News Article · Jun 18, 2026 at 8:38 AM
CISA Orders Federal Agencies to Patch Max-Severity Joomla Plugin Flaw by Friday
Security #CISA #AMD #ransomware #secure boot #Joomla #JCE #CVE-2026-48907

CISA orders federal agencies to patch a critical Joomla plugin vulnerability by Friday. The flaw, actively exploited in the wild, allows unauthenticated code execution.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered Federal Civilian Executive Branch agencies to patch a maximum-severity vulnerability in the Widget Factory Joomla Content Editor (JCE) plugin by the end of this week. The directive follows active exploitation of the flaw, tracked as CVE-2026-48907.

The vulnerability carries a CVSS score of 10.0 and affects all Joomla deployments using the JCE WYSIWYG editor plugin. It allows unauthenticated attackers to upload and execute arbitrary PHP code through improper access control in editor profile creation. The JCE security team addressed the issue in early June with version 2.9.99.6, warning that working exploit code is public and attacks are automated.

CISA Directive and Broader Patching Mandate

CISA added CVE-2026-48907 to its Known Exploited Vulnerabilities Catalog on Tuesday, triggering Binding Operational Directive 26-04. That directive, issued last week, requires agencies to prioritize patches based on exploitation risk, internet exposure, and the potential for automated attacks. Agencies must secure affected systems by Friday or discontinue use of the product if mitigations are unavailable.

  • The vulnerability requires no authentication and has low attack complexity, making it attractive for automated exploitation.
  • JCE advised that updating does not clean already-compromised sites; administrators must also delete attacker profiles, change all passwords, and run full malware scans.
  • In a separate incident, researchers reported that Microsoft Teams relay servers have been abused in a DragonForce ransomware attack to deploy a Go-based backdoor for command-and-control.
  • Windows and Linux users face an approaching deadline to update Secure Boot keys due to certificate expiration, which could leave systems vulnerable to boot-level attacks.

Implications for Enterprise Security Posture

The rapid move from public exploit disclosure to active exploitation underscores the shrinking window between patch release and weaponization. For organizations running Joomla with the JCE plugin, the risk extends beyond the federal government. Any internet-facing deployment with unauthenticated user registration is a viable target. JCE warned that sites with no public registration are not safe because automated scanners probe for the vulnerable endpoint directly.

Meanwhile, AMD has drawn criticism after quietly disabling memory encryption on some consumer Ryzen CPUs without public explanation. The change affects Zen 5-based chips such as the Ryzen 7 9700X, removing a feature that protects against cold-boot and DMA attacks. Privacy-conscious users who discovered the change found no mention of it in release notes or chipset driver updates.

Security teams should verify that their vulnerability management processes can handle the current pace of high severity disclosures. CISA's BOD 26-04 provides a framework for evaluating exposure, but private sector organizations should apply the same rigor. With time to exploitation now measured in days, patching remains the most effective defense.
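As an added illustration of the kind of KEV-driven check the article recommends (this is example code written for this page, not a CISA, JCE or Joomla tool), the script below cross-references a KEV-format catalog entry against an asset inventory and ranks unpatched hosts by internet exposure and time left to the deadline. The CVE id and fixed JCE version 2.9.99.6 come from the article; the KEV record, its dates, and the host inventory are constructed sample values, and the field names follow the public KEV JSON feed.

```python
"""Rank unpatched assets against a CISA KEV-style entry and a fixed version.

Added example (not code from the article, CISA, or the JCE project). The KEV
record and inventory below are constructed; only the CVE id and the fixed
version 2.9.99.6 are taken from the article. Dates are assumed sample values.
"""
import json
from datetime import date

# Constructed KEV-format record. Field names match the public KEV JSON feed;
# the dateAdded and dueDate values are assumptions for this example.
SAMPLE_KEV_JSON = json.dumps({
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-48907",
            "vendorProject": "Widget Factory",
            "product": "JCE Editor",
            "dateAdded": "2026-06-16",
            "dueDate": "2026-06-19",
            "knownRansomwareCampaignUse": "Unknown",
        }
    ]
})

# CVE -> (product name as used in the inventory, first fixed version).
FIXED_VERSIONS = {"CVE-2026-48907": ("JCE Editor", "2.9.99.6")}

# Constructed inventory; hostnames and versions are sample values.
SAMPLE_INVENTORY = [
    {"host": "www-joomla-01", "product": "JCE Editor", "version": "2.9.99.5", "internet_facing": True},
    {"host": "intranet-cms", "product": "JCE Editor", "version": "2.9.98", "internet_facing": False},
    {"host": "www-joomla-02", "product": "JCE Editor", "version": "2.9.99.6", "internet_facing": True},
]


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '2.9.99.6' into (2, 9, 99, 6) so versions compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def is_patched(installed: str, fixed: str) -> bool:
    """True when the installed version is at or above the first fixed version."""
    a, b = parse_version(installed), parse_version(fixed)
    # Pad the shorter tuple with zeros so '2.9.99' compares as (2, 9, 99, 0).
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def kev_due_dates(kev_json: str) -> dict[str, date]:
    """Map CVE id -> remediation due date from a KEV-format JSON document."""
    feed = json.loads(kev_json)
    return {v["cveID"]: date.fromisoformat(v["dueDate"]) for v in feed["vulnerabilities"]}


def find_unpatched(kev_json: str, fixed_versions: dict, inventory: list, today: date) -> list:
    """Return unpatched assets, internet-facing first, then by tightest deadline."""
    due_dates = kev_due_dates(kev_json)
    findings = []
    for asset in inventory:
        for cve, (product, fixed) in fixed_versions.items():
            if asset["product"] != product or is_patched(asset["version"], fixed):
                continue
            # A CVE may be tracked internally before it appears in the KEV feed.
            days_left = (due_dates[cve] - today).days if cve in due_dates else None
            findings.append({
                "host": asset["host"],
                "cve": cve,
                "installed": asset["version"],
                "fixed": fixed,
                "internet_facing": asset["internet_facing"],
                "days_left": days_left,
            })
    findings.sort(key=lambda f: (not f["internet_facing"],
                                 f["days_left"] if f["days_left"] is not None else 10**6))
    return findings


if __name__ == "__main__":
    # Assumed "today" for the sample report.
    for f in find_unpatched(SAMPLE_KEV_JSON, FIXED_VERSIONS, SAMPLE_INVENTORY, date(2026, 6, 18)):
        exposure = "INTERNET-FACING" if f["internet_facing"] else "internal"
        print(f"{f['host']:15} {f['cve']} {f['installed']} -> {f['fixed']} "
              f"[{exposure}] due in {f['days_left']} day(s)")
```

In practice the inventory would come from a CMDB or the Joomla extension manager and the KEV JSON from CISA's published feed; the ordering mirrors the article's BOD 26-04 criteria of exposure and deadline, and any host that is still unpatched after the due date shows a negative `days_left`.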

Fact check

  • CISA ordered federal agencies to patch CVE-2026-48907 by Friday under BOD 26-04.

  • The JCE plugin vulnerability allows unauthenticated attackers to upload and execute PHP code.

  • Microsoft Teams relay servers were abused in a DragonForce ransomware attack to deploy a Go-based backdoor.

  • Windows and Linux users face a deadline to update Secure Boot keys due to expiration.

  • AMD quietly disabled memory encryption on some consumer Ryzen CPUs without explanation.