The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns that threat actors are actively exploiting remote code execution (RCE) vulnerabilities in specific Joomla extensions. According to CISA, attackers are targeting the iCagenda and Balbooa Forms extensions to gain RCE by abusing an arbitrary file upload weakness. The reports say the exploited flaws enable malicious actors to upload files in a way that ultimately leads to execution on affected systems.
SecurityWeek similarly reports that organizations are being warned about the same Joomla extension vulnerabilities and notes that both Balbooa Forms and iCagenda are under active attack. While the coverage focuses on the exploitation status and the affected extensions, both sources align on the core technical risk: attackers use the vulnerabilities to achieve RCE via arbitrary file upload.
Taken together, the reporting indicates that this is not a theoretical risk. CISA’s advisory and SecurityWeek’s recap both emphasize that the vulnerabilities are being exploited in the wild against Joomla installations that use the affected extensions, underscoring the need for timely mitigation and patching.