Joomla Admins: Patch Immediately - iCagenda & Balbooa Zero-Days in KEV
Just saw the update from CISA adding two Joomla extensions to the Known Exploited Vulnerabilities (KEV) catalog. If you manage Joomla instances, specifically using iCagenda or Balbooa Forms, stop what you're doing and patch.
Both flaws are rated CVSS 10.0, which means the bar for exploitation is non-existent.
The Vulnerabilities
- CVE-2026-48939 (iCagenda): An unauthenticated remote code execution vulnerability. The report indicates attackers are actively abusing this to drop web shells.
- Balbooa Forms: A separate flaw (likely file upload or auth bypass) also being leveraged in the wild.
Since these are zero-days in the KEV, we have to assume active scanning is underway.
Hunting
Check your access logs for POST requests to these components. You can use this snippet to grep your Apache/Nginx logs for suspicious activity:
grep -E "(com_icagenda|com_balbooaforms)" /var/log/apache2/access.log | grep POST
If you find hits, verify the file system integrity immediately. Look for recently created PHP files in the extension directories:
find /path/to/joomla/components -name "*.php" -mtime -1
Is anyone else seeing an uptick in automated scanning against these specific components today, or is it just isolated to a few campaigns?
We've started blocking traffic at the WAF level for anyone not accessing the admin panel. Just a quick temporary rule while we patch the legacy sites.
For those running ModSecurity, this rule seems to catch the initial payload:
apache SecRule REQUEST_URI "@contains com_icagenda" "id:1001,deny,status:403,msg:'iCagenda exploit attempt'"
Better safe than sorry given the CVSS score.
The headache with Joomla is always the dependency hell. You patch the core, but extension devs are slow to update. I just checked a client's server and saw this in the error logs right before the shell landed:
[07-Jul-2026 14:22:11 UTC] PHP Warning: file_get_contents(): Filename cannot be empty in /components/com_icagenda/controller.php on line 120
If you see that, you're likely already compromised. Check for `eval(base64` strings in your index.php.
Verified Access Required
To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.
Request Access