CISA Flags Two Maximum-Severity Joomla Zero-Days Under Active Exploitation
Two Joomla Extensions Exploited in the Wild — Patch Now
CISA has added two maximum-severity vulnerabilities in popular Joomla extensions to its Known Exploited Vulnerabilities (KEV) catalog after confirmed reports of active zero-day exploitation. The affected extensions are iCagenda (an event calendar plugin) and Balbooa Forms (a form builder). Both carry the highest possible severity rating, meaning exploitation requires no special privileges and can lead to full site compromise.
Federal agencies under CISA's mandate are required to patch within the KEV deadline, but the real urgency here extends to any organization running these extensions on a public-facing Joomla site.
Why This Matters
Zero-day KEV additions are a high-signal alert. CISA only adds vulnerabilities to the KEV catalog when there is concrete evidence of active exploitation — not just proof-of-concept code. Maximum-severity flaws in form and calendar plugins are particularly dangerous because these extensions are often installed on high-traffic public sites, frequently lag on updates, and handle user-submitted input that attackers can weaponize for remote code execution or data exfiltration.
Joomla extensions have historically been a soft underbelly for CMS-based attacks. If your Joomla instance runs either of these plugins and it hasn't been updated in the last 48 hours, assume you are a target.
What to Do
- Audit immediately. Check all Joomla installations for iCagenda and Balbooa Forms. Even staging or dev environments accessible from the internet are at risk.
- Update both extensions to the latest patched versions from the official Joomla Extension Directory. Do not wait for your next maintenance window.
- Review server logs for anomalous POST requests to endpoints associated with these plugins — exploitation attempts may already be in your logs.
- Disable the extensions if patches are not yet available or if you cannot update immediately. A broken calendar or form is far less damaging than a compromised server.
- Apply WAF rules if you run a web application firewall. ModSecurity and Cloudflare WAF users should enable or tighten CMS-specific rulesets while patches are applied.
- Check CISA's KEV catalog directly for updated patch deadlines and any additional technical indicators as the advisory matures.
If you manage Joomla sites for clients, treat this as an emergency change — not a scheduled update.
Synthesized by Claude · sanity-checked before publish.