Your Joomla Website Is Being Actively Exploited Right Now. What Are You Doing About It?

Threats & Attacks

Your Joomla Website Is Being Actively Exploited Right Now. What Are You Doing About It?

This week’s intelligence picture has a clear lead story. CISA confirmed active exploitation of two Joomla extensions: iCagenda and Balbooa Forms. Both vulnerabilities allow unauthenticated attackers to upload PHP files and execute arbitrary code on the web server. No login. No credentials. No warning.

This is not a theoretical attack path. CISA added these to its Known Exploited Vulnerabilities catalogue. That designation has a specific meaning: exploitation has been observed in the wild, not just in a research lab.

The second story worth tracking: a new ransomware strain designated JADEPUFFER, which uses AI agents to automate the extortion process. It is early-stage intelligence with moderate confidence, but the pattern it represents matters for how we think about the threat landscape going forward.

Let us take these in order.

What Is Happening With Joomla Right Now

Joomla is a content management system used by more than one percent of all websites on the internet. That sounds like a rounding error. It is not. One percent of the internet is millions of sites, and automated scanners do not discriminate by size or geography.

The two extensions under active attack are iCagenda, an events calendar component, and Balbooa Forms, a form builder. Both are the kind of functional, unremarkable plugins that sit quietly in a Joomla installation for years. The kind nobody checks because they have always worked fine.

The iCagenda flaw (CVE-2026-48939) and the Balbooa Forms flaw (CVE-2026-56291) both allow unauthenticated PHP code execution. An attacker sends a crafted request to your site. They do not need an account. They do not need to know your admin password. If the vulnerable extension is installed and unpatched, they can run code with the privileges of your web server.

CISA added both to its KEV catalogue this week. Australia’s cybersecurity agency flagged the same campaign last week, naming CMS platforms including Joomla as active targets.

The attack surface here is not abstract. If your business has a website built on Joomla and you or your web agency have not reviewed installed extensions in the last 30 days, you have an unquantified exposure.

Why This Matters More Than the Patch Notes Suggest

The framing around CMS vulnerabilities tends toward the technical. CVE numbers, CVSS scores, patch versions. That framing obscures the business consequence.

When an attacker achieves unauthenticated code execution on your web server, they do not just deface your homepage. They gain a foothold. From that foothold, they can exfiltrate customer data stored in your CMS database, install persistent backdoors, pivot to internal systems if your web server has network access to them, use your server as infrastructure for attacking others, or encrypt your files and demand payment.

For a small business, a compromised website is not an inconvenience. It is a potential GDPR notifiable breach, a reputational incident, and depending on what your CMS connects to, it may be the entry point for something considerably worse.

The GDPR angle is worth being explicit about. If your Joomla site collects customer data, form submissions, email addresses, or payment information and it has been compromised through one of these vulnerabilities, you have a 72-hour notification obligation to the ICO. That clock starts from when you become aware of the breach, not when the breach occurred.

JADEPUFFER: What the Intelligence Actually Says

The JADEPUFFER reporting comes from a threat intelligence blog and carries a moderate confidence rating. It is worth discussing because of what it represents, not because the threat is confirmed at scale.

The claim is that JADEPUFFER uses AI agents to automate elements of the ransomware extortion process: reconnaissance, target selection, and potentially the extortion communication itself. The two CVEs cited in that reporting (CVE-2025-3248 and CVE-2021-29441) relate to existing exploitation paths rather than new vulnerabilities.

The honest assessment: this is an emerging, unattributed threat with moderate confidence. It should not drive panic or procurement decisions.

What it does illustrate is a directional shift. Ransomware operations are moving toward automation. The manual effort required to identify, compromise, and extort a target is decreasing. That means the economics of attacking small businesses, historically considered too much work for too little return, are changing.

A 10-person solicitors practice in Leeds is not an interesting target for a sophisticated nation-state actor. It may become an interesting target for an automated system that can process thousands of small businesses simultaneously and extract modest sums from each without human intervention.

