The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two maximum-severity security vulnerabilities affecting popular Joomla extensions to its Known Exploited Vulnerabilities (KEV) catalog, confirming active zero-day exploitation in the wild.
The affected extensions — iCagenda (an event management plugin) and Balbooa Forms (a form builder) — are used across thousands of Joomla-powered websites globally. Both vulnerabilities are rated at the highest possible severity, making immediate action critical for any Joomla site running these plugins.
What Was Disclosed
CISA's KEV addition confirms that threat actors have been actively exploiting these flaws before patches were widely available or known to defenders — the definition of a zero-day. While the agency has not attributed the attacks to a specific group, the KEV listing signals that exploitation is not theoretical: real attacks are underway.
Both vulnerabilities affect the extension components themselves rather than the Joomla core. Sites running the vulnerable versions of either plugin are at risk regardless of their Joomla core version.
iCagenda Vulnerability
iCagenda is a widely used event management and calendar extension for Joomla. The vulnerability allows unauthenticated attackers to perform actions that should be restricted to authenticated administrators. The exact technical details have been withheld in some advisories to limit further exploitation, but the severity rating (maximum) indicates the potential for remote code execution or full administrative compromise.
Balbooa Forms Vulnerability
Balbooa Forms is a drag-and-drop form builder for Joomla used by businesses to create contact, registration, and data-collection forms. The flaw in this extension similarly carries a maximum severity rating. Form-builder plugins are a historically attractive target because they typically process and store user-submitted data and often run with elevated CMS privileges.
Why KEV Listings Matter
CISA's KEV catalog is not a theoretical risk register — it documents vulnerabilities with confirmed, real-world exploitation. When a flaw appears on the KEV list:
- Federal civilian agencies are mandated to patch within a set deadline
- The listing signals that the broader threat landscape is actively targeting the flaw
- Exploitation tooling or proof-of-concept code is likely in circulation
For private sector organizations, a KEV listing should be treated with the same urgency as a federal mandate.
Recommended Actions
1. Identify Exposed Sites
Audit all Joomla installations in your environment for the presence of iCagenda and Balbooa Forms:
# Check installed Joomla extensions (run from Joomla root)
find . -type d -name "com_icagenda" 2>/dev/null
find . -type d -name "mod_balbooa*" 2>/dev/null
# Or check via Joomla CLI (Joomla 4+)
php cli/joomla.php extension:list2. Apply Available Patches
Check the official extension pages and developer advisories for both iCagenda and Balbooa Forms. If patches are available, apply them immediately through the Joomla Extension Manager or via package upload.
3. Disable if Not in Active Use
If either extension is installed but not actively required, disable and uninstall it until a patch is confirmed applied:
- Navigate to Extensions > Manage > Manage in the Joomla administrator panel
- Locate the affected extension
- Select and Disable, then Uninstall if not needed
4. Deploy a Web Application Firewall
A WAF can block known exploit patterns at the network edge while patches are being applied:
- Cloudflare WAF — managed rulesets include CMS-specific protections
- Wordfence (Joomla equivalent: RSFirewall, Akeeba Admin Tools) — application-level WAF
- ModSecurity — open-source WAF with OWASP CRS
5. Monitor for Indicators of Compromise
# Check Joomla logs for unusual activity
tail -n 500 /var/log/apache2/access.log | grep -i "icagenda\|balbooa"
# Look for unauthorized admin accounts
# In Joomla DB:
# SELECT * FROM #__users WHERE usertype='Administrator' ORDER BY registerDate DESC LIMIT 10;
# Check for recently modified PHP files
find /path/to/joomla/ -name "*.php" -newer /path/to/joomla/index.php -type fBroader Context: CMS Extension Risk
This incident follows a pattern of CMS extensions being exploited as easier entry points than hardened core software. Attackers specifically target:
- Event and calendar plugins — often installed and forgotten, infrequently updated
- Form builders — process untrusted user input and frequently have file upload functionality
- E-commerce and payment extensions — high-value targets for card skimming
The Joomla ecosystem, like WordPress, has thousands of third-party extensions with varying maintenance quality. Any extension that hasn't received a security update in 12+ months should be considered a risk factor.