Active Exploitation of JCE Editor (CVE-2026-48907)

A massive unauthenticated Remote Code Execution (RCE) campaign is actively targeting the popular JCE Editor extension. Unlike simple front-page defacements, the JCE hack allows completely unauthenticated remote actors to silently compromise your underlying file system and database.

How the JCE Attack Chain Works

1. Broken Access Control: Attackers send an unauthenticated HTTP POST request to the JCE profile synchronization task endpoint.

2. Profile Hijacking: The botnet imports a rogue, custom editor configuration profile (often setting a negative ordering value like -99999 to force it to the top of the list).

3. Upload Bypass: The rogue profile explicitly disables MIME validation and overrides native safety features, allowing the unauthenticated attacker to immediately upload and execute a malicious PHP web shell.

How to Audit and Cure a JCE Infection

1. Inspect Profiles: Go to your JCE Components menu, open Editor Profiles, and look for unauthorized configurations with machine-generated labels or anomalous negative order values. Delete them immediately.

2. Scan the File System: Audit your public web-accessible directories, specifically /tmp, /media, /images, and the template roots, for unexpected PHP scripts containing encoded commands or web shell frameworks.

3. Update the Extension: Immediately upgrade JCE Editor to version 2.9.99.8 or newer to ensure the unauthenticated controller endpoints are locked behind valid admin authentication sessions.

Comments