DEV Community

NetSecOpsIO
NetSecOpsIO

Posted on • Originally published at cyber.netsecops.io

Joomla Zero-Days CVE-2026-48939 & CVE-2026-56291 Exploited

Originally published on CyberNetSec.

Executive Summary

On July 10, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two critical zero-day vulnerabilities affecting Joomla extensions to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerabilities, CVE-2026-48939 in the iCagenda extension and CVE-2026-56291 in Balbooa Forms, are unauthenticated arbitrary file upload flaws that lead to remote code execution (RCE). Both have been assigned a CVSS v3.1 score of 10.0, indicating maximum severity. Reports confirm active, automated exploitation in the wild, with attackers uploading web shells to gain full control of vulnerable servers. Patches are available and immediate remediation is critical for all users of these popular Joomla components.


Vulnerability Details

Both vulnerabilities stem from a failure to properly validate and restrict file uploads from unauthenticated users, creating a critical attack vector on publicly accessible web forms.

  • CVE-2026-48939 (iCagenda): This vulnerability exists in the "Submit an Event" form of the iCagenda extension. The form allows any anonymous visitor to upload a file without authentication or proper file type validation. Attackers can upload a malicious PHP script disguised as a legitimate file (e.g., an image), which can then be executed on the server, granting them RCE capabilities.

  • CVE-2026-56291 (Balbooa Forms): This flaw affects Balbooa Forms versions up to and including 2.4.0. The frontend attachment upload feature accepts files from any visitor without checking for authentication or file extension. This allows an attacker to upload a PHP web shell to a publicly accessible directory. Once uploaded, the attacker can navigate to the shell's URL to execute arbitrary commands on the server.

Affected Systems

  • iCagenda: All versions containing the vulnerable "Submit an Event" form. A specific patched version has not been detailed in reports, but users should update to the latest available version immediately.
  • Balbooa Forms: Versions up to and including 2.4.0. The vulnerability is patched in version 2.4.1, released on July 9, 2026.

These extensions are used on websites built with the Joomla Content Management System (CMS).

Exploitation Status

Both vulnerabilities are under active and widespread exploitation. According to mySites.guru, automated attacks exploiting CVE-2026-48939 began as early as June 15, 2026. The inclusion of both CVEs in CISA's KEV catalog confirms evidence of active exploitation. The Australian Cyber Security Centre (ACSC) has also issued warnings about malicious actors actively scanning for these weaknesses to deploy web shells. Due to the ease of exploitation and high potential impact, the number of compromised websites is expected to grow rapidly.

Impact Assessment

Successful exploitation of either vulnerability results in a full compromise of the web server. An attacker can achieve remote code execution with the permissions of the web server process (e.g., www-data). This allows the threat actor to:

  • Steal sensitive data from the website's database, including user credentials, personal information, and payment details.
  • Deface the website or replace its content.
  • Use the compromised server as a pivot point to attack other systems within the internal network.
  • Host malware, phishing pages, or use the server as part of a botnet for DDoS attacks.
  • Establish persistent access by creating new administrator accounts or installing backdoors.

The business impact can be severe, leading to data breach notification costs, regulatory fines, reputational damage, and significant downtime for cleanup and recovery.

IOCs — Directly from Articles

No specific file hashes, IP addresses, or domains were provided in the source articles.

Cyber Observables — Hunting Hints

The following patterns could indicate related activity:

Type Value Description Context
url_pattern /index.php?option=com_icagenda Potential requests to the vulnerable iCagenda component. Web server logs, WAF logs
url_pattern task=icform Parameter associated with iCagenda form submissions. Web server logs, WAF logs
file_name *.php Look for PHP files in Joomla's public upload directories (e.g., /images, /tmp). File system monitoring, EDR
log_source access.log, error.log Monitor web server logs for unusual POST requests to form endpoints followed by GET requests to newly uploaded PHP files. SIEM, Log analysis tools
process_name php, php-fpm Monitor for child processes spawned by the web server process that are executing suspicious commands (e.g., whoami, ls, wget). EDR, Host-based IDS

Detection & Response

Security teams should focus on detecting both exploitation attempts and signs of a successful compromise.

  1. Network Traffic Analysis: Use a Web Application Firewall (WAF) to inspect incoming POST requests. Create rules to block or alert on file uploads containing PHP code or suspicious extensions (e.g., .php, .phtml, .php5) to the iCagenda or Balbooa Forms endpoints. This aligns with D3-NTA: Network Traffic Analysis.
  2. File Integrity Monitoring (FIM): Implement FIM on web server directories, particularly upload folders. An alert on the creation of any executable file type (e.g., .php, .sh) in a directory meant for images or documents is a high-confidence indicator of compromise. This relates to D3-FA: File Analysis.
  3. Log Analysis: Proactively search web server logs for patterns of exploitation. Look for a POST request that uploads a file, immediately followed by a GET request to that same file, often resulting in a 200 OK status. Correlate this with logs from EDR/endpoint agents showing the web server process (apache2, nginx, w3wp.exe) spawning shell commands.

Response: If a compromise is suspected, immediately isolate the server from the network. Take a forensic snapshot for investigation. Remove the web shell and any other malicious files. Restore from a known-good backup created before the compromise date. After restoring, apply the patches and conduct a thorough audit for any backdoors, such as new admin accounts or scheduled tasks.

Mitigation

  • Immediate Patching: This is the most critical step. Update Balbooa Forms to version 2.4.1 or later. Update iCagenda to the latest available version. This aligns with D3-SU: Software Update.
  • Disable Vulnerable Features: If patching is not immediately possible, disable the public-facing file upload functionality on both extensions. For iCagenda, disable the "Submit an Event" form for anonymous users. For Balbooa Forms, disable any forms that allow unauthenticated file attachments.
  • Harden Web Server Configuration: Configure the web server to prevent the execution of scripts in upload directories. For example, in Apache, you can use an .htaccess file with php_flag engine off to disable PHP execution.
  • Web Application Firewall (WAF): Deploy a WAF with rulesets that specifically block attempts to upload executable file types and detect common web shell patterns. This is a key compensating control.
  • Principle of Least Privilege: Ensure the web server process runs with the minimum necessary permissions. It should not have write access to directories outside of its designated temporary and upload folders.

Top comments (0)