Two Maximum-Severity Joomla Zero-Days Under Active Exploitation: Attackers Target Websites With File Upload and Remote Code Execution Flaws + Video

Listen to this Post

Featured Image🎯 Introduction: A New Warning Signal for Joomla Administrators

Websites running Joomla are facing a serious security threat after two critical vulnerabilities were added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog. The flaws, both rated with the highest possible CVSS severity score of 10.0, allow attackers to compromise websites by uploading malicious files or executing remote commands without authentication.

The vulnerabilities affect popular Joomla extensions, including iCagenda and Balbooa Forms. Security researchers warn that attackers are already abusing these weaknesses as zero-day exploits, meaning organizations may be targeted before they have fully understood the scope of the attacks.

For website owners, the danger goes beyond simply installing updates. If attackers successfully deployed web shells or created hidden administrator accounts before patching, the affected systems may remain compromised even after security updates are applied.

🧩 Critical Joomla Vulnerabilities Added to CISA Exploited Database

CISA has officially added two Joomla extension vulnerabilities to its Known Exploited Vulnerabilities catalog, confirming that threat actors are actively exploiting them in real-world attacks.

The vulnerabilities include:

⚠️ CVE-2026-48939: iCagenda Arbitrary File Upload Vulnerability

The first vulnerability impacts the Joomla extension iCagenda and allows attackers to upload arbitrary files to vulnerable websites.

Attackers can abuse this weakness to upload malicious PHP scripts, including web shells that provide persistent access to compromised servers.

Once a malicious file is uploaded, attackers may gain the ability to:

Execute unauthorized commands

Modify website content

Steal sensitive information

Create hidden backdoor accounts

Launch additional attacks against visitors

The vulnerability affects organizations that have not updated iCagenda to the secure versions:

iCagenda 4.0.8

iCagenda 3.9.15

⚠️ CVE-2026-56291: Balbooa Forms Remote Code Execution Flaw

The second vulnerability affects the Balbooa Forms Joomla extension and is considered even more dangerous because it enables unauthenticated remote code execution.

This means attackers do not need valid usernames or passwords to exploit vulnerable systems.

By exploiting the flaw, threat actors may execute malicious code directly on the server, potentially gaining complete control over the Joomla installation.

Possible consequences include:

Website takeover

Database theft

Malware deployment

Ransomware preparation

Server compromise

Unauthorized access to internal systems

The recommended fixed version is:

Balbooa Forms 2.4.1

🔥 Why These Joomla Zero-Days Create Serious Security Risks

Content management systems such as Joomla are frequently targeted because they power thousands of websites worldwide. Extensions increase functionality but also introduce additional attack surfaces.

Many organizations focus on securing the Joomla core software while overlooking third-party plugins and extensions. Attackers often exploit these weaker points because they may contain outdated code, insecure upload mechanisms, or insufficient access controls.

A single vulnerable extension can become the entry point for a larger compromise.

🕵️ Attackers Are Deploying Web Shells Through Vulnerable Extensions

Security analysts warn that attackers exploiting these vulnerabilities are not simply defacing websites. Modern attacks often involve planting persistent access tools.

A web shell is a malicious script placed on a server that allows attackers to remotely control the environment.

Common attacker activities after deploying a web shell include:

Searching configuration files for database passwords

Creating hidden user accounts

Installing additional malware

Redirecting website visitors

Using compromised servers for phishing campaigns

Organizations should assume that vulnerable systems may already have been targeted.

🛡️ Immediate Actions Joomla Administrators Must Take

Organizations using affected extensions should immediately update their software and perform a complete security review.

Recommended actions include:

Update Vulnerable Extensions

Administrators should install:

iCagenda version 4.0.8 or 3.9.15

Balbooa Forms version 2.4.1

Updating removes the known vulnerability but does not guarantee that attackers have not already gained access.

🔍 Perform a Complete Compromise Investigation

After patching, administrators should inspect their environments for signs of previous exploitation.

Security teams should check for:

Unknown PHP files

Recently modified files

Suspicious administrator accounts

Unusual database entries

Unexpected scheduled tasks

Abnormal server processes

🔐 Rotate Credentials and Review Access Logs

If exploitation is suspected, organizations should immediately reset:

Joomla administrator passwords

Hosting control panel credentials

Database passwords

FTP or SSH credentials

API keys

Historical access logs should also be reviewed to identify suspicious activity.

