CISA Warns of Joomla Sites Running iCagenda or Balbooa Exploited in Attacks

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Spread the love

The Cybersecurity and Infrastructure Security Agency (CISA) has added two high-risk Joomla extension flaws to its Known Exploited Vulnerabilities (KEV) Catalog.

Both vulnerabilities allow unrestricted file uploads, a weakness that attackers can abuse to upload malicious files and potentially take control of vulnerable websites.

The affected products are iCagenda and Balbooa Forms, two extensions used by Joomla website administrators for event management and web forms.

CISA said there is evidence that attackers are actively exploiting both security issues in real-world attacks.

The first flaw, tracked as CVE-2026-48939, affects iCagenda. It is classified as an unrestricted file upload with a dangerous type vulnerability.

The issue may allow an unauthenticated or low-privileged attacker, depending on the affected configuration, to upload files that the web server could execute.

The second vulnerability, CVE-2026-56291, affects Balbooa Forms. Like the iCagenda flaw, it involves unrestricted upload of dangerous file types.

Joomla Sites iCagenda & Balbooa Exploited

Exploitation could enable attackers to place web shells or other malicious scripts on a Joomla server. A web shell is a script that provides remote access to a compromised server.

Once installed, it can allow an attacker to run commands, steal site data, create new administrator accounts, modify content, distribute malware, or use the server as infrastructure for other attacks.

CISA warned that file-upload vulnerabilities remain a common entry point for malicious cyber actors.

Joomla sites exposed to the internet may face particular risk because attackers can scan widely for vulnerable extensions and automate exploitation attempts.

Federal Civilian Executive Branch agencies must address the vulnerabilities under Binding Operational Directive -26-04.

CISA requires agencies to prioritize patching KEV-listed vulnerabilities, especially those affecting internet-facing systems that could allow complete system compromise if exploited.

Although the directive applies specifically to federal agencies, CISA strongly recommends that private-sector organizations, educational institutions, and Joomla site administrators follow the same risk-based approach.

Administrators should immediately determine whether their Joomla environments use iCagenda or Balbooa Forms. Organizations should apply vendor-provided security updates or mitigation guidance where available.

If patches cannot be installed immediately, administrators should turn off the vulnerable component, restrict upload functionality, and limit public access to affected systems. Security teams should also investigate for signs of compromise before and after remediation.

Useful indicators may include unfamiliar files in web-accessible directories, unexpected PHP or other script files, suspicious administrator accounts, altered Joomla templates, unusual outbound network traffic, and anomalous web server logs.

Because exploitation has already been observed, simply applying an update may not remove an attacker who previously gained access.

Organizations should review logs, scan for web shells, rotate administrative credentials, and restore affected systems from known-clean backups when compromise is confirmed.

 Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.