Keep watching this. Do not act on it yet beyond the basics. The basics matter more than the emerging threat anyway.

How to Turn This Into a Competitive Advantage

If your business has a website and you can demonstrate that you actively monitor it for known exploited vulnerabilities, that is a verifiable, evidence-based security posture.

For businesses that hold client data, particularly in professional services, this is increasingly a procurement question. Clients and procurement teams ask about security practices. Being able to say your web infrastructure is maintained against the CISA KEV catalogue, rather than patched whenever someone remembers to log in, is a concrete differentiator.

It also directly strengthens your Cyber Essentials posture. Patch management against known exploited vulnerabilities is exactly what CE+ assesses. Documented evidence that you tracked and responded to a KEV entry within the required timeframe is exactly the kind of control evidence auditors want to see.

How to Sell This to Your Board

Three arguments that land:

The legal exposure is real. If your website collects customer data and it has been compromised through an unpatched vulnerability, GDPR notification obligations apply. The ICO’s track record on fining organisations that failed to apply known patches is not encouraging. This is a liability, not just a technical issue.

The reputational cost exceeds the patch cost. Checking your Joomla extensions takes 20 minutes. Explaining to clients why their data was exposed because nobody updated a calendar plugin takes considerably longer and costs considerably more.

The threat is automated and indiscriminate. Attackers are not choosing your business. Scanners are. Your size provides no protection against an automated campaign that is probing every Joomla installation it can find. The relevant question is not whether you are a target. It is whether you are a soft one.

What This Means for Your Business

1. Check your Joomla installation today. Log into your admin panel. Go to Extensions. Look for iCagenda and Balbooa Forms. If either is installed, update to the patched versions immediately. If you do not use them, remove them entirely. Unused extensions are an attack surface with no corresponding benefit.

2. Review your hosting logs. Ask your hosting provider or web agency for server access logs from the past 30 days. Look for unusual POST requests to extension endpoints, unexpected PHP file creation, or access from unusual geographic locations. If you see something anomalous and you do not know what caused it, treat it as a potential indicator of compromise until proven otherwise.

3. Contact your web agency or MSP directly. Do not wait for them to tell you. Ask specifically: are our Joomla extensions patched against CVE-2026-48939 and CVE-2026-56291? Ask when they last audited installed extensions. If they cannot answer, that tells you something important about how your site is being managed.

4. Understand your GDPR obligations before you need them. If a compromise has occurred and customer data was accessible, your obligation to notify the ICO begins when you become aware of it. Brief your data protection lead or the person responsible for GDPR in your organisation now. The 72-hour window is shorter than it sounds when you are also trying to contain an incident.

5. Subscribe to the NCSC’s early warning service. It is free. It provides threat intelligence directly relevant to UK organisations, including alerts on active exploitation campaigns. It is not a substitute for patching, but it means you are less likely to be the last to know about the next campaign. Sign up at ncsc.gov.uk.

Before you go: follow the show wherever you listen, leave a rating or review, drop a comment with your thoughts, and share it with someone who would find it useful. If you run a small business and you know someone else who does, they need to hear this one.

SourceArticle
CISACISA Adds Two Known Exploited Vulnerabilities to Catalog
The Hacker NewsiCagenda and Balbooa Forms Joomla Flaws Reportedly Exploited as Zero-Days
The Cyber ExpressCISA Warns of Actively Exploited Joomla Zero-Day Vulnerabilities
Krypt3iaThreat Intelligence Report: JADEPUFFER Agentic Ransomware and Automated Extortion
The Hacker NewsWeekly Recap: ShareFile Threat, Citrix Bleed 2 Ransomware, AI Coding Attacks, and More
NCSCEarly Warning Service
ICOPersonal data breaches (GDPR guidance)

Filed under

  • smb-security
  • uk-business
  • vendor-risk
  • supply-chain-risk
  • incident-response
  • compliance-failure
  • business-risk