🧠 What Undercode Say:

Understanding the Bigger Joomla Security Problem

Joomla itself is not the only target, third-party extensions remain one of the biggest risks in modern website security.

Attackers understand that organizations often install extensions and forget about them. These forgotten components become silent entry points.

A critical vulnerability with CVSS 10.0 represents a complete security failure scenario.

The combination of arbitrary file upload and remote code execution is especially dangerous.

File upload vulnerabilities are frequently underestimated because administrators assume attackers can only upload harmless files.

However, when server-side scripts such as PHP files can be uploaded, the situation changes completely.

An attacker does not need advanced malware techniques.

They only need:

A vulnerable extension

A reachable website

A malicious payload

After gaining execution access, attackers can move from a simple website compromise to a full server breach.

Organizations should treat Joomla extensions as software dependencies that require continuous monitoring.

Security teams should maintain:

Extension inventory

Version tracking

Vulnerability monitoring

Automated integrity checking

A common mistake is believing that patching immediately removes the threat.

It does not.

If attackers already installed a backdoor, the vulnerable software may be fixed while the attacker still maintains access.

Security investigation must happen after every major vulnerability announcement.

Administrators should compare website files against trusted versions.

Unexpected PHP files in upload directories are a major warning sign.

Database changes should also be reviewed because attackers frequently create hidden administrator accounts.

Server logs remain one of the most valuable sources of evidence.

Security teams should search for:

Suspicious POST requests

Unknown IP addresses

Strange user agents

Repeated failed login attempts

Unexpected file execution

The Joomla ecosystem requires the same security discipline applied to operating systems and enterprise applications.

A website is not just a public page.

It is a server environment connected to databases, users, and potentially internal business systems.

Compromised websites can become launch platforms for larger attacks.

Threat actors may use them to distribute malware, host phishing pages, or attack other organizations.

Organizations should adopt a security-first approach:

Remove unused extensions

Enable multi-factor authentication

Limit administrator privileges

Monitor file changes

Regularly audit plugins

The lesson from these vulnerabilities is clear:

Security is not achieved by installing one update.

Security requires continuous visibility, monitoring, and response.

🔬 Deep Analysis: Joomla Security Investigation Commands

Checking Modified Joomla Files

Linux administrators can search for recently changed files:

find /var/www/html -type f -mtime -7

This helps identify suspicious files created after exploitation.

Searching for Malicious PHP Files

Attackers often hide web shells as PHP scripts:

find /var/www/html -name ".php" | grep upload

Search suspicious PHP functions:

grep -R "eval(" /var/www/html
grep -R "base64_decode" /var/www/html

Reviewing Server Access Logs

Apache logs:

tail -f /var/log/apache2/access.log

Nginx logs:

tail -f /var/log/nginx/access.log

Look for unusual POST requests:

grep "POST" /var/log/apache2/access.log

Checking Joomla Administrator Accounts

Database administrators should review Joomla users:

SELECT id, username, email FROM jos_users;

Unexpected administrator accounts may indicate compromise.

Checking Active Network Connections

Linux servers can reveal suspicious connections:

netstat -tulpn

or:

ss -tulpn

File Integrity Monitoring

Administrators can compare files:

sha256sum suspicious.php

against trusted versions.

✅ CISA has added CVE-2026-48939 and CVE-2026-56291 to its Known Exploited Vulnerabilities catalog.
✅ Both vulnerabilities are reported with CVSS 10.0 severity ratings and involve serious Joomla extension risks.
✅ Patching alone may not remove existing compromises, so security investigations are recommended after updates.

Prediction

(+1) Joomla administrators and security teams will likely accelerate extension auditing and vulnerability monitoring as exploitation activity increases.

More organizations will adopt automated file integrity monitoring and continuous website scanning.

Security vendors may release additional detection rules targeting web shells linked to these vulnerabilities.

Joomla extension developers will likely face increased pressure to improve secure coding practices.

Organizations that delay patching may continue experiencing website compromises.

Unmaintained Joomla extensions will remain a major attack surface for threat actors.

Attackers may expand these exploits into larger campaigns involving malware distribution and credential theft.

▶️ Related Video (72% Match):

🕵️‍📝Let’s dive deep and fact‑check.

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

References:

Reported By: x.com
Extra Source Hub (Possible Sources for article):
https://www.github.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube