Mirasvit Cache Warmer CVE-2026-45247 Added to KEV

Suspected
Discovered Jun 5, 2026

CISA added Mirasvit Cache Warmer for Magento 2 CVE-2026-45247 to KEV on 2026-06-03. Adobe Commerce and Magento operators should verify Cache Warmer versions, collect admin and web logs, and hunt for suspicious module and admin activity.

0
Affected Packages
3
Observables
4
Sources

Defender Action Panel

Triage this incident quickly

Check whether your environment installed affected software, copy the top IOCs, run the tested hunting script when available, then review remediation guidance.

Am I affected?
Review affected software below
Immediate action
Audit locks, CI runners, developer workstations, and credential exposure.
Hunting
Has hunting script
debug[.]log
system[.]log
exception[.]log

Analysis

Executive Summary

CISA added CVE-2026-45247 to the Known Exploited Vulnerabilities catalog on 2026-06-03, with a federal remediation due date of 2026-06-24 [cisa.gov opens in a new tab]. The affected component is Mirasvit Cache Warmer for Magento 2, a Magento / Adobe Commerce extension commonly deployed on ecommerce sites.

This post is scoped as an exploited-vulnerability response item rather than a confirmed package-publish compromise. The supply-chain relevance is operational: a third-party Magento module running inside an ecommerce application can become the exploited boundary for admin abuse, web-tier persistence, order-data exposure, payment-flow modification, or credential theft. Operators should verify whether mirasvit/module-cache-warmer is installed and update to 1.11.12 or later where the module is present [nvd.nist.gov opens in a new tab] [packagist.org opens in a new tab].

Source-Watcher Candidate Queue — research metadata

Candidate Id: mirasvit-cache-warmer-cve-2026-45247-kev

First Seen: 2026-06-03

Decision: publish_ready

Relationship: standalone_kev

Dedupe Keys:

  • cve:CVE-2026-45247
  • composer:mirasvit/module-cache-warmer
  • vendor:Mirasvit
  • product:Magento 2 Cache Warmer

Starting Sources:

  • CISA KEV
  • Mirasvit release metadata
  • NVD
  • Adobe Commerce / Magento extension ecosystem documentation

Key Facts

Cve: CVE-2026-45247

Vendor: Mirasvit

Product: Cache Warmer for Magento 2

Composer Package: mirasvit/module-cache-warmer

Kev Added: 2026-06-03

Kev Due: 2026-06-24

Fixed Version: 1.11.12

Platform:

  • Magento 2
  • Adobe Commerce

High Value Evidence:

  • composer.lock
  • composer.json
  • vendor/mirasvit/module-cache-warmer/composer.json
  • var/log
  • web server access logs
  • Magento admin audit evidence

Evidence Assessment

Analysis table
ClaimStatusEvidence
CISA added CVE-2026-45247 to KEV on 2026-06-03.confirmedCISA's KEV catalog is the authoritative exploited-vulnerability source for this post [cisa.gov opens in a new tab].
The affected component is Mirasvit Cache Warmer for Magento 2.confirmedNVD and package metadata identify the product and package family [nvd.nist.gov opens in a new tab] [packagist.org opens in a new tab].
Version 1.11.12 is the fixed floor used by this post's hunting script.confirmedPublic package metadata and advisory references identify 1.11.12 as the remediation target [nvd.nist.gov opens in a new tab] [packagist.org opens in a new tab].
Public sources currently identify a specific ransomware family or victim list.not_observedReviewed public sources do not provide a verified campaign name, victim count, or exploit-chain detail.

