CVE-2026-45247

Mirasvit Full Page Cache Warmer Deserialization RCE (CVE-2026-45247)

Detects exploitation of CVE-2026-45247, a deserialization of untrusted data vulnerability in the Mirasvit Full Page Cache Warmer Magento extension. Successful exploitation allows remote attackers to execute arbitrary code by sending crafted serialized PHP objects to vulnerable endpoints. This CVE is listed in CISA KEV, indicating active exploitation in the wild.

Vulnerability Intelligence

KEV — Known Exploited

Affected Software

Vendor
Mirasvit
Product
Mirasvit Full Page Cache Warmer

Weakness (CWE)

Timeline

Disclosed
June 3, 2026

CVSS

Unscored
Write-up coming soon

What is CVE-2026-45247 (Mirasvit Full Page Cache Warmer Deserialization RCE)?

Mirasvit Full Page Cache Warmer Deserialization RCE (CVE-2026-45247) maps to the MITRE ATT&CK tactics Initial Access, Execution and Persistence (the adversary is trying to get into your network).

This page provides production-ready detection logic for Mirasvit Full Page Cache Warmer Deserialization RCE (CVE-2026-45247), covering the data sources and telemetry it touches: W3CIISLog, AzureDiagnostics, SecurityAlert, CommonSecurityLog. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Initial Access, Execution, Persistence
Microsoft Sentinel / Defender
kusto
// Endpoint prefixes and payload markers used across all three sources
let warmerPaths = dynamic(['/cache-warmer/', '/mirasvit/', '/cachewarmer/']);
// Note: bare 'O:' / 'C:' (PHP object markers) and 'rO0' (base64 Java stream header) are broad; tune against the false positives listed below
let suspiciousPatterns = dynamic(['O:', 'C:', 'rO0']);
let timeWindow = 1h;
union
(
  // IIS access logs: POST/PUT to warmer endpoints with a non-trivial body
  W3CIISLog
  | where TimeGenerated >= ago(timeWindow)
  | where csUriStem has_any (warmerPaths)
  | where csMethod in ('POST', 'PUT')
  | where csBytes > 500
  | extend SuspiciousPayload = csUriQuery has_any (suspiciousPatterns) or csBytes > 5000
  | project TimeGenerated, Source = 'W3CIISLog', Host = csHost, Method = csMethod, Uri = csUriStem, ClientIP = cIP, Status = toint(scStatus), SuspiciousPayload
),
(
  // Application Gateway access logs: same endpoint and method filter, normalised to the same column names
  AzureDiagnostics
  | where TimeGenerated >= ago(timeWindow)
  | where Category == 'ApplicationGatewayAccessLog'
  | where requestUri_s has_any (warmerPaths)
  | where httpMethod_s in ('POST', 'PUT')
  | project TimeGenerated, Source = 'AzureDiagnostics', Host = hostname_s, Method = httpMethod_s, Uri = requestUri_s, ClientIP = clientIP_s, Status = toint(httpStatus_d), SuspiciousPayload = requestUri_s has_any (suspiciousPatterns)
),
(
  // Security alerts referring to deserialization, PHP or Magento, carried along for correlation
  SecurityAlert
  | where TimeGenerated >= ago(timeWindow)
  | where AlertName has_any ('deserialization', 'php', 'magento')
  | project TimeGenerated, Source = 'SecurityAlert', Host = CompromisedEntity, Method = '', Uri = AlertName, ClientIP = '', Status = int(null), SuspiciousPayload = true
)
| summarize RequestCount = count(), SuspiciousCount = countif(SuspiciousPayload), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by Source, ClientIP, Host, Uri

Detects HTTP requests targeting Mirasvit Full Page Cache Warmer endpoints with characteristics consistent with PHP deserialization exploitation, including POST/PUT methods to warmer paths and large or suspicious payloads. Also correlates with WAF and security alert signals.

Severity: critical. Confidence: medium.

Data Sources

W3CIISLog, AzureDiagnostics, SecurityAlert, CommonSecurityLog

Required Tables

W3CIISLog, AzureDiagnostics, SecurityAlert

False Positives

  • Legitimate cache warming bots or crawlers sending POST requests to warmer endpoints
  • Security scanners performing vulnerability assessments against the Magento store
  • Internal load testing tools targeting cache warmer URLs with large payloads
  • Magento cron jobs legitimately warming the page cache via POST requests
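The query above matches bare `O:` and `C:` markers, which is exactly what makes the false positives listed here likely. As an added example that is not part of the original page, the following Python applies the same endpoint and payload-size heuristics to a constructed W3C access log but anchors on the full PHP serialized-object prefix (`O:<len>:"<class>":<n>:{`); the log lines, IP addresses and class name are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Endpoint prefixes and payload-size threshold taken from the page's KQL detection.
WARMER_PATHS = ("/cache-warmer/", "/mirasvit/", "/cachewarmer/")
LARGE_BODY_BYTES = 5000

# A PHP serialized object starts O:8:"ClassName":2:{ (C:...:{ for custom-serialized
# classes). Requiring the whole prefix avoids matching a bare "O:" or "C:", which
# also appears in ordinary query strings (e.g. ".../LOGO:1/...").
PHP_OBJECT_RE = re.compile(r'(?<![A-Za-z0-9])[OC]:\d+:"[A-Za-z_\\][A-Za-z0-9_\\]*":\d+:\{')

# Field order of the constructed sample below (mirrors a W3C extended #Fields line).
FIELDS = ["date", "time", "cs-method", "cs-uri-stem", "cs-uri-query",
          "c-ip", "sc-status", "cs-bytes"]

def parse_w3c(line):
    """Return one log line as a dict keyed by FIELDS, or None for directives/blanks."""
    if line.startswith("#") or not line.strip():
        return None
    parts = line.split()
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def classify(rec):
    """Reasons a request to a warmer endpoint looks like deserialization abuse."""
    if rec["cs-method"] not in ("POST", "PUT") or not any(p in rec["cs-uri-stem"] for p in WARMER_PATHS):
        return []
    # IIS logs the query percent-encoded; decode before pattern matching.
    query = "" if rec["cs-uri-query"] == "-" else unquote_plus(rec["cs-uri-query"])
    reasons = []
    if PHP_OBJECT_RE.search(query):
        reasons.append("php-object-marker")
    if int(rec["cs-bytes"]) > LARGE_BODY_BYTES:
        reasons.append("large-body")
    return reasons

def scan(log_text):
    """List (client_ip, uri_stem, reasons) for every suspicious request in the log."""
    hits = []
    for rec in filter(None, map(parse_w3c, log_text.splitlines())):
        reasons = classify(rec)
        if reasons:
            hits.append((rec["c-ip"], rec["cs-uri-stem"], reasons))
    return hits

# Constructed sample: IPs are documentation ranges, the class name is made up.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status cs-bytes
2026-06-04 10:00:01 POST /mirasvit/cachewarmer/collect data=O%3A8%3A%22Demo_Obj%22%3A1%3A%7Bs%3A3%3A%22url%22%3Bs%3A1%3A%22%2F%22%3B%7D 198.51.100.7 200 812
2026-06-04 10:00:02 POST /mirasvit/cachewarmer/collect url=/catalog/LOGO:1/view 192.0.2.10 200 640
2026-06-04 10:00:03 GET /mirasvit/cachewarmer/collect data=O%3A8%3A%22Demo_Obj%22%3A0%3A%7B%7D 198.51.100.7 200 120
2026-06-04 10:00:04 PUT /cache-warmer/queue - 203.0.113.5 200 9000
"""
```

Running `scan(SAMPLE_LOG)` flags the first and last requests only; the second line carries a bare `O:` substring and stays quiet, which the KQL pattern list would not.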

Sigma rule & cross-platform mapping

The detection logic for Mirasvit Full Page Cache Warmer Deserialization RCE (CVE-2026-45247) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps) and LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  product: azure

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate Deserialization Probe to Cache Warmer Endpoint

    Expected signal: POST request to /mirasvit/cachewarmer/collect visible in web access logs with payload containing 'O:8:' serialization marker; HTTP response code logged

  2. Test 2: PHP Deserialization Gadget Chain Simulation (Lab)

    Expected signal: PHP CLI process spawned with command-line containing unserialize() — visible in auditd execve records or CrowdStrike process telemetry

  3. Test 3: Web Shell Drop Simulation Following Deserialization RCE

    Expected signal: File creation event in /var/www/html/pub/ for a .php file by the web server user (www-data or nginx); auditd CREATE record or Falcon sensor file event
