Introduction
Security Arsenal is tracking a significant uptick in active exploitation attempts targeting Joomla content management systems. Threat actors are aggressively scanning for and leveraging critical security flaws in two specific third-party extensions: Balbooa Forms and iCagenda.
These vulnerabilities facilitate unauthenticated Remote Code Execution (RCE), meaning attackers can gain initial access and execute arbitrary commands on the underlying server without valid credentials. Given the prevalence of Joomla in corporate web infrastructures, this poses an immediate risk of web shell deployment, ransomware deployment, and data exfiltration. Defenders must treat this as an active incident scenario and prioritize identification and patching immediately.
Technical Analysis
Affected Products
- Platform: Joomla CMS
- Affected Extensions:
- Balbooa Forms (
com_bfjoomlaforms) - iCagenda (
com_icagenda)
- Balbooa Forms (
Vulnerability Mechanics
While specific CVE identifiers are not detailed in the current advisory, the flaws are categorized as unauthenticated RCE. This typically occurs when the application fails to properly sanitize user-supplied input passed to a deserialization function, a file inclusion routine, or an unsafe eval() call within the extension's controller logic.
Attack Chain
- Scanning: Attackers use mass-scanning tools to identify Joomla instances hosting the vulnerable extensions.
- Exploitation: A malicious HTTP POST or GET request is sent to the component's endpoint (e.g.,
/index.php?option=com_bfjoomlaforms...). This request contains serialized objects or crafted parameters that trigger the vulnerability. - Execution: The web server (PHP/Zend Engine) processes the malicious payload, executing attacker-defined system commands.
- Persistence: The primary post-exploitation activity observed is the download and execution of a PHP web shell (e.g., simple backdoors like
wso.phpor custom variants). This allows the attacker to maintain persistent interactive access to the server, effectively bypassing security controls.
Exploitation Status
CONFIRMED ACTIVE EXPLOITATION. These flaws are not theoretical; Security Arsenal telemetry indicates ongoing, automated exploitation attempts in the wild attempting to drop webshells.
Detection & Response
Sigma Rules
The following rules detect the initial exploitation attempt via web logs and the subsequent process execution of a web shell on Linux-based web servers.
---
title: Joomla Exploit Attempt - Balbooa and iCagenda
id: 8a1b2c3d-4e5f-6789-0a1b-2c3d4e5f6789
status: experimental
description: Detects potential exploitation attempts against Balbooa Forms and iCagenda Joomla extensions via URI patterns.
references:
- Internal Security Arsenal Threat Intelligence
author: Security Arsenal
date: 2026/05/15
tags:
- attack.initial_access
- attack.t1190
logsource:
category: web
detection:
selection:
- c|contains: 'option=com_bfjoomlaforms'
- c|contains: 'option=com_icagenda'
condition: selection
falsepositives:
- Legitimate administrative access to these specific components
level: high
---
title: Web Server Spawning Shell - Joomla Exploitation
id: 9b2c3d4e-5f67-8901-2b3c-4d5e6f7890ab
status: experimental
description: Detects the web server process spawning a shell or perl/python, often indicative of successful RCE or web shell execution.
references:
- https://attack.mitre.org/techniques/T1505/003/
author: Security Arsenal
date: 2026/05/15
tags:
- attack.execution
- attack.t1059.004
logsource:
category: process_creation
product: linux
detection:
selection:
ParentImage|endswith:
- '/apache2'
- '/httpd'
- '/php-fpm'
- '/nginx'
Image|endswith:
- '/sh'
- '/bash'
- '/perl'
- '/python'
- '/php'
condition: selection
falsepositives:
- Legitimate system administration scripts executed by the web server user
level: critical
KQL (Microsoft Sentinel / Defender)
Hunt for suspicious URI requests in your web proxy or WAF logs (ingested via Syslog or CEF) and correlate with suspicious process creation on Linux endpoints.
