December 29, 2015 By Douglas Bonderud 2 min read

According to US-CERT, Joomla has just released version 3.4.7 of its open-source content management system (CMS) in an effort to lock down two new vulnerabilities, one of which could grant attackers full control of an affected website. As noted by SecurityWeek, the severity of these flaws didn’t go unnoticed: Symantec tracked an average of 16,000 hits per day attempting to exploit the issue. Here’s a rundown of what’s at risk with an unpatched Joomla install.

Joomla Security Risks

For almost a decade, a critical remote command execution vulnerability has existed in Joomla; versions 1.5 through 3.4.5 are affected by CVE-2015-8562. According to Ars Technica, while Joomla security teams patched the vulnerability within two days, the bug was already being exploited in the wild on IP addresses 146.0.72.83, 74.3.170.33 and 194.28.174.106. In addition, any events using either “JDatabaseDriverMysqli” or “O:” in the user agent were likely attack vectors.

So what’s the big risk here? CVE-2015-8562 leverages an issue with poor filtering when Joomla saves browser session values. As detailed by Sucuri, exploiting this flaw and combining it with the result of MySQL meeting a UTF-8 character that isn’t supported by uft8_general_ci — which causes data truncation from a specific value — it’s possible to launch an attack that could fully compromise servers. Cybercriminals then use the servers as malware hosts or sell access to them for a fee on the Dark Web.

Big Numbers

Given the relative simplicity of the flaw and the substantial impact if exploited, its no wonder attackers were eager to jump on the problem in the wild. In an effort to determine which servers are still vulnerable, cybercriminals have been swinging for the fences, sending out HTTP requests and analyzing the responses of phpinfo() and eval(chr()) functions to find likely targets. The result? Symantec clocked a high point of more than 20,000 attempts in a single day, with day-to-day averages hovering around 16,000 hits, according to SecurityWeek.

It makes sense that cybercriminals would be working overtime trying to exploit the vulnerability. While WordPress still dominates the CMS marketplace, Joomla holds a solid second place with over 550,000 Web pages using the open-source service, including Linux.com, The Hill online newspaper and Harvard University. Full access to any of these servers would let malicious actors wreak havoc; Malware distribution, DDoS attacks and stolen data are all potential outcomes.

The takeaway here? Even with Joomla security on the ball, there’s no guarantee that existing code flaws won’t crop up and cause problems for big companies. The solution? Active monitoring for starters — just because an application, CMS or cloud-based service seems secure, that’s no reason to turn a blind eye if odd behaviors start to emerge. Immediate patching is also critical. Within two days, Joomla rolled out version 3.4.6 and closed the security hole but in the time hits were already skyrocketing. Two more days and 32,000 attacks could slip through. A week? More than 110,000.

It’s simple: Attackers love vulnerabilities. Existing problems continue to emerge, even in well-used and thoroughly tested software. No protection is perfect, but dodging the hacker haymaker requires constant vigilance — and immediate updating.

More from

How cyber criminals are compromising AI software supply chains

3 min read - With the adoption of artificial intelligence (AI) soaring across industries and use cases, preventing AI-driven software supply chain attacks has never been more important.Recent research by SentinelOne exposed a new ransomware actor, dubbed NullBulge, which targets software supply chains by weaponizing code in open-source repositories like Hugging Face and GitHub. The group, claiming to be a hacktivist organization motivated by an anti-AI cause, specifically targets these resources to poison data sets used in AI model training.No matter whether you use…

New report shows ongoing gender pay gap in cybersecurity

3 min read - The gender gap in cybersecurity isn’t a new issue. The lack of women in cybersecurity and IT has been making headlines for years — even decades. While progress has been made, there is still significant work to do, especially regarding salary.The recent  ISC2 Cybersecurity Workforce Study highlighted numerous cybersecurity issues regarding women in the field. In fact, only 17% of the 14,865 respondents to the survey were women.Pay gap between men and womenOne of the most concerning disparities revealed by…

Getting “in tune” with an enterprise: Detecting Intune lateral movement

13 min read - Organizations continue to implement cloud-based services, a shift that has led to the wider adoption of hybrid identity environments that connect on-premises Active Directory with Microsoft Entra ID (formerly Azure AD). To manage devices in these hybrid identity environments, Microsoft Intune (Intune) has emerged as one of the most popular device management solutions. Since this trusted enterprise platform can easily be integrated with on-premises Active Directory devices and services, it is a prime target for attackers to abuse for conducting…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today