log"
  - "web server access logs"
  - "Magento admin audit evidence"

Source Confidence and Claim Ledger

Claim	Status	Evidence
CISA added CVE-2026-45247 to KEV on 2026-06-03.	confirmed	CISA’s KEV catalog is the authoritative exploited-vulnerability source for this post [Source 1].
The affected component is Mirasvit Cache Warmer for Magento 2.	confirmed	NVD and package metadata identify the product and package family [Source 2] [Source 3].
Version 1.11.12 is the fixed floor used by this post’s hunting script.	confirmed	Public package metadata and advisory references identify 1.11.12 as the remediation target [Source 2] [Source 3].
Public sources currently identify a specific ransomware family or victim list.	not_observed	Reviewed public sources do not provide a verified campaign name, victim count, or exploit-chain detail.

Impact Determination

Classification	Criteria	Required evidence	Handling decision	Closure condition
Confirmed compromise	Unpatched Cache Warmer plus suspicious admin, module, webshell, order, payment, or file-write evidence.	Version evidence, web logs, Magento logs, admin user history, filesystem changes, WAF alerts, and payment-flow review.	Preserve evidence, restrict admin access, update module, rotate credentials, and inspect ecommerce integrity.	Fixed module, clean admin review, no unauthorized file/payment changes, and rotated credentials.
Presumed exposed	Installed Cache Warmer below 1.11.12 or version unknown on internet-exposed Magento.	Composer inventory, module file paths, and public exposure evidence.	Update immediately and collect logs around KEV disclosure.	Version proof at 1.11.12 or later and negative log review.
Potentially exposed	Magento estate may include Mirasvit Cache Warmer but inventory is incomplete.	Commerce asset inventory, Composer lockfiles, deployment manifests, and extension lists.	Inventory all Magento applications and extensions.	Each site is dispositioned as confirmed, presumed, or not exposed.
Not exposed	No Mirasvit Cache Warmer package or module path exists in complete Magento estate inventory.	Negative Composer and filesystem evidence.	Preserve negative search results.	Coverage includes production, staging, build images, and release artifacts.
Unknown	Composer, deployment, logs, or admin evidence is missing.	Named gap with owner and retention window.	Keep site and admin credentials in scope until evidence or rotation closes the gap.	Evidence is recovered or risk owner accepts residual uncertainty.

Timeline

• 2026-06-03: CISA adds CVE-2026-45247 to KEV with a 2026-06-24 remediation due date [Source 1].
• 2026-06-05: This Halting Problems refresh found no existing local post for CVE-2026-45247 and created this Magento-focused hunting report.

Machine-Readable Event Profile

{
  "event_id": "mirasvit-cache-warmer-cve-2026-45247-kev",
  "title": "Mirasvit Cache Warmer CVE-2026-45247 Added to KEV",
  "first_seen": "2026-06-03",
  "published": "2026-06-05",
  "severity": "high",
  "ecosystem": ["Magento", "Adobe Commerce", "Composer"],
  "cve": "CVE-2026-45247",
  "vendor": "Mirasvit",
  "product": "Cache Warmer for Magento 2",
  "composer_package": "mirasvit/module-cache-warmer",
  "fixed_version": "1.11.12",
  "known_behaviors": [
    "exploitation of third-party Magento extension",
    "possible Magento admin or web-tier follow-on activity",
    "possible ecommerce data and payment-flow integrity risk"
  ],
  "primary_sources": [
    "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json",
    "https://nvd.nist.gov/vuln/detail/CVE-2026-45247",
    "https://packagist.org/packages/mirasvit/module-cache-warmer",
    "https://experienceleague.adobe.com/docs/commerce-operations/installation-guide/tutorials/extensions.html"
  ]
}

Indicators of Compromise

packages:
  - "mirasvit/module-cache-warmer"
fixed_versions:
  - "mirasvit/module-cache-warmer@1.11.12"
files:
  - "composer.lock"
  - "composer.json"
  - "vendor/mirasvit/module-cache-warmer/composer.json"
  - "app/code/Mirasvit/CacheWarmer"
  - "var/log/system.log"
  - "var/log/exception.log"
  - "var/log/debug.log"
paths:
  - "vendor/mirasvit/module-cache-warmer"
  - "app/code/Mirasvit/CacheWarmer"
telemetry_selectors:
  - "CVE-2026-45247"
  - "mirasvit/module-cache-warmer"
  - "Mirasvit"
  - "CacheWarmer"
  - "cache-warmer"
  - "cache_warmer"

Detection and Hunting

Use the reusable audit script at scripts/threat-posts/mirasvit_cache_warmer_cve_2026_45247_audit.py.

python3 scripts/threat-posts/mirasvit_cache_warmer_cve_2026_45247_audit.py \
  --magento-root /srv/magento-export \
  --logs /srv/magento-web-admin-logs \
  --output hp-mirasvit-cache-warmer-cve-2026-45247-audit.json \
  --fail-on-open

Positive signal: mirasvit/module-cache-warmer below 1.11.12, unknown installed version, or web/admin logs referencing suspicious Cache Warmer activity. Escalation: any positive signal on an internet-exposed Magento application requires module update, admin credential review, and file/payment-flow integrity checks.

KQL: web and WAF logs

let startTime = datetime(2026-06-03T00:00:00Z);
let endTime = now();
union isfuzzy=true W3CIISLog, AzureDiagnostics
| where TimeGenerated between (startTime .. endTime)
| where tostring(csUriStem) has_any ("cache-warmer", "cache_warmer", "Mirasvit", "CacheWarmer")
   or tostring(requestUri_s) has_any ("cache-warmer", "cache_warmer", "Mirasvit", "CacheWarmer")
| project TimeGenerated, Computer, cIP, csMethod, csUriStem, scStatus, UserAgent=csUserAgent, requestUri_s

Positive signal: unauthenticated or unusual admin-adjacent traffic hitting Cache Warmer routes after KEV publication. False positives include legitimate cache prewarming jobs from known internal IPs.

Splunk: Magento logs

index=magento OR index=web earliest="06/03/2026:00:00:00"
("mirasvit/module-cache-warmer" OR "CacheWarmer" OR "cache-warmer" OR "cache_warmer" OR "CVE-2026-45247")
| table _time host source sourcetype clientip user method uri status useragent message

Positive signal: Cache Warmer errors, admin activity, or route traffic from unexpected clients. Escalate when paired with admin login anomalies, new admin users, extension file changes, or checkout/payment template modifications.

Downstream Abuse Audits

Audit Magento admin users, API integrations, OAuth tokens, deployment keys, cron jobs, modified PHP files, checkout templates, payment gateway configuration, and recent order export activity. Preserve composer.lock, deployed module files, web logs, WAF logs, Magento logs, and admin account exports before cleanup.

Remediation Gates

1. Upgrade mirasvit/module-cache-warmer to 1.11.12 or later across production, staging, build images, and release artifacts.
2. Restrict Magento admin access and review all admin sessions and user changes since 2026-06-03.
3. Rotate Magento admin credentials, API tokens, deployment keys, and payment-provider credentials when compromise is confirmed or logs are incomplete.
4. Verify ecommerce integrity: no unauthorized PHP files, cron jobs, layout XML changes, JavaScript checkout changes, or payment configuration changes.

Sources

1. CISA Known Exploited Vulnerabilities catalog
2. NVD: CVE-2026-45247
3. Packagist: mirasvit/module-cache-warmer
4. Adobe Commerce extension installation guidance