The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning regarding two critical zero-day vulnerabilities in popular Joomla extensions that are under active exploitation. The agency has added the flaws to its Known Exploited Vulnerabilities (KEV) catalog, mandating immediate remediation for federal agencies and sounding a broad alarm for all website administrators.

According to a report from The Hacker News on July 13, 2026, the vulnerabilities are tracked as CVE-2026-48939 (affecting the iCagenda extension) and CVE-2026-48940 (affecting the Balbooa Forms extension). Both carry a maximum severity CVSS score of 10.0, indicating that unauthenticated attackers can remotely execute arbitrary code on a vulnerable server. Such an exploit grants near-complete control over the compromised Joomla site, paving the way for data theft, defacement, or further network intrusion.

The vulnerabilities qualify as zero-days because exploitation has been observed in the wild prior to the availability of official patches. CISA's inclusion of these CVEs in the KEV catalog now triggers a binding operational directive (BOD 22-01) for U.S. Federal Civilian Executive Branch agencies, requiring them to patch within a specified timeframe. However, the directive's urgency applies universally, as the threat landscape is not limited to government networks.

This event highlights a persistent security dilemma in the CMS ecosystem: the overall security posture of a website can be critically undermined by a single vulnerable third-party extension. A compromised calendar plugin or form builder creates a high-severity entry point that can affect thousands of sites simultaneously, independent of the core CMS platform's security.

Site administrators are advised to take the following immediate steps: 1. Audit: Determine if their Joomla installation uses either the iCagenda or Balbooa Forms extension. 2. Patch: If the extensions are present, immediately apply the vendor-released security patches, treating this as an emergency outside of regular maintenance cycles. 3. Investigate: Review server and application logs for signs of suspicious activity corresponding to the time of the reported exploitation.

While specific technical indicators of compromise are limited to mitigate misuse, administrators should monitor official advisories from CISA and the extension vendors for updates. The active exploitation of these Joomla flaws is a stark reminder that third-party plugin security is integral to overall web application integrity.


美國網絡安全和基礎設施安全局(CISA)就兩個流行Joomla擴充套件中的關鍵零日漏洞發出緊急警告,指出這些漏洞正遭到積極利用。該機構已將這些漏洞納入其「已知被利用漏洞」(KEV)目錄,強制要求聯邦機構立即補救,並對所有網站管理員發出廣泛警報。

根據《黑客新聞》2026年7月13日的報導,這些漏洞被追蹤為CVE-2026-48939(影響iCagenda擴充套件)和CVE-2026-48940(影響Balbooa Forms擴充套件)。兩者均獲得CVSS最高嚴重性評分10.0,意味著未經身份驗證的攻擊者可在受影響的伺服器上遠端執行任意代碼。此類攻擊能賦予攻擊者對被入侵Joomla網站近乎完全的控制權,為數據竊取、網頁篡改或進一步的網絡入侵鋪平道路。

這些漏洞之所以被歸類為零日漏洞,是因為在官方補丁發布之前,它們已在野外被觀測到遭利用。CISA將這些CVE納入KEV目錄,現在觸發了對美國聯邦民事行政分支機構的約束性操作指令(BOD 22-01),要求它們在指定時間內完成修補。然而,鑒於威脅形勢並不限於政府網絡,該指令的緊迫性普遍適用。

此事件突顯了內容管理系統(CMS)生態系統中一個持續存在的安全困境:單個存在漏洞的第三方擴充套件,就可能嚴重削弱網站的整體安全態勢。一個被入侵的日曆外掛或表單建構器會創造出一個高嚴重性的入口點,能同時影響數以千計的網站,與核心CMS平台本身的安全性無關。

建議網站管理員立即採取以下步驟: 1. 審計: 確認其Joomla安裝是否使用了iCagenda或Balbooa Forms擴充套件。 2. 修補: 若存在這些擴充套件,請立即應用供應商發布的安全補丁,將此視為超出常規維護週期的緊急事件。 3. 調查: 審閱伺服器及應用程式日誌,檢查是否有與報告的利用時間相吻合的可疑活動跡象。

儘管具體的入侵技術指標因防止濫用而有限,但管理員應持續關注CISA及擴充套件供應商的官方通告以獲取更新。這些Joomla漏洞遭積極利用是一個明確提醒:第三方外掛的安全性是整體Web應用程式完整性的關鍵部分。

新聞來源 / Original News Source