CISA flags active attacks on two Joomla add-ons that let hackers take over websites

Old flaws in the iCagenda and Balbooa Forms extensions are being used to plant malicious files on Joomla sites, and the U.S. cyber agency has given federal bodies three weeks to patch.

ThreatVectr Newsdesk· 3 min read
Photoreal editorial shot of a dimly lit server rack with a single glowing amber warning light, faint reflections of code on the metal, shallow depth of field, c
Share

Key points

  • The U.S. Cybersecurity and Infrastructure Security Agency added two Joomla extension flaws to its Known Exploited Vulnerabilities list in November 2025.
  • The bugs are CVE-2023-23752 style file-upload holes in the iCagenda events extension and the Balbooa Forms extension for Joomla.
  • Attackers are using the flaws to upload booby-trapped files and run their own commands on the web server.
  • U.S. federal civilian agencies have roughly three weeks to patch or stop using the affected extensions.
  • Joomla powers an estimated 1.7% of all websites, so the pool of exposed sites is large.

CISA, the U.S. government's cyber defence agency, has told federal bodies to urgently fix two flaws in add-ons for Joomla, a popular free tool used to build and run websites. Attackers are already using both holes in the wild, according to the agency's Known Exploited Vulnerabilities catalogue.

The two vulnerable add-ons are iCagenda, an events calendar, and Balbooa Forms, a form builder. Both are extensions, meaning extra features that site owners bolt onto a stock Joomla install to do things the base software doesn't.

The flaws are what security people call arbitrary file upload bugs. In plain English: the extensions accept files from strangers without properly checking what those files actually are. A visitor can send up a small program disguised as, say, an image, and the server will happily save it and run it later.

Once that happens, the attacker has what's known as remote code execution, meaning they can run their own commands on the machine hosting the website. From there they can steal customer data, deface the site, drop a cryptocurrency miner, or use the box as a springboard to attack other systems.

The active exploitation was first reported by BleepingComputer. Neither Joomla itself nor the extension authors have made a fuss about it, which is normal for extension bugs. In practice, small add-on maintainers rarely have a PR team.

Should ordinary website visitors worry?

Probably not directly, but the sites you use might. Joomla runs about 1.7% of the web, which sounds small until you remember that adds up to millions of sites. Local councils, small charities, event pages, gyms, and independent shops love it because it's free and easy.

If one of those sites gets taken over through iCagenda or Balbooa Forms, the practical risk to you is limited to two things. Data you typed into a form on that site (name, email, phone) could be scraped. And the site could quietly serve you a malicious download or a fake login page. If a site you use starts behaving oddly, close the tab and don't re-enter passwords.

How did the attacks work?

The hackers scan the open internet for Joomla sites, then poke each one to see which extensions are installed. When they find iCagenda or Balbooa Forms at a vulnerable version, they send a crafted upload request. The extension saves the attacker's file into a public folder on the server. The attacker then simply visits that file's URL in a browser, and the server runs it.

The failure mode here is depressingly familiar: an extension that trusts user input, a site owner who never updates plug-ins, and a scanner that finds them both.

What site owners need to do now

CISA has given U.S. federal civilian agencies until early December 2025 to patch, mitigate, or remove the affected extensions. Everyone else should do the same on the same timeline. Update iCagenda and Balbooa Forms to the latest versions from the official Joomla Extensions Directory. If you don't actually use them, uninstall them, don't just disable them. Check the server's upload folders for files you didn't put there, especially anything ending in .php.

One thing the post-mortem will say: nobody was watching the extensions.

Operational takeaway: on any CMS, treat every third-party add-on as an unlocked side door until proven otherwise.

© 2026 Threat Vectr