Impact Determination

Analysis table
ClassificationCriteriaRequired evidenceHandling decisionClosure condition
Confirmed compromiseUnpatched Cache Warmer plus suspicious admin, module, webshell, order, payment, or file-write evidence.Version evidence, web logs, Magento logs, admin user history, filesystem changes, WAF alerts, and payment-flow review.Preserve evidence, restrict admin access, update module, rotate credentials, and inspect ecommerce integrity.Fixed module, clean admin review, no unauthorized file/payment changes, and rotated credentials.
Presumed exposedInstalled Cache Warmer below 1.11.12 or version unknown on internet-exposed Magento.Composer inventory, module file paths, and public exposure evidence.Update immediately and collect logs around KEV disclosure.Version proof at 1.11.12 or later and negative log review.
Potentially exposedMagento estate may include Mirasvit Cache Warmer but inventory is incomplete.Commerce asset inventory, Composer lockfiles, deployment manifests, and extension lists.Inventory all Magento applications and extensions.Each site is dispositioned as confirmed, presumed, or not exposed.
Not exposedNo Mirasvit Cache Warmer package or module path exists in complete Magento estate inventory.Negative Composer and filesystem evidence.Preserve negative search results.Coverage includes production, staging, build images, and release artifacts.
UnknownComposer, deployment, logs, or admin evidence is missing.Named gap with owner and retention window.Keep site and admin credentials in scope until evidence or rotation closes the gap.Evidence is recovered or risk owner accepts residual uncertainty.

Timeline

  • 2026-06-03: CISA adds CVE-2026-45247 to KEV with a 2026-06-24 remediation due date [cisa.gov opens in a new tab].
  • 2026-06-05: This Halting Problems refresh found no existing local post for CVE-2026-45247 and created this Magento-focused hunting report.

Indicators of Compromise

The following indicators of compromise (IOCs) can be used to scope exposure across local repositories, systems, and telemetry exports:

Domains

  • system.log
  • exception.log
  • debug.log

Downstream Abuse Audits

Compromised workstations expose active API credentials, requiring immediate rotated revocation. The following platforms are at risk:

  • GitHub OIDC and PATs: Attackers harvested SSH private keys and Git Personal Access Tokens. Auditors must inspect recent action runs and release logs during the exposure window.
  • Cloud IAM Credentials: AWS, Azure, and GCP session tokens. CloudTrail and Activity Logs should be queried for AssumeRole or write operations originating from unexpected IP addresses.
  • NPM and Package Registries: Publishing tokens and credentials. Registry profiles must be audited for unauthorized version publishes or token additions.

Remediation and Closure

  1. Upgrade mirasvit/module-cache-warmer to 1.11.12 or later across production, staging, build images, and release artifacts.
  2. Restrict Magento admin access and review all admin sessions and user changes since 2026-06-03.
  3. Rotate Magento admin credentials, API tokens, deployment keys, and payment-provider credentials when compromise is confirmed or logs are incomplete.
  4. Verify ecommerce integrity: no unauthorized PHP files, cron jobs, layout XML changes, JavaScript checkout changes, or payment configuration changes.

Timeline

4 of 4 rows

Timeline
DateEventDescriptionSource
Jun 5, 2026DiscoveryDiscovery recorded for Mirasvit Cache Warmer CVE-2026-45247 Added to KEV.nvd.nist.gov
Jun 5, 2026DisclosureDisclosure recorded for Mirasvit Cache Warmer CVE-2026-45247 Added to KEV.nvd.nist.gov
Jun 5, 2026First seenFirst seen recorded for Mirasvit Cache Warmer CVE-2026-45247 Added to KEV.nvd.nist.gov
Jun 5, 2026Mirasvit Cache Warmer CVE-2026-45247 Added to KEVUnknownnvd.nist.gov

Affected Software

0 of 0 rows

Affected Software
PackageEcosystemVersion RangeStatusConfidenceSource
No rows match the active filters.

