Skip to main content
Two Joomla Extensions Under Active AttackIncident
4 min readFor Security Engineers

Two Joomla Extensions Under Active Attack

CISA issued Emergency Directive 25-01 on January 15, 2025, ordering federal agencies to patch or mitigate two remote code execution vulnerabilities in Joomla extensions within 72 hours. The flaws in iCagenda (CVE-2026-48939) and Balbooa Forms (CVE-2026-56291) were already being exploited when the directive went out.

If you're running Joomla in production, this isn't a drill.

What Happened

Attackers discovered and exploited two separate RCE vulnerabilities in popular Joomla extensions before patches became available. The iCagenda flaw allows arbitrary file uploads that lead to remote code execution. The Balbooa Forms vulnerability was exploited as a zero-day, meaning attacks occurred before the vendor released a fix.

CISA categorized both as maximum priority, which triggers its Known Exploited Vulnerabilities (KEV) catalog requirements. Federal agencies had three days to patch. You should move faster.

Timeline

The exact discovery timeline isn't public, but here's what we know:

  • Before patch release: Attackers exploited CVE-2026-56291 (Balbooa Forms) as a zero-day.
  • January 15, 2025: CISA added both CVEs to the KEV catalog and issued Emergency Directive 25-01.
  • January 18, 2025: Federal agencies' deadline to patch or remove affected extensions.

The gap between exploitation and public disclosure shows how attackers operate: they're scanning for these extensions before you've finished reading the advisory.

Which Controls Failed

Let's be specific about what broke down:

Vulnerability scanning didn't catch it early enough. If you're running quarterly scans, you're operating on a 90-day window where attackers have free rein. Both vulnerabilities existed in production systems before patches were available.

Extension vetting process was missing or inadequate. Someone installed third-party Joomla extensions without verifying the vendor's security posture, update cadence, or support status. iCagenda and Balbooa Forms aren't obscure plugins; they're widely deployed.

Patch management couldn't keep pace. Three days is CISA's timeline for federal agencies with dedicated security teams. If your patch cycle runs monthly, you're giving attackers 27 extra days.

Asset inventory was incomplete. The first question after CISA's directive: "Do we have Joomla running anywhere?" If you can't answer that in under an hour, your asset management has failed.

What Standards Require

CISA's KEV catalog isn't just guidance for federal agencies. It's referenced in multiple frameworks your auditors care about:

NIST 800-53 Rev 5 Requirement SI-2 (Flaw Remediation) states: "Remediate flaws within time periods defined by the organization based on risk assessment." CISA's KEV additions effectively define that time period for you. If a vulnerability is under active exploitation, your "risk assessment" should conclude: patch immediately.

PCI DSS v4.0.1 Requirement 6.3.1 demands security vulnerabilities be identified and addressed based on risk ranking. Remote code execution in a web-facing application is maximum risk. You can't defer it to next quarter's maintenance window.

ISO/IEC 27001:2022 Control 8.8 (Management of technical vulnerabilities) requires organizations to obtain timely information about technical vulnerabilities and evaluate exposure. The KEV catalog is that timely information. Waiting 30 days to patch a KEV-listed RCE fails this control.

SOC 2 Type II Common Criteria CC7.1 covers detecting security incidents and vulnerabilities. If you're not monitoring CISA's KEV catalog and responding within days, your auditor will ask why not.

Lessons and Action Items

Here's what you need to change:

Monitor the KEV catalog daily. Add it to your morning routine. CISA updates it when attackers are already exploiting vulnerabilities. Subscribe to the RSS feed or set up automated alerts. If you wait for your quarterly vulnerability scan to catch KEV additions, you're too late.

Inventory every CMS instance and extension. Right now. Not just Joomla. WordPress, Drupal, and every other platform running in your environment. Document the extensions, their versions, and who owns each site. If you can't produce this list in two hours, you can't respond to the next CISA directive.

Implement emergency patch windows. Your standard monthly patch cycle doesn't work for active exploitation. Define a 48-hour emergency process: who approves it, who deploys it, what testing you'll skip (yes, skip). RCE vulnerabilities under active attack don't wait for your change control board meeting.

Vet third-party extensions before installation. Check the vendor's security disclosure process, last update date, and community activity. If a Joomla extension hasn't been updated in 18 months, don't install it. If the vendor doesn't have a security contact listed, don't install it.

Test your rollback procedures. Emergency patches sometimes break things. You need a tested rollback plan that takes under 15 minutes. If your last production rollback was two years ago, you don't actually have a rollback plan.

Run authenticated scans weekly. Unauthenticated scans won't catch CMS extension versions. Your scanner needs admin-level access to enumerate installed plugins and their versions. Weekly scans give you a seven-day maximum exposure window instead of 90.

Automate extension updates where possible. Joomla supports automatic updates for core and extensions. Yes, you'll need testing for critical sites. But for low-risk marketing sites? Auto-update overnight and check logs in the morning.

The next CISA directive is coming. The only question is whether you'll spend three days scrambling to find affected systems or three hours deploying patches to a known inventory.

Topics:Incident

You Might Also Like