A maximum-severity zero-day vulnerability in JoomShaper's popular SP Page Builder extension is under active, widespread exploitation. Tracked as CVE-2026-48908, the flaw has officially been added to CISA's Known Exploited Vulnerabilities catalog due to high-volume botnet automation targeting web properties globally.
Unlike simple home-page defacements, this exploit grants unauthenticated remote actors total control over your server backend, allowing them to steal data, plant persistent backdoors, and execute malicious scripts.
How the Attack Vector Operates
The vulnerability exists because a specific administrative endpoint intended to process custom icon uploads lacks an authentication check and fails to restrict file types. Automated scripts can query this task directly and upload raw executable PHP code straight into a web-accessible folder.
Once the file is written to disk, the botnet executes the script to establish permanence. The automated payload instantly generates a rogue Joomla Super Administrator account—frequently using fake emails ending in @secure.local—and seeds file manager backdoors across hidden folders like /media/com_admin/ and deep within image directories.
How to Audit and Protect Your Environment
1. Update Immediately: This critical issue affects all versions up to and including 6.6.1. You must update your SP Page Builder installation to version 6.6.2 right now to close the unauthenticated upload path. Unpublishing the component is not enough.
2. Hunt for Rogue Admins: Upgrading closes the entry point, but it will not remove hackers who have already created accounts. Navigate to your Joomla User Manager and audit your Super User list. Look for unauthorized usernames or suspicious @secure.local email extensions and delete them immediately.
3. File System Clean: Inspect your directories for unexpected PHP web shell files. Pay close attention to your /images/, /media/, and temporary directories, searching for recent, unauthorized file modifications.
Common Log Indicators and Search Terms
Administrators auditing server access logs or investigating server overloads should look for the following precise signatures used by the automated exploits:
- task=asset.uploadCustomIcon (The exact unauthenticated controller task queried in malicious HTTP POST requests).
- option=com_sppagebuilder&task=asset.uploadCustomIcon (The full URL query string flooding Apache, Nginx, or LiteSpeed access logs).
- @secure.local (The default email domain used by the automated scripts to generate rogue, stealthy Super Administrator accounts).
- /media/com_sppagebuilder/assets/iconfont/ (The default server directory where attackers are uploading and executing raw PHP web shells).
- CVE-2026-48908 (The maximum-severity 10.0 CVSS tracking ID for this specific pre-authentication remote code execution flaw).

Comments