CISA has confirmed active exploitation of two critical zero-day vulnerabilities in popular Joomla extensions. Both flaws carry maximum CVSS 10.0 severity ratings and appear in the agency's Known Exploited Vulnerabilities catalog following reports of real-world attacks.

CVE-2024-48939 affects the iCagenda extension for Joomla. The flaw allows attackers to execute arbitrary code on vulnerable servers without authentication. Administrators using iCagenda should treat this as immediately exploitable. The vulnerability stems from insufficient input validation in the extension's core functions.

A second critical flaw impacts the Balbooa Forms component, also for Joomla. This vulnerability enables unauthenticated remote code execution through form submission endpoints. Attackers can bypass security checks and inject malicious code directly into affected systems.

Both extensions serve essential functions in Joomla ecosystems. iCagenda manages event calendars and scheduling across thousands of websites. Balbooa Forms handles customer data collection and contact submissions. The combination of high adoption rates and maximum severity ratings means exposure is widespread.

CISA's addition to the KEV catalog signals that threat actors actively weaponize these flaws. Organizations running either extension face immediate risk. Attackers can compromise sites without valid credentials or special access.

Joomla administrators should immediately check installed extensions and remove or disable iCagenda and Balbooa Forms if deployed. Patches for both vulnerabilities have been released. iCagenda users should update to the latest patched version. Balbooa Forms administrators should apply available security updates from the extension vendor.

Organizations unable to patch immediately should isolate affected Joomla installations from external networks or place them behind additional authentication layers. Web application firewalls can block known exploitation patterns if configured properly.

The timing of CISA's