CISA adds Mirasvit deserialization flaw to KEV Catalog
For FCEB agencies, the catalog entry turns a patch priority into a BOD 22-01 compliance deadline.
TL;DR
CISA added CVE-2026-45247, a Mirasvit Full Page Cache Warmer deserialization of untrusted data flaw, to the Known Exploited Vulnerabilities Catalog based on active exploitation. Binding Operational Directive 22-01 requires Federal Civilian Executive Branch agencies to remediate KEV-listed vulnerabilities by the applicable due date. Contractors and vendors supporting FCEB systems should coordinate patching, but CISA’s alert does not state a specific due date or workaround.
CISA’s June 3 alert is a routine KEV update with direct compliance consequences. CVE-2026-45247 now sits in the Known Exploited Vulnerabilities Catalog, which means Federal Civilian Executive Branch agencies have to remediate it under Binding Operational Directive 22-01 by the applicable catalog due date. For contractors and vendors operating or supporting affected FCEB environments, the Monday task is practical: confirm exposure to Mirasvit Full Page Cache Warmer, check vendor remediation guidance, and align patch timing with the agency’s BOD 22-01 deadline. The alert itself does not provide a workaround or the specific due date.
Published ·Updated ·Deep Fathom