Your Joomla Website Is Being Attacked Right Now. And Microsoft Defender Has No Patch.
Two confirmed threats landed in the same 48-hour window this week. The first is being actively exploited against websites right now. The second has no patch, has public exploit code circulating, and Microsoft itself says exploitation is likely.
Neither requires a sophisticated attacker. Neither requires you to do something obviously foolish. They just require you to not have acted yet.
This is what the data shows, and this is what you need to do.
Story One: Your Joomla Website Can Be Taken Over With Zero Authentication
On 16 June 2026, CISA added CVE-2026-48907 to its Known Exploited Vulnerabilities catalogue. That is the US government’s list of flaws confirmed to be actively used in real attacks. Inclusion is not speculative. It means exploitation is happening.
The flaw is in the Joomla Content Editor plugin, commonly known as JCE. JCE is one of the most widely installed extensions for Joomla, a content management system that powers more than one percent of all websites on the internet. It replaces Joomla’s default text editor with a richer, Office-style interface. Hundreds of thousands of sites use it.
The vulnerability is straightforward and severe. An unauthenticated attacker, meaning someone with no account on your site whatsoever, can create a new editor profile through JCE’s interface. That new profile then permits the upload and execution of PHP code. PHP code execution on a web server is, in practical terms, complete control. The attacker can read your database, extract customer data, install backdoors, redirect your visitors, or deploy ransomware.
The patch has existed since 3 June 2026. The JCE developers released a security update more than two weeks ago. CISA confirmed active exploitation on 16 June. The gap between patch availability and widespread deployment is where the damage happens, and that gap is currently being exploited.
Joomla is disproportionately common among small business and charity websites, particularly those built by freelance developers or small agencies over the past decade. If your website runs Joomla, there is a meaningful probability you have JCE installed. If you have JCE installed and have not updated since 3 June, your site is at risk from an attack that requires no credentials and produces no warning.
The Italian and US authorities both flagged this vulnerability in the same week. That is not routine.
Story Two: Microsoft Defender Has an Unpatched Zero-Day. Microsoft Says Exploitation Is Likely.
The second story is in some respects worse, because there is currently nothing to install.
A vulnerability in the Microsoft Malware Protection Engine, the core component that powers Microsoft Defender Antivirus and System Center Endpoint Protection, has been publicly disclosed. It is tracked as CVE-2026-50656 and has been given the research name RoguePlanet.
The flaw allows local privilege escalation. That means an attacker who already has limited access to a Windows machine, a standard user account, for example, can exploit this vulnerability to obtain SYSTEM-level privileges. SYSTEM is the highest level of access on a Windows machine. With SYSTEM access, an attacker can disable security tools, access all files, create new accounts, and persist through reboots.
Proof-of-concept exploit code has been publicly available for approximately a week. This is not a theoretical attack. The mechanics are documented and the code to execute them is in circulation.
Microsoft has acknowledged the vulnerability and stated that it expects exploitation to occur. The company says it is working on a patch. No timeline has been provided.
This flaw does not represent remote compromise on its own. An attacker needs some form of prior access to the machine first, whether through a phishing email, a stolen credential, or physical access. But in a small business environment where staff accounts often have more permissions than they should, where phishing emails still land in inboxes, and where shared machines are common, local privilege escalation makes any existing breach meaningfully worse.
The researcher who disclosed RoguePlanet has previously published other unpatched Windows vulnerabilities, including a flaw in BitLocker called YellowKey. The pattern is worth noting.
Why These Two Stories Land Together
Taken individually, both of these are serious. Taken together, they illustrate a specific failure mode that affects small businesses more than larger organisations.
Large enterprises typically have dedicated patch management processes, vulnerability scanning tools, and security teams who read KEV updates the morning they are published. The gap between a patch being available and it being deployed is measured in days, not weeks.
For a small business with a website managed by a part-time developer or a hosting company with a monthly maintenance contract, the gap can be months. For a business relying on Windows Defender as its primary endpoint security with no additional monitoring layer, the absence of a patch means there is currently no mitigation available from the vendor.
The Joomla flaw is a supply chain problem. Your website may have been built years ago. The developer who built it may no longer be engaged. The plugin inventory may never have been audited. The hosting company may not proactively update plugins on your behalf.
The Defender flaw is a vendor dependency problem. When you rely on a single vendor’s built-in tool as your sole security control, you are entirely dependent on that vendor’s patch cycle. When that vendor confirms a zero-day is likely to be exploited and has no patch ready, you have no lever to pull.
Both problems are solvable. Neither requires expensive products.
How This Gives You an Edge Over Competitors Who Are Not Paying Attention
Most small business owners will not hear about either of these vulnerabilities this week. Their IT provider may not have flagged them. Their hosting company has almost certainly not emailed them. The cybersecurity press covered both stories, but most small business owners do not read the cybersecurity press.
If you are reading this, you have a window.
Clients and prospects increasingly ask about security posture during procurement, particularly if they are supplying larger organisations or public sector bodies. Being able to demonstrate that you actively monitor threat intelligence, that you have a documented process for responding to critical vulnerabilities, and that your website and endpoints are kept current is a concrete differentiator.
This is not compliance theatre. It is demonstrable operational security.
Making the Business Case
If you need to justify action to a decision-maker or a board, three points will land.
The cost of inaction is documented. CISA’s Known Exploited Vulnerabilities catalogue represents confirmed, real-world attacks. A flaw on that list is not a hypothetical. It is an active campaign. Insurers, regulators, and courts do not look kindly on organisations that failed to act on publicly confirmed, actively exploited vulnerabilities.
The remediation cost is negligible. Updating a Joomla plugin costs nothing except the time to log in to your site’s backend and click update. Auditing local user accounts on Windows machines costs a few hours of IT time. Neither requires purchasing anything.
The liability exposure is real. If your website is compromised through CVE-2026-48907 and customer data is exfiltrated, the ICO will want to know whether the patch was available and whether you applied it. It was available. If you did not apply it, that is a documented failure to implement appropriate technical measures under Article 32 of UK GDPR.
What to Do Before the End of This Week
1. Check whether your website runs Joomla and whether JCE is installed. Log in to your Joomla backend. Go to Extensions, then Manage, then Installed. Search for JCE. If it is present, check the version number. The patched version was released on 3 June 2026. If you are running an older version, update it immediately. If you do not have direct access to your website backend, contact your developer or hosting provider today and request confirmation that JCE has been updated.
2. If your Joomla site cannot be immediately patched, take it offline or restrict public access until it can. This is not an overreaction. This is the appropriate response to a confirmed, actively exploited vulnerability with no available workaround other than the patch.
3. Review local user account privileges on your Windows machines. For the RoguePlanet vulnerability to escalate to SYSTEM, an attacker needs some prior foothold. Reducing the number of accounts with unnecessary local administrator rights reduces the blast radius if a machine is compromised. Standard users should not have local admin rights unless there is a specific, documented reason.
4. Do not remove Microsoft Defender while waiting for the patch. Defender with a known vulnerability is still better than no endpoint protection. The RoguePlanet flaw requires local access to exploit. Keep Defender running, apply the patch the moment Microsoft releases it, and ensure Windows Update is set to install security updates automatically.
5. Ask your hosting provider or MSP a direct question this week. Send them the CVE reference: CVE-2026-48907. Ask them to confirm that all Joomla installations they manage on your behalf have been updated to the patched JCE version. If they cannot confirm this within 24 hours, that tells you something important about the quality of their monitoring.
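A read-only check that supports steps 1 and 5, added here as an example and not taken from the JCE project or from this briefing's sources: it reads the installed JCE manifest, compares its build date with the 3 June 2026 patch date given above, and lists PHP files sitting in the upload directory. The manifest path, the `images` upload directory and the sample tree are assumptions, and a build date is only a heuristic, so confirm the fixed version number against the vendor's advisory.

```python
import datetime as dt
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
PATCH_RELEASED = dt.date(2026, 6, 3)  # patch date stated in the article
# Assumed paths (not from the article): JCE manifest, default upload dir.
MANIFEST = "administrator/components/com_jce/jce.xml"
UPLOAD_DIR = "images"
DATE_FORMATS = ("%Y-%m-%d", "%d-%m-%Y", "%d %B %Y")  # day-precise only

def parse_build_date(text):
    for fmt in DATE_FORMATS:
        try:
            return dt.datetime.strptime(text.strip(), fmt).date()
        except ValueError:
            continue
    return None  # absent or too vague to compare

def audit_site(root):
    """Read-only audit; needs_update is None if the build date is unreadable."""
    root = Path(root)
    manifest = root / MANIFEST
    report = {"jce_installed": manifest.is_file(), "version": None,
              "needs_update": None, "php_in_uploads": []}
    if report["jce_installed"]:
        doc = ET.parse(manifest).getroot()
        report["version"] = (doc.findtext("version") or "").strip() or None
        built = parse_build_date(doc.findtext("creationDate") or "")
        report["needs_update"] = None if built is None else built < PATCH_RELEASED
    uploads = root / UPLOAD_DIR
    if uploads.is_dir():
        report["php_in_uploads"] = sorted(
            p.relative_to(root).as_posix() for p in uploads.rglob("*")
            if p.is_file() and p.suffix.lower() in {".php", ".phtml", ".phar"})
    return report

def build_sample_site(build_date):
    """Constructed sample tree: a JCE manifest plus one stray PHP upload."""
    root = Path(tempfile.mkdtemp())
    (root / MANIFEST).parent.mkdir(parents=True)
    (root / MANIFEST).write_text(
        "<extension><name>JCE</name><version>0.0.0-sample</version>"
        f"<creationDate>{build_date}</creationDate></extension>")
    banners = root / UPLOAD_DIR / "banners"
    banners.mkdir(parents=True)
    (banners / "logo.php").write_text("<?php // constructed sample")
    return root

if __name__ == "__main__":
    print(audit_site(build_sample_site("2026-05-20")))
```

Point `audit_site` at a copy or read-only mount of the real webroot; any path reported under `php_in_uploads` needs a manual look, since an upload directory should hold media rather than scripts.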
For more on building a practical approach to patch management without a dedicated security team, see our guide on what managed service providers should actually be doing for you and our overview of the basics of endpoint security for small businesses.
Follow the show wherever you listen. If this briefing was useful, leave a rating or a review: it genuinely helps other small business owners find this. Drop a comment with your questions or your own experience with either of these vulnerabilities. And if you know someone running a Joomla site or a small Windows-based operation, share this with them today. These two threats are active. The window to act before they land on your doorstep is this week.