IOC Clipboard

3 IOCs
domaindebug.log
domainsystem.log
domainexception.log

Tested Hunting Scripts

1 of 1 rows

Tested Hunting Scripts
TitleLanguageDescriptionRepositorySource
local repository and exported telemetry scopePythonDoes the telemetry scope contain patterns associated with Mirasvit Cache Warmer CVE-2026-45247 Added to KEV?scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabnvd.nist.gov

Hunt Manifest: local repository and exported telemetry scope

Title
local repository and exported telemetry scope
Question
Does the telemetry scope contain patterns associated with Mirasvit Cache Warmer CVE-2026-45247 Added to KEV?
Telemetry Family
Python
Repository
scripts/local_repository_and_exported_telemetry_scope.py
Show tested hunting scriptscripts/local_repository_and_exported_telemetry_scope.py
scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabPython
#!/usr/bin/env python3
import os
import sys
from pathlib import Path

ROOT = sys.argv[1] if len(sys.argv) > 1 else "."
LOG_ROOT = os.environ.get("LOG_ROOT", "")
OUT = Path(os.environ.get("OUT", "hp-mirasvit-cache-warmer-cve-2026-45247-kev-scope"))

DOMAINS = ["system.log","exception.log","debug.log"]

# Collect unique indicators
indicators = set()
for group in [DOMAINS]:
    for val in group:
        if val:
            indicators.add(val)

with open(indicators_file, "w") as f:
    for ind in sorted(indicators):
        f.write(ind + "\n")

print(f"[+] Written unique selectors to {indicators_file}")

# Walk local directory
print(f"[+] Scanning directory: {ROOT} for selectors...")
matches = []
exclude_dirs = {"node_modules", "vendor", "dist", ".git"}
for root, dirs, filenames in os.walk(ROOT):
    dirs[:] = [d for d in dirs if d not in exclude_dirs]
    for filename in filenames:
        filepath = Path(root) / filename
        try:
            content = filepath.read_text(errors="ignore")
            for ind in indicators:
                if ind in content:
                    matches.append(f"{filepath}: found '{ind}'")
        except Exception:
            pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here

if matches:
    (OUT / "repository-indicator-matches.txt").write_text("\n".join(matches) + "\n")
    print(f"[!] Found {len(matches)} matches in codebase!")

# Optional Log Scanning
if LOG_ROOT and os.path.exists(LOG_ROOT):
    print(f"[+] Scanning telemetry log directory: {LOG_ROOT}...")
    log_matches = []
    for root, _, filenames in os.walk(LOG_ROOT):
        for filename in filenames:
            filepath = Path(root) / filename
            try:
                content = filepath.read_text(errors="ignore")
                for ind in indicators:
                    if ind in content:
                        log_matches.append(f"{filepath}: found '{ind}'")
            except Exception:
                pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here
    if log_matches:
        (OUT / "exported-telemetry-indicator-matches.txt").write_text("\n".join(log_matches) + "\n")
        print(f"[!] Found {len(log_matches)} matches in logs!")

    if PACKAGES:
        registry_dir = OUT / "registry"
        registry_dir.mkdir(exist_ok=True)

print(f"[+] Wrote scope artifacts under {OUT}")

Provenance & Sources

4 of 4 rows

Provenance & Sources
SourceTypeReliabilityClaimsEvidence
nvd.nist.govSecurity Researcher95%1CISA added Mirasvit Cache Warmer for Magento 2 CVE-2026-45247 to KEV on 2026-06-03. Adobe Commerce and Magento operators should verify Cache Warmer versions, collect admin and web logs, and hunt for suspicious module and admin activity.
experienceleague.adobe.comSecurity Researcher95%1CISA added Mirasvit Cache Warmer for Magento 2 CVE-2026-45247 to KEV on 2026-06-03. Adobe Commerce and Magento operators should verify Cache Warmer versions, collect admin and web logs, and hunt for suspicious module and admin activity.
cisa.govSecurity Researcher95%1CISA added Mirasvit Cache Warmer for Magento 2 CVE-2026-45247 to KEV on 2026-06-03. Adobe Commerce and Magento operators should verify Cache Warmer versions, collect admin and web logs, and hunt for suspicious module and admin activity.
packagist.orgSecurity Researcher95%1CISA added Mirasvit Cache Warmer for Magento 2 CVE-2026-45247 to KEV on 2026-06-03. Adobe Commerce and Magento operators should verify Cache Warmer versions, collect admin and web logs, and hunt for suspicious module and admin activity.