CISA Flags Two Joomla Extensions Under Active Attack, Both Score Perfect 10 on Severity Scale
Attackers hit iCagenda and Balbooa as zero-days before patches were ready, and federal agencies now face mandatory remediation deadlines under Binding Operational Directive 22-01.

CISA added two Joomla extension vulnerabilities to its Known Exploited Vulnerabilities catalog on Monday, confirming that criminals are already abusing both flaws in live attacks against real websites.
The two bugs sit inside iCagenda, a calendar plugin, and Balbooa, a forms and page-layout tool. Both scored 10.0 on the Common Vulnerability Scoring System, which is the highest possible rating. A CVSS 10.0 means the flaw requires no authentication, can be triggered remotely, and typically gives an attacker full control of the server. There is no ceiling left to hit.
What Joomla Site Owners Need to Understand First
Joomla is an open-source content management system used by tens of thousands of organisations worldwide, from university departments to small charities to regional news sites. It competes in the same space as WordPress. Extensions are the add-on modules that bolt extra functionality onto a base Joomla install. iCagenda handles event calendars; Balbooa builds contact forms and structured page layouts.
Here is the practical danger: even if the core Joomla software is fully patched and up to date, a critical flaw in a single installed extension exposes the entire site. Every organisation running either plugin became a potential target the moment attackers identified these bugs, which happened before patches were widely available.
Zero-Day Exploitation: What That Phrase Actually Means
Both vulnerabilities were exploited as zero-days. That means attackers discovered and weaponised the flaws before the extension developers had shipped a fix. Defenders had, quite literally, zero days to prepare.
One of the catalogued flaws carries the identifier CVE-2026-48939, assigned to the iCagenda extension. CISA has not released detailed technical write-ups of exactly how the exploits work, a deliberate choice. Publishing step-by-step attack instructions while remediation is still underway gives copycat threat actors a free playbook.
What a CVSS 10.0 score on a web plugin almost always signals is remote code execution. That means an attacker can run arbitrary commands on your server from anywhere in the world without ever logging in through your front page. From that position, they can steal customer records, install persistent backdoors, redirect visitors to malware-serving pages, or use your server as a relay for further attacks.
Who Is Legally Required to Act
Binding Operational Directive 22-01, issued by CISA, requires every U.S. federal civilian executive branch agency to remediate any vulnerability listed in the KEV catalog by its posted deadline. If no patch exists, the agency must take the affected product offline. The directive does not apply by law to state governments, private companies, or overseas organisations. But CISA formally urges all organisations, public and private, to treat KEV entries as high-priority remediation targets.
Organisations outside the United States are not off the hook on compliance risk. A compromised Joomla site holding personal data on UK or EU residents could trigger mandatory breach notification duties under the UK Information Commissioner's Office framework or under GDPR, depending on where the affected individuals are located. Fines for delayed notification are material.
The Control That Failed Here
Zero-day exploitation is often treated as an unstoppable force, as if the absence of a patch means defenders can do nothing. That framing is too narrow. Several controls could have limited the blast radius here.
First, extension hygiene. Many organisations install Joomla plugins during a project and forget them. Regular audits of installed extensions, combined with a policy of removing anything not actively used, shrink the attack surface before any vulnerability is even discovered. The Verizon 2024 Data Breach Investigations Report found that exploitation of vulnerabilities as an initial access vector nearly tripled year over year, reinforcing that unmanaged software components are a growing liability.
Second, network segmentation and web application firewall rules. A well-configured WAF can often detect and block the anomalous HTTP request patterns that accompany remote code execution attempts, buying time even when a patch does not yet exist. That is not a substitute for patching. It is a layered defence.
Third, and critically, the human layer. Attackers who achieve remote code execution on a web server frequently pivot by sending phishing emails from that server's trusted domain. Staff at organisations whose Joomla sites are compromised may soon receive convincing internal-looking emails asking for credential resets or wire transfers. Security-awareness training that teaches employees to recognise these post-compromise social engineering patterns is a meaningful second line of defence when the perimeter has already been crossed.
What Website Owners Should Do This Week
Log in to your Joomla admin panel and check the Extensions section. If iCagenda or Balbooa appears, check the installed version against the latest release from the developer. Update immediately if a patched version is available. If no fix exists yet, disable the extension until one ships. A broken calendar widget is far less damaging than a compromised server.
Next, pull your web server access logs and search for unusual POST requests to the extension's known URL paths, any new administrator accounts you did not create, and any files uploaded to directories that should be read-only. If you find anything suspicious, rotate every credential tied to the site, including database passwords, API keys, and third-party service tokens, before you do anything else.
For end users who have submitted personal information through a Joomla-powered site in recent months, the immediate risk is a rise in targeted phishing attempts. Your email address and name may now be in a threat actor's hands. Be sceptical of any unexpected message asking you to confirm account details or make a payment, even if it appears to come from a familiar sender.
Organisations wanting a structured framework for managing vulnerability disclosure and patching timelines can benchmark against NIST SP 800-40, which provides guidance on enterprise patch management programmes. Building that process before the next zero-day arrives is far cheaper than the incident response bill that follows a breach. Find out how Train2Secure supports your team at train2secure.com/pricing.
CISA's KEV catalog is updated continuously. Subscribe to CISA alerts at cisa.gov so your security team sees new entries the same day they are published, not a week later.
How this could have been prevented
- Audit installed Joomla extensions monthly and remove anything not actively in use to reduce the attack surface before vulnerabilities are discovered.
- Pair a web application firewall with an active patch management programme so anomalous traffic is blocked even when a zero-day fix is not yet available.
- Train staff to recognise post-compromise phishing attempts, because attackers who gain server access often pivot to credential-harvesting emails sent from your own trusted domain.
Train2Secure helps teams build the human-layer defences that limit damage when technical controls are bypassed, starting with free awareness modules you can deploy today.
Start free, no card requiredSources & further reading
Frequently asked questions
What is the CISA Known Exploited Vulnerabilities catalog?
It is a continuously updated list maintained by the U.S. Cybersecurity and Infrastructure Security Agency that tracks security flaws confirmed to be actively exploited in real-world attacks. Federal civilian agencies are legally required to patch any listed vulnerability by a set deadline under Binding Operational Directive 22-01.
Do I need to act if I am not a U.S. federal agency?
Yes. CISA strongly urges all organisations, public and private, to treat KEV entries as high-priority. A CVSS 10.0 zero-day with confirmed exploitation means attackers are actively scanning for vulnerable sites regardless of who owns them. Private companies and international organisations face regulatory and reputational exposure if compromised site data triggers a breach notification obligation.
What should I do if I cannot patch the Joomla extension immediately?
Disable the affected extension until a patched version is available. Review your web application firewall rules for anomalous POST requests to the extension's URL paths, audit your server for unexpected new admin accounts or uploaded files, and rotate all credentials and API keys associated with the site.
Why is a CVSS score of 10.0 particularly alarming for a web plugin?
A 10.0 score means the vulnerability requires no authentication, can be exploited remotely, and typically enables remote code execution, giving an attacker full control of the underlying server. For a web plugin, that means any site running the extension is exposed to the open internet with no login barrier protecting it.



