
Critical Vulnerabilities in Joomla and LiteSpeed Lead to Active Exploitation, Urging Immediate Updates

Joomla Content Editor (JCE) and LiteSpeed's cPanel plugin are under attack due to critical vulnerabilities allowing arbitrary file uploads and privilege escalation. These flaws have been actively exploited, with CVE-2026-48907 affecting all JCE Pro versions before 2.9.99.5 and CVE-2026-54420 impacting LiteSpeed users running outdated plugins. Immediate updates are crucial for mitigation.

Summary

Security experts report that vulnerabilities in Joomla's Content Editor (JCE) and the LiteSpeed cPanel plugin have been exploited by threat actors to execute arbitrary code and escalate privileges on affected systems. The JCE vulnerability, identified as CVE-2026-48907, allows unauthenticated attackers to upload editor profiles, leading to PHP code execution. All versions of JCE Pro before 2.9.99.5 are vulnerable. LiteSpeed's plugin is affected by a symlink handling flaw (CVE-2026-54420) that enables privilege elevation on shared hosting servers. Both vulnerabilities have been added to CISA's Known Exploited Vulnerabilities catalog, which urges immediate patching.

What Happened

The Joomla Content Editor (JCE) vulnerability permits unauthenticated attackers to upload arbitrary files, leading to PHP code execution. This flaw affects all JCE Pro versions prior to 2.9.99.5 and was patched in version 2.9.99.6, released on June 6. Meanwhile, LiteSpeed's cPanel plugin is susceptible to a symlink vulnerability (CVE-2026-54420) that allows users with FTP or web shell access to escalate their privileges to root. This defect affects all versions before 2.4.8, which was released as the fix on June 1.

Exploitation Status

Both vulnerabilities are actively exploited in the wild. The JCE flaw has been used for automated attacks, as confirmed by Joomla's warning that even sites without public registration are at risk. LiteSpeed users have also reported exploitation of their plugin vulnerability since May. CISA has added these issues to its Known Exploited Vulnerabilities catalog, highlighting the urgency for federal agencies and other organizations to patch them.

Indicators of Compromise

Joomla has provided indicators of compromise (IoCs) to assist administrators in identifying potential breaches on their sites. However, updating software alone will not remove any malicious files or code left by attackers. Site admins must conduct thorough investigations to ensure complete remediation.

Affected Products and Fixed Versions

  • Joomla Content Editor (JCE): Vulnerable versions are all JCE Pro releases before 2.9.99.5. The issue was addressed in version 2.9.99.6.
  • LiteSpeed cPanel Plugin: All versions prior to 2.4.8 are affected by the symlink vulnerability.

Detection Opportunities

For Joomla, admins should monitor for unauthorized uploads of editor profiles and unexpected PHP file executions. LiteSpeed users can use the command provided by maintainers to check if their servers have been compromised due to improper symlink handling.
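As an added illustration of the two detection opportunities above (this is not code from the article, from Joomla or from LiteSpeed), the script below walks a Joomla web root and reports PHP files sitting inside upload directories and symlinks that resolve outside the web root. The upload directory name `images`, the extension list and the sample tree are all assumptions constructed for the demonstration; a hit is a file to inspect by hand, not proof of compromise.

```python
"""Added triage helper for the two detection opportunities above (not vendor code).

Assumptions (not stated on the page): JCE uploads land under the Joomla
'images' directory, and any .php file there or any symlink that resolves
outside the web root deserves a manual look during post-patch forensics.
"""
import os
import tempfile
from pathlib import Path

PHP_EXT = {".php", ".phtml", ".php5", ".phar"}   # assumed executable extensions


def triage_webroot(webroot, upload_dirs=("images",)):
    """Return (php_in_uploads, escaping_symlinks) as sorted relative paths."""
    root = Path(webroot).resolve()
    uploads = [(root / d).resolve() for d in upload_dirs]
    php_hits, link_hits = [], []
    for dirpath, dirnames, filenames in os.walk(root):   # does not follow symlinks
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            rel = str(p.relative_to(root))
            if p.is_symlink():
                # Resolve the link; a target outside the web root is a symlink escape.
                target = Path(os.path.realpath(p))
                if target != root and root not in target.parents:
                    link_hits.append((rel, str(target)))
                continue
            in_upload_dir = any(u == p.parent or u in p.parent.parents for u in uploads)
            if p.is_file() and p.suffix.lower() in PHP_EXT and in_upload_dir:
                php_hits.append(rel)
    return sorted(php_hits), sorted(link_hits)


def build_sample_webroot():
    """Constructed sample tree (not real data) so the scan runs offline."""
    root = Path(tempfile.mkdtemp(prefix="joomla-triage-"))
    (root / "images" / "stories").mkdir(parents=True)
    (root / "images" / "stories" / "logo.png").write_bytes(b"\x89PNG")
    (root / "images" / "stories" / "up.php").write_text("<?php // placeholder\n")
    (root / "index.php").write_text("<?php // legitimate entry point\n")
    os.symlink(root / "index.php", root / "images" / "ok_link")   # stays inside
    os.symlink("/etc/passwd", root / "images" / "escape")         # leaves web root
    return str(root)


if __name__ == "__main__":
    php, links = triage_webroot(build_sample_webroot())
    print("PHP in upload dirs:", php)
    print("Symlinks leaving web root:", links)
```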

Why This Matters for Defenders

The exploitation of these vulnerabilities underscores the critical need for timely updates and vigilant monitoring. Automated attacks leveraging known exploits pose significant risks, especially when they allow attackers to execute arbitrary code or escalate privileges on affected systems. Organizations must prioritize patching and forensic triage to mitigate potential damage.

Defender Guidance

  1. Update Immediately: Deploy the latest versions of Joomla's JCE (2.9.99.6) and LiteSpeed's cPanel plugin (2.4.8).
  2. Monitor for IoCs: Use Joomla's provided indicators to identify any signs of compromise.
  3. Conduct Forensic Analysis: Even after patching, thoroughly investigate systems for residual malicious activity.
  4. Adhere to CISA Guidelines: Follow the directives outlined in BOD 26-04 for prioritizing security updates and conducting forensic triage.

What Remains Unclear

Details on the specific methods used by attackers to exploit these vulnerabilities are not fully disclosed, leaving some uncertainty about potential additional attack vectors. Further information may emerge as more organizations report incidents related to these flaws.

Sources

  1. https://www.securityweek.com/joomla-litespeed-vulnerabilities-exploited-in-attacks/
  2. https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Harith Dilshan

- Offensive Security Engineer | Ethical Hacker | Penetration Tester -