A massive unauthenticated Remote Code Execution (RCE) campaign is actively targeting the popular JCE Editor extension. Unlike simple front-page defacements, the JCE hack allows completely unauthenticated remote actors to silently compromise your underlying file system and database.
How the JCE Attack Chain Works
1. Broken Access Control: Attackers send an unauthenticated HTTP POST request to the JCE profile synchronization task endpoint.
2. Profile Hijacking: The botnet imports a rogue, custom editor configuration profile (often setting a negative ordering value like -99999 to force it to the top of the list).
3. Upload Bypass: The rogue profile explicitly disables MIME validation and overrides native safety features, allowing the unauthenticated attacker to immediately upload and execute a malicious PHP web shell.
How to Audit and Cure a JCE Infection
1. Inspect Profiles: Go to your JCE Components menu, open Editor Profiles, and look for unauthorized configurations with machine-generated labels or anomalous negative order values. Delete them immediately.
2. Scan the File System: Audit your public web-accessible directories, specifically /tmp, /media, /images, and the template roots, for unexpected PHP scripts containing encoded commands or web shell frameworks.
3. Update the Extension: Immediately upgrade JCE Editor to version 2.9.99.8 or newer to ensure the unauthenticated controller endpoints are locked behind valid admin authentication sessions.

Comments