Detect Mirasvit Full Page Cache Warmer Deserialization RCE (CVE-2026-45247) in Microsoft Sentinel
Detects exploitation of CVE-2026-45247, a deserialization of untrusted data vulnerability in the Mirasvit Full Page Cache Warmer Magento extension. Successful exploitation allows remote attackers to execute arbitrary code by sending crafted serialized PHP objects to vulnerable endpoints. This CVE is listed in CISA KEV, indicating active exploitation in the wild.
MITRE ATT&CK
- Tactic
- Initial Access Execution Persistence
KQL Detection Query
let suspiciousPatterns = dynamic(['/cache-warmer/', '/mirasvit/cachewarmer/', 'O:', 'C:', 'rO0']);
let timeWindow = 1h;
union
(
W3CIISLog
| where TimeGenerated >= ago(timeWindow)
| where csUriStem has_any ('/cache-warmer/', '/mirasvit/', '/cachewarmer/')
| where csMethod in ('POST', 'PUT')
| where csBytes > 500
| extend SuspiciousPayload = csUriQuery has_any ('O:', 'C:', 'rO0') or csBytes > 5000
| project TimeGenerated, csHost, csMethod, csUriStem, csUriQuery, csBytes, cIP = csClientIP, scStatus, SuspiciousPayload
),
(
AzureDiagnostics
| where TimeGenerated >= ago(timeWindow)
| where Category == 'ApplicationGatewayAccessLog'
| where requestUri_s has_any ('/cache-warmer/', '/mirasvit/', '/cachewarmer/')
| where httpMethod_s in ('POST', 'PUT')
| project TimeGenerated, Host = hostname_s, Method = httpMethod_s, Uri = requestUri_s, ClientIP = clientIP_s, Status = httpStatus_d
),
(
SecurityAlert
| where TimeGenerated >= ago(timeWindow)
| where AlertName has_any ('deserialization', 'php', 'magento')
)
| summarize RequestCount = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by tostring(cIP), csHost, csUriStem
| where RequestCount >= 1Detects HTTP requests targeting Mirasvit Full Page Cache Warmer endpoints with characteristics consistent with PHP deserialization exploitation, including POST/PUT methods to warmer paths and large or suspicious payloads. Also correlates with WAF and security alert signals.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate cache warming bots or crawlers sending POST requests to warmer endpoints
- Security scanners performing vulnerability assessments against the Magento store
- Internal load testing tools targeting cache warmer URLs with large payloads
- Magento cron jobs legitimately warming the page cache via POST requests
Other platforms for CVE-2026-45247
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Deserialization Probe to Cache Warmer Endpoint
Expected signal: POST request to /mirasvit/cachewarmer/collect visible in web access logs with payload containing 'O:8:' serialization marker; HTTP response code logged
- Test 2PHP Deserialization Gadget Chain Simulation (Lab)
Expected signal: PHP CLI process spawned with command-line containing unserialize() — visible in auditd execve records or CrowdStrike process telemetry
- Test 3Web Shell Drop Simulation Following Deserialization RCE
Expected signal: File creation event in /var/www/html/pub/ for a .php file by the web server user (www-data or nginx); auditd CREATE record or Falcon sensor file event
Unlock Pro Content
Get the full detection package for CVE-2026-45247 including response playbook, investigation guide, and atomic red team tests.