ELEVATED 5 min read 4 Jun 2026

Mirasvit CVE-2026-45247 Enters CISA KEV as PAN-OS and TA4922 Pressure Builds

Today's intelligence is consolidated into six priority findings plus updates to ongoing stories. The strongest action is a CISA KEV-driven check for Mirasvit Full Page Cache Warmer CVE-2026-45247, followed by exposed PAN-OS gateways and TA4922 hunting.

Key findings

  • Finding 1 (High): Mirasvit Full Page Cache Warmer CVE-2026-45247 enters CISA KEV
  • Finding 2 (High): PAN-OS GlobalProtect CVE-2026-0257 is CISA KEV-listed and back in incident-routing scope
  • Finding 3 (Medium): TA4922 Atlas RAT targeting reaches Britain and Germany
  • Finding 4 (Low): BSI advisories create a QEMU, automation, security-ops, CMS, and delivery-tool queue
  • Finding 5 (Low): Developer and research-platform dependencies need SBOM matching before escalation
  • Finding 6 (Low): Acer Wave 7 and Gemini notification hijack remain low-confidence but actionable hygiene items
  • Updates to ongoing stories (Low): WinRAR CVE-2025-8088 (CISA KEV since 12 August 2025) gains an attribution update, with The Hacker News reporting Gamaredon-linked use against Ukraine


Finding 1: Mirasvit Full Page Cache Warmer CVE-2026-45247 enters CISA KEV

Confidence: High

CISA's Known Exploited Vulnerabilities catalogue lists CVE-2026-45247 in Mirasvit Full Page Cache Warmer. Today's intelligence treats this as the lead because the exploitation signal is government-confirmed, not merely feed-level reporting.

The practical question is exposure. Teams running Magento or related e-commerce estates should confirm whether the Mirasvit Full Page Cache Warmer extension is present, check patch or removal options, and review logs for suspicious activity where the extension is deployed.

Action: Make this a P0 applicability check for Magento and e-commerce owners. If the extension is present, move from asset confirmation to remediation and exploitation review the same day.

Source: CISA Known Exploited Vulnerabilities catalogue, CVE-2026-45247.

Finding 2: PAN-OS GlobalProtect CVE-2026-0257 is CISA KEV-listed and back in incident-routing scope

Confidence: High

PAN-OS GlobalProtect CVE-2026-0257 is a Palo Alto Networks authentication bypass listed in CISA's Known Exploited Vulnerabilities catalogue since 29 May 2026, so exploitation is government-confirmed rather than feed-level. Today's intelligence records it as an update with active-exploitation materiality, and The Register reports that exposed Palo Alto VPN environments have moved from advisory tracking into active-exploitation concern.

This should not be treated as generic perimeter patching. Exposed GlobalProtect gateways deserve a separate owner check, with patch or mitigation state tied to incident-response visibility. If a gateway remains exposed and unpatched, the question is no longer only “when is the maintenance window?” It is also “what evidence would show compromise?”

Action: Re-check exposed GlobalProtect gateways, confirm patch or mitigation status, and route unpatched exposure into incident-response review.

Sources: CISA Known Exploited Vulnerabilities catalogue, CVE-2026-0257 (added 29 May 2026); The Register, PAN-OS GlobalProtect active-exploitation reporting.

Finding 3: TA4922 Atlas RAT targeting reaches Britain and Germany

Confidence: Medium

Proofpoint reports that TA4922, a suspected Chinese-speaking cybercrime group, has expanded activity into Europe, including the United Kingdom and Germany. The reporting names Atlas RAT, RomulusLoader, SilentRunLoader, and ValleyRAT, with lures using business, HR, tax, payroll, and invoice themes.

The most useful action is hunting, not general awareness. Today's intelligence includes hashes and infrastructure from the reporting, including a648db354820ea4d02940cb1702b35974513b7aae83f6dffaacaac4ba31f9295, 584a9448dda46bd590d7a2f86228100d2ae6e0d6d990c1a4459ed5ee28e07ae8, 206.238.115.58, 154.211.86.110, 43.156.77.97, and 103.214.172.33.

Action: Hunt those indicators across mail, EDR, proxy, DNS, and firewall telemetry. Pay particular attention to GoFile ZIP lures, DLL sideloading, HR-themed emails, and Germany or UK tax-themed social engineering.
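As an added illustration of the hunt described above (example code, not part of the brief or of Proofpoint's reporting), the script below matches the indicators quoted in this finding against mixed telemetry lines. The indicators are the SHA-256 hashes and IP addresses listed above; the log layout (a source tag followed by key=value fields), the hostnames, timestamps, file names and the benign addresses are all constructed for this example, and the non-indicator IPs use documentation ranges.

```python
"""Match the TA4922 indicators quoted in the brief against telemetry lines.

Added example, not part of the original brief or of Proofpoint's reporting.
The indicator values are the ones listed in the brief; the log lines and the
"source key=value ..." layout are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Indicators quoted in the brief (Proofpoint TA4922 reporting).
TA4922_SHA256 = {
    "a648db354820ea4d02940cb1702b35974513b7aae83f6dffaacaac4ba31f9295",
    "584a9448dda46bd590d7a2f86228100d2ae6e0d6d990c1a4459ed5ee28e07ae8",
}
TA4922_IPS = {"206.238.115.58", "154.211.86.110", "43.156.77.97", "103.214.172.33"}

SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_indicators(line):
    """Return (hashes, ips) found in one log line, normalised for comparison."""
    hashes = {h.lower() for h in SHA256_RE.findall(line)}  # EDR tools often emit upper-case hex
    ips = set()
    for cand in IPV4_RE.findall(line):
        try:
            ipaddress.IPv4Address(cand)  # drops regex false positives such as 300.1.1.1
        except ipaddress.AddressValueError:
            continue
        ips.add(cand)
    return hashes, ips


def hunt(lines, hashes=TA4922_SHA256, ips=TA4922_IPS):
    """Scan telemetry lines; return [(line_no, source, sorted matched indicators)].

    Each line is expected to start with a source tag (proxy, dns, edr, fw) followed by
    free text. That layout is a constructed convention for this example only.
    """
    hits = []
    for n, line in enumerate(lines, start=1):
        source = line.split(" ", 1)[0]
        found_hashes, found_ips = extract_indicators(line)
        matched = sorted((found_hashes & hashes) | (found_ips & ips))
        if matched:
            hits.append((n, source, matched))
    return hits


def summarise(hits):
    """Group hits by indicator, so one IP seen in proxy, DNS and firewall logs is one pivot."""
    by_indicator = defaultdict(set)
    for _, source, matched in hits:
        for ind in matched:
            by_indicator[ind].add(source)
    return {ind: sorted(srcs) for ind, srcs in by_indicator.items()}


# Constructed sample telemetry: hosts, times, file names and benign addresses are invented.
SAMPLE_LINES = [
    "proxy 2026-06-03T09:14:02Z host=ws-0412 dst=206.238.115.58:443 url=https://206.238.115.58/u/ bytes=51203",
    "dns 2026-06-03T09:14:01Z host=ws-0412 q=gofile.io type=A answer=192.0.2.10",
    "edr 2026-06-03T09:15:40Z host=ws-0412 event=file_create path=C:\\Users\\j.doe\\Downloads\\Invoice_2026.dll sha256=A648DB354820EA4D02940CB1702B35974513B7AAE83F6DFFAACAAC4BA31F9295",
    "fw 2026-06-03T09:16:11Z action=allow src=10.20.4.12 dst=154.211.86.110 dport=8443",
    "proxy 2026-06-03T09:20:00Z host=ws-0099 dst=198.51.100.7:443 url=https://example.com/ bytes=1200",
    "fw 2026-06-03T09:21:00Z action=deny src=10.20.4.13 dst=300.1.1.1 dport=80",
]

if __name__ == "__main__":
    hits = hunt(SAMPLE_LINES)
    for n, source, matched in hits:
        print(f"line {n} [{source}] matched {', '.join(matched)}")
    for ind, sources in summarise(hits).items():
        print(f"{ind}: seen in {', '.join(sources)}")
```

Running it against the constructed lines flags the proxy, EDR and firewall records that carry a listed indicator and leaves the benign DNS and proxy lines alone. In a real hunt the same functions would be pointed at exports from the mail, EDR, proxy, DNS and firewall platforms named in the action, with the per-indicator summary used to decide which hosts need a full incident-response review.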

Sources: Proofpoint TA4922 research and BleepingComputer European Atlas RAT reporting.

Finding 4: BSI advisories create a QEMU, automation, security-ops, CMS, and delivery-tool queue

Confidence: Low/Unverified

BSI published or surfaced multiple advisories relevant to QEMU/qemu-kvm, Red Hat Ansible Automation Platform, MISP, Progress Sitefinity, Go, Devolutions Server, Froxlor, and Octopus Deploy. The QEMU items include CVE-2026-3195, CVE-2026-3196, CVE-2025-14876, CVE-2026-2243, and CVE-2026-3842.

The risk is not that every item deserves the same urgency. The risk is that virtualisation, automation, threat-intelligence, CMS, privileged-access, hosting-control-panel, and CI/CD owners all assume someone else has the ticket. This is a routing problem first.

Action: Build a same-day owner table. Send QEMU to virtualisation and appliance owners, Ansible to automation owners, MISP to security operations, Sitefinity and Froxlor to web teams, Devolutions to privileged-access owners, and Octopus Deploy to CI/CD owners.

Sources: BSI WID-SEC advisories WID-SEC-2026-0566, WID-SEC-2025-2884, WID-SEC-2026-0464, WID-SEC-2026-1083, WID-SEC-2025-2432, WID-SEC-2026-1778, WID-SEC-2026-1783, WID-SEC-2026-1776, WID-SEC-2026-1781, WID-SEC-2026-1782, and WID-SEC-2026-1784.

Finding 5: Developer and research-platform dependencies need SBOM matching before escalation

Confidence: Low/Unverified

GitHub Advisories list clusters affecting Jupyter Enterprise Gateway, Docling, browserstack-runner, React Router, AIOHTTP, and quic-go. The most sensitive paths are notebook gateways, Kubernetes-backed research platforms, document and archive parsing, CI runners, public React Router apps, Python services, and Go HTTP/3 endpoints.

This is too broad for manual ticket guessing. The better route is SBOM or dependency matching against production services, CI runners, developer workstations, research platforms, and container images. Escalate only where a vulnerable package is present in a relevant execution path.

Action: Ask platform, application, and developer-experience owners to run dependency matching for the named packages. Prioritise browserstack-runner, Jupyter Enterprise Gateway, and Docling where untrusted input or CI execution is involved.
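The dependency-matching step recommended above, as an added example that is not part of the brief or of GitHub's advisory tooling: it reads CycloneDX-style SBOM documents, parses each component's package URL, and reports the packages named in this finding, splitting them into escalate-now (component sits in one of the sensitive execution paths the finding lists) and track-only. The mapping from the product names in the brief to publication names and ecosystems is my assumption, the `deployment.path` property is a constructed convention, and the SBOM documents and version numbers are invented. Because the brief gives no affected version ranges, every present match is reported as a candidate; comparing versions against the GHSA ranges is the next step and is not shown.

```python
"""Match CycloneDX-style SBOMs against the GHSA package clusters named in the brief.

Added example, not part of the original brief or of GitHub's advisory tooling.
The ecosystem/package-name mapping and the 'deployment.path' property are
assumptions for this example; the SBOM documents below are constructed.
"""
import json
import re
import urllib.parse

# Products named in the brief, keyed by (purl type, normalised package name).
# The publication names are an assumption, not taken from the advisories.
WATCHED = {
    ("pypi", "jupyter-enterprise-gateway"): "Jupyter Enterprise Gateway",
    ("pypi", "docling"): "Docling",
    ("npm", "browserstack-runner"): "browserstack-runner",
    ("npm", "react-router"): "React Router",
    ("pypi", "aiohttp"): "AIOHTTP",
    ("golang", "github.com/quic-go/quic-go"): "quic-go",
}

# Execution paths the brief singles out; a match anywhere else is tracked, not escalated.
SENSITIVE_PATHS = {
    "notebook-gateway", "research-platform", "document-parsing", "ci-runner",
    "public-web", "python-service", "http3-endpoint",
}


def normalise(pkg_type, name):
    """PyPI names are case-insensitive and treat '-', '_' and '.' alike (PEP 503)."""
    if pkg_type == "pypi":
        return re.sub(r"[-_.]+", "-", name).lower()
    return name


def parse_purl(purl):
    """Return (type, name incl. namespace, version) from e.g. pkg:npm/%40scope/name@1.2.3."""
    body = purl[len("pkg:"):].split("?", 1)[0].split("#", 1)[0]  # drop qualifiers/subpath
    pkg_type, _, rest = body.partition("/")
    if "@" in rest.rsplit("/", 1)[-1]:
        name, _, version = rest.rpartition("@")
    else:
        name, version = rest, None
    return pkg_type, urllib.parse.unquote(name), version


def match_sbom(sbom, watched=WATCHED):
    """Return one candidate dict per component whose purl is in WATCHED."""
    meta = sbom.get("metadata", {})
    service = meta.get("component", {}).get("name", "<unknown>")
    props = {p["name"]: p["value"] for p in meta.get("properties", [])}
    path = props.get("deployment.path", "unknown")  # constructed property, see lead-in
    out = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue
        pkg_type, name, version = parse_purl(purl)
        key = (pkg_type, normalise(pkg_type, name))
        if key in watched:
            out.append({"service": service, "product": watched[key], "package": name,
                        "version": version, "path": path, "escalate": path in SENSITIVE_PATHS})
    return out


def triage(sboms):
    """Run matching over all SBOMs; return (escalate_now, track_only)."""
    hits = [h for s in sboms for h in match_sbom(s)]
    return [h for h in hits if h["escalate"]], [h for h in hits if not h["escalate"]]


# Constructed SBOMs: service names, paths and versions are invented for illustration.
SAMPLE_SBOMS = [json.loads(doc) for doc in (
    """{"bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": {"name": "research-notebooks", "type": "application"},
                     "properties": [{"name": "deployment.path", "value": "notebook-gateway"}]},
        "components": [
          {"type": "library", "name": "jupyter_enterprise_gateway", "version": "3.2.0",
           "purl": "pkg:pypi/jupyter_enterprise_gateway@3.2.0"},
          {"type": "library", "name": "aiohttp", "version": "3.9.1", "purl": "pkg:pypi/aiohttp@3.9.1"},
          {"type": "library", "name": "numpy", "version": "1.26.4", "purl": "pkg:pypi/numpy@1.26.4"}]}""",
    """{"bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": {"name": "intranet-admin-ui", "type": "application"},
                     "properties": [{"name": "deployment.path", "value": "internal-admin"}]},
        "components": [
          {"type": "library", "name": "react-router", "version": "6.22.0", "purl": "pkg:npm/react-router@6.22.0"},
          {"type": "library", "name": "@scope/widgets", "version": "2.0.0", "purl": "pkg:npm/%40scope/widgets@2.0.0"}]}""",
    """{"bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": {"name": "edge-h3-proxy", "type": "application"},
                     "properties": [{"name": "deployment.path", "value": "http3-endpoint"}]},
        "components": [
          {"type": "library", "name": "github.com/quic-go/quic-go", "version": "v0.42.0",
           "purl": "pkg:golang/github.com/quic-go/quic-go@v0.42.0"}]}""",
)]

if __name__ == "__main__":
    escalate, track = triage(SAMPLE_SBOMS)
    for h in escalate:
        print(f"ESCALATE {h['service']}: {h['product']} {h['version']} in {h['path']}")
    for h in track:
        print(f"track    {h['service']}: {h['product']} {h['version']} in {h['path']}")
```

The notebook gateway and the HTTP/3 edge service come out as escalations, the React Router copy on an internal admin UI is only tracked, and packages outside the list (numpy, a scoped npm widget library) are ignored. Feeding real SBOM exports from production services, CI runners, developer workstations, research platforms and container images through the same matcher gives the owner-scoped ticket list the finding asks for.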

Sources: GitHub Advisories for Jupyter Enterprise Gateway, Docling, browserstack-runner, React Router, AIOHTTP, and quic-go.

Finding 6: Acer Wave 7 and Gemini notification hijack remain low-confidence but actionable hygiene items

Confidence: Low/Unverified

Acer Wave 7 router zero-day reporting is included as a new item, but the evidence remains incomplete pending fuller vendor and CVE detail. Treat it as an exposure-management item: know whether Wave 7 routers exist, reduce external exposure, and track firmware availability.

The Gemini notification hijack path is also included as a low-confidence hygiene item. The Hacker News reports that Google patched the issue server-side. The residual control question is whether Android fleets grant broad notification access or connected-app permissions to AI assistant workflows without a clear business reason.

Action: Inventory Acer Wave 7 routers and restrict exposure where possible. Review Gemini notification access and Android connected-app permissions, especially on managed devices used by privileged or sensitive users.

Sources: BleepingComputer Acer Wave 7 reporting and The Hacker News Gemini notification hijack reporting.

Updates to ongoing stories

Confidence: Low/Unverified

  • WinRAR CVE-2025-8088 (CISA KEV): This path-traversal flaw is a known-exploited vulnerability, listed in CISA's Known Exploited Vulnerabilities catalogue since 12 August 2025. Today's update is attribution, not a new vulnerability: The Hacker News reports Gamaredon-linked use against Ukraine. Keep WinRAR remediation and archive-lure detection active for Ukraine-facing, government-adjacent, and Europe-facing teams.
  • Android CVE-2025-48595 (CISA KEV): This Android Framework integer-overflow flaw entered CISA's Known Exploited Vulnerabilities catalogue on 2 June 2026 and is known-exploited. Yesterday's bundle already covered managed Android patch compliance, so it is not a fresh lead today, but keep patch tracking open and prioritise managed fleets given the confirmed exploitation.
  • Kirki CVE-2026-8206 and WP Maps Pro: WordPress administrator-account abuse remains important. Continue plugin checks and administrator-account review, but today's brief treats those stories as repeated against recent publication state.
  • VS Code token theft: Exploit-code reporting remains watchlist-only pending stronger advisory or patch anchoring. Developer teams should still tighten GitHub token hygiene and review unusual authentication activity.

Why This Matters

Today's brief is a triage exercise. Four items carry a government-confirmed exploitation signal through CISA KEV: Mirasvit CVE-2026-45247, PAN-OS CVE-2026-0257, WinRAR CVE-2025-8088, and Android CVE-2025-48595. Mirasvit is the lead because it is the newest KEV addition; the others are already-tracked exploited items. Several non-KEV findings need fast owner confirmation because they sit on exposed gateways, developer tooling, e-commerce sites, or security operations systems.

The right response is not to panic-patch everything. It is to rank by confidence, exposure, and owner. Start with Mirasvit CVE-2026-45247, re-check PAN-OS GlobalProtect, hunt TA4922 indicators, and then route the lower-confidence BSI, Ubuntu, MSRC, and GHSA items to the right technical teams.

Recommended Actions

  • P0: Check Mirasvit Full Page Cache Warmer CVE-2026-45247 exposure in Magento and e-commerce estates, then remediate and review logs where present.
  • P1: Confirm PAN-OS GlobalProtect CVE-2026-0257 (CISA KEV) patch or mitigation status for exposed gateways.
  • P1: Hunt TA4922 Atlas RAT indicators across mail, EDR, proxy, DNS, and firewall telemetry.
  • P1: Route the BSI advisory queue to named virtualisation, automation, security-ops, CMS, privileged-access, hosting, and CI/CD owners.
  • P2: Run SBOM and dependency matching for Jupyter Enterprise Gateway, Docling, browserstack-runner, React Router, AIOHTTP, and quic-go.
  • P2: Track Acer Wave 7 firmware detail and review Gemini notification and connected-app permissions on Android fleets.

All findings grounded in a13e intelligence sweeps through 04:55 UTC 04 June 2026.