// Hunt for exploitation attempts in Web Logs
Syslog
| where Facility in ("nginx", "apache", "webaccess")
| extend RequestUri = extract(@"(GET|POST)\s+(.*?)\s+HTTP", 2, SyslogMessage)
| where RequestUri has "option=com_bfjoomlaforms" or RequestUri has "option=com_icagenda"
| project TimeGenerated, ComputerIP, RequestUri, SyslogMessage
| order by TimeGenerated desc
// Hunt for Web Server spawning suspicious processes (Linux)
DeviceProcessEvents
| where InitiatingProcessFileName in ("apache2", "httpd", "php-fpm", "nginx")
| where ProcessFileName in ("sh", "bash", "perl", "python3", "nc")
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessFileName, ProcessCommandLine, InitiatingProcessAccountName
| order by Timestamp desc
Velociraptor VQL
Use this artifact to hunt for the presence of the vulnerable directories and common web shell signatures on the web root.
-- Hunt for vulnerable Joomla extensions and common web shells
SELECT FullPath, Mtime, Atime, Size, Mode
FROM glob(globs='/**/components/com_bfjoomlaforms/**')
SELECT FullPath, Mtime, Atime, Size, Mode
FROM glob(globs='/**/components/com_icagenda/**')
-- Hunt for common web shell file names
SELECT FullPath, Mtime, Size, Mode
FROM glob(globs='/var/www/html/**/*php')
WHERE Name =~ 'shell' OR Name =~ 'wso' OR Name =~ 'r57' OR Name =~ 'c99' OR Name =~ 'ajaxplorer'
Remediation Script (Bash)
This script scans for the presence of the specific vulnerable extension directories and checks for suspicious PHP files (web shells) within the web root.
#!/bin/bash
echo "[+] Scanning for vulnerable Joomla extensions..."
# Define Web Root (adjust as necessary for your environment)
WEB_ROOT="/var/www/html"
# Check for Balbooa Forms
if [ -d "$WEB_ROOT/components/com_bfjoomlaforms" ]; then
echo "[!] ALERT: Balbooa Forms directory found at $WEB_ROOT/components/com_bfjoomlaforms"
echo " Recommendation: Update to the latest version immediately."
fi
# Check for iCagenda
if [ -d "$WEB_ROOT/components/com_icagenda" ]; then
echo "[!] ALERT: iCagenda directory found at $WEB_ROOT/components/com_icagenda"
echo " Recommendation: Update to the latest version immediately."
fi
echo "[+] Scanning for common web shell signatures..."
# Scan for common obfuscated functions in PHP files
# Look for base64_decode, eval, and assert in single line patterns typical of shells
find $WEB_ROOT -type f -name "*.php" -exec grep -l "eval\|base64_decode\|assert\|gzinflate\|str_rot13" {} \; 2>/dev/null | while read file; do
# Heuristic: Small PHP files with these functions are suspicious
SIZE=$(stat -c%s "$file")
if [ "$SIZE" -lt 50000 ]; then
echo "[!] Suspicious file found: $file (Size: $SIZE bytes)"
fi
done
echo "[+] Scan complete."
Remediation
1. Immediate Patching: Administrators must update the Balbooa Forms and iCagenda extensions to the latest available versions immediately. Check the official Joomla Extension Directory (JED) or the vendor's official website for the specific security releases addressing these RCE flaws.
2. Restrict Extension Access:
If immediate patching is not possible, restrict access to the specific component directories (/components/com_bfjoomlaforms/ and /components/com_icagenda/) via the web server configuration or a Web Application Firewall (WAF). Ideally, disable the extensions temporarily until patches can be applied.
3. Compromise Assessment: Given the active exploitation status, assume that unpatched instances may already be compromised.
- Review web server access logs for the past 30 days for POST requests to the affected components.
- Scan the web document root for newly created PHP files (web shells).
- Run integrity checks (e.g., AIDE, Tripwire) against core Joomla files.
4. Vendor Resources:
- Balbooa Extension Updates: https://www.balbooa.com/
- Joomla Security Announcements: https://www.joomla.org/announcements.html
Related Resources
Security Arsenal Alert Triage Automation AlertMonitor Platform Book a SOC Assessment platform Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.