
Overview
CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. The first two are CVE-2022-0492, a Linux Kernel Improper Authentication vulnerability, and CVE-2025-48595, an Android Framework Integer Overflow vulnerability. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risks to the federal enterprise. Separately, CISA also catalogued CVE-2026-45247, a critical unauthenticated RCE in a widely deployed Magento extension. Three CVEs, three distinct attack surfaces, one unified urgency signal from CISA.
CVE-2026-45247 — Mirasvit Full Page Cache Warmer (Magento) Deserialization RCE
CVSS: 9.8 (Critical)
Type: Deserialization of Untrusted Data
Affected Versions: Mirasvit Cache Warmer < 1.11.12
Fixed Version: 1.11.12 (released May 25, 2026)
BOD 22-01 Federal Deadline: June 6, 2026
CVE-2026-45247 is a deserialization of untrusted data vulnerability in Mirasvit Full Page Cache Warmer, a popular Magento full-page cache extension. It could be exploited by unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. The shortcoming impacts all versions of the extension prior to version 1.11.12.
Exploitation in the Wild
Exploitation activity has primarily targeted gaming and business sites, with the US, UK, France, and Australia emerging as the most targeted countries. It is currently not known who is behind the exploitation efforts, although the end goal appears to be flagging vulnerable Magento environments and confirming that remote code execution is possible.
Detection Indicator
To detect potential exploitation attempts, site owners are advised to audit storefront requests that carry a CacheWarmer cookie whose value contains the marker “CacheWarmer:” followed by a Base64-encoded string. Serialized PHP objects Base64-encode to recognisable patterns that can be matched via WAF rules or log inspection.
Exploitation Mechanics
The attack path is zero-authentication, zero-interaction. An attacker crafts a malicious serialized PHP object, encodes it in Base64, and injects it as the CacheWarmer cookie value in a standard storefront HTTP request. The server deserializes the object while processing its cache-warming logic, triggering arbitrary PHP code execution with web server privileges. No account, no session, and no prior foothold are required. This is a network-reachable RCE on any unpatched Magento deployment running the affected extension.
CVE-2022-0492 — Linux Kernel cgroups v1 Container Escape
CVSS: 7.0 (High)
Type: Improper Authentication / Privilege Escalation
Component: Linux Kernel — cgroups v1 release_agent functionality
BOD 22-01 Federal Deadline: June 5, 2026
CVE-2022-0492 can be exploited by an attacker to escape a container and execute arbitrary commands on the container host. The flaw resides in the cgroups v1 release_agent functionality, which is executed after the termination of any process in the group. The issue is a privilege escalation flaw affecting the Linux kernel feature called control groups (cgroups), which limits, accounts for, and isolates the resource usage — CPU, memory, disk I/O, network — of a collection of processes.
Why a 2022 CVE Is Being KEV-Listed in 2026
This is a critical nuance. CVE-2022-0492 was patched four years ago — but CISA’s KEV addition in June 2026 confirms it is still being actively weaponised in real-world attacks. The most likely reason: container escape vulnerabilities have surged in operational relevance as Kubernetes, Docker, and containerised workloads became ubiquitous across enterprise and cloud environments. Unpatched or legacy Linux kernel deployments — particularly in cloud VMs, IoT infrastructure, embedded systems, and long-lifecycle enterprise servers — remain exploitable. The KEV listing is CISA’s signal that threat actors are actively scanning for and exploiting this gap right now.
Container Escape Mechanics
The release_agent file in cgroups v1 specifies a path to a program that the kernel executes when the last process in a cgroup exits. Under certain misconfigurations or insufficient namespace isolation, a container with write access to the release_agent path can inject a command that executes with host-level privileges upon process exit — effectively escaping the container boundary entirely. This is a well-documented container breakout primitive that has appeared in multiple real-world attack chains against Kubernetes clusters and cloud-native infrastructure.
CVE-2025-48595 — Android Framework Integer Overflow (Zero-Day)
CVSS: 8.4 (High)
Type: Integer Overflow → Local Privilege Escalation
Component: Android Framework
Affected Versions: Android 14, 15, 16, 16-QPR2
BOD 22-01 Federal Deadline: June 5 / June 23, 2026
CVE-2025-48595 is a high-severity integer overflow vulnerability in the Android Framework that allows attackers to execute arbitrary code and escalate local privileges on affected Android devices. CISA added this vulnerability to the KEV catalog on June 2, 2026, with a remediation due date of June 23, 2026, giving federal agencies a tight three-week window to apply mitigations. While ransomware campaign ties remain unconfirmed, the active exploitation status makes this a high-priority threat for both government and enterprise environments.
Enterprises managing large Android fleets — including MDM environments, BYOD deployments, and Android-based industrial or kiosk systems — face elevated risk due to the potential for local code execution.
A full technical breakdown of this vulnerability, including its exploitation mechanics, threat actor profile, and OEM fragmentation implications, was covered in TheCyberThrone’s June 2026 Android Security Bulletin advisory. The KEV addition formally extends the remediation mandate beyond federal civilian agencies to any organisation treating BOD 22-01 as a baseline vulnerability management standard.
Remediation
CVE-2026-45247 (Magento/Mirasvit):
- Update Mirasvit Full Page Cache Warmer to version 1.11.12 immediately
- Audit web server logs for CacheWarmer cookies carrying Base64-encoded serialized PHP object patterns
- Deploy WAF rules to inspect and block malformed CacheWarmer cookie values at the perimeter
- Treat any unpatched public-facing Magento deployment running this extension as actively compromised until verified otherwise
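The log audit described under Detection Indicator and in the list above can be scripted as follows. This is an added example, not code from CISA, Mirasvit or the original advisory; it assumes an access-log format that records the Cookie header as a quoted field, and the sample lines are constructed.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Cookie name and marker are from the advisory; the log layout is an assumption.
COOKIE_RE = re.compile(r'(?<![\w-])CacheWarmer=([^;\s"]+)')
MARKER = "CacheWarmer:"
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
# PHP serialize() emits objects as O:<len>:"Class":<n>: (C: for Serializable),
# either at the start of the string or nested after ';' or '{'.
PHP_OBJECT_RE = re.compile(rb'(?:^|[;{])[OC]:\d+:"[A-Za-z0-9_\\]+":\d+:')

def classify_cookie(value):
    """Return 'object', 'marker' or None for one CacheWarmer cookie value."""
    value = unquote(value)                      # cookies are often %-encoded
    pos = value.find(MARKER)
    m = B64_RE.match(value, pos + len(MARKER)) if pos >= 0 else None
    if not m:
        return None                             # no marker, or no Base64 run
    blob = m.group(0)
    try:                                        # tolerate stripped padding
        decoded = base64.b64decode(blob + "=" * (-len(blob) % 4))
    except (binascii.Error, ValueError):
        return "marker"
    return "object" if PHP_OBJECT_RE.search(decoded) else "marker"

def scan_log(lines):
    """Return (line_number, verdict) for every line worth reviewing."""
    hits = []
    for no, line in enumerate(lines, 1):
        verdicts = map(classify_cookie, COOKIE_RE.findall(line))
        hits += [(no, v) for v in verdicts if v]
    return hits

def _cookie(payload):                           # builds constructed test data
    return "CacheWarmer=" + MARKER + base64.b64encode(payload).decode()

LOG = '{ip} - - [01/Jun/2026:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "{c}"'
SAMPLE_LOG = [                                  # constructed, not real traffic
    LOG.format(ip="203.0.113.7", c="PHPSESSID=abc; form_key=xyz"),
    LOG.format(ip="198.51.100.9", c=_cookie(b'O:8:"stdClass":0:{}')),
    LOG.format(ip="198.51.100.9", c=_cookie(b'{"page":"home"}').replace(":", "%3A")),
]

if __name__ == "__main__":
    for no, verdict in scan_log(SAMPLE_LOG):
        print(f"line {no}: {verdict}")
```

A verdict of "object" means the decoded value contains a serialized PHP object and should be treated as an exploitation attempt; "marker" means the marker and a Base64 run are present and the request still deserves review.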
CVE-2022-0492 (Linux Kernel):
- Apply vendor-supplied kernel patches for the affected cgroups v1 release_agent vulnerability
- Audit containerised workloads for cgroups v1 configurations — consider migrating to cgroups v2 where operationally feasible
- Review Kubernetes and Docker runtime configurations for over-permissive namespace and cgroup settings
- Prioritise patching for cloud VMs, container hosts, and any long-lifecycle Linux deployments where kernel versions have not been updated
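One way to start the cgroups v1 audit above is to list every v1 hierarchy visible to a workload and check whether its release_agent file is writable from there. This is an added example, not part of the original advisory; the function names and the sample mount table are constructed, and the check reports mount state only, not the kernel patch level.

```python
import os

def cgroup_mounts(mounts_text):
    """Parse /proc/mounts-style text into records for cgroup v1/v2 mounts."""
    records = []
    for line in mounts_text.splitlines():
        fields = line.split()
        # Fields: device, mount point, fstype, options, dump, pass
        if len(fields) < 4 or fields[2] not in ("cgroup", "cgroup2"):
            continue
        records.append({
            "path": fields[1],
            "version": 1 if fields[2] == "cgroup" else 2,
            "read_only": "ro" in fields[3].split(","),
        })
    return records

def audit_release_agent(mounts_text, can_write=None):
    """Return (mount_path, status) for every cgroup v1 hierarchy.

    can_write is injectable so the logic can be tested off-host; by default
    it asks the OS whether this process may write the file.
    """
    can_write = can_write or (lambda p: os.access(p, os.W_OK))
    findings = []
    for rec in cgroup_mounts(mounts_text):
        if rec["version"] != 1:
            continue                      # release_agent is a cgroups v1 file
        agent = os.path.join(rec["path"], "release_agent")
        writable = not rec["read_only"] and can_write(agent)
        findings.append((rec["path"], "writable" if writable else "not-writable"))
    return findings

# Constructed sample in /proc/mounts format, not taken from a real host.
SAMPLE_MOUNTS = """\
cgroup2 /sys/fs/cgroup/unified cgroup2 rw,nosuid,nodev,noexec,relatime 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0
cgroup /sys/fs/cgroup/rdma cgroup ro,nosuid,nodev,noexec,relatime,rdma 0 0
"""

if __name__ == "__main__":
    try:
        with open("/proc/mounts") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_MOUNTS              # fall back to the sample off-Linux
    for path, status in audit_release_agent(text):
        print(f"{path}: release_agent {status}")
```

Run inside a container image or pod, a "writable" result marks a workload that should be prioritised for kernel patching and runtime hardening; an empty result means no cgroups v1 hierarchy is mounted in that view.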
CVE-2025-48595 (Android Framework):
- Apply Android June 2026 patch level 2026-06-05 across all managed device fleets
- Enterprises managing large Android fleets including MDM environments and BYOD deployments should prioritise remediation given the local code execution risk
- Enforce restrictions on sideloading APKs from unknown sources across managed devices
- Keep Google Play Protect enabled across the fleet
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organisations to reduce their exposure to cyberattacks by prioritising timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice.



