Critical Joomla RCE bug actively exploited, patch immediately!

An eight-year-old Joomla critical remote code execution vulnerability, which is being actively exploited in attacks in the wild, has been patched by the developers of the popular open-source content management system in the newest release (v3.4.6).

The flaw (CVE-2015-8562) is present in Joomla versions 1.5.0 through 3.4.5, and is so severe that even though some older versions of the software have reached end of life and are no longer being developed or supported by the Joomla project, a patch has been provided for them.

“What is very concerning is that this vulnerability is already being exploited in the wild and has been for the last 2 days,” Sucuri CTO Daniel Cid pointed out on Monday.

“Looking back at our logs, we detected the first exploit targeting this vulnerability on Dec 12, at 4:49PM,” he shared. “We detected many more exploits from this same IP address “74.3.170.33” on Dec 12th, followed by hundreds more exploit attempts from 146.0.72.83 and 194.28.174.106 on Dec 13th. Today (Dec 14th), the wave of attacks is even bigger, with basically every site and honeypot we have being attacked. That means that probably every other Joomla site out there is being targeted as well.”

Joomla users are advised to update their websites as soon as possible (and switch to a supported version of the software if they haven’t already).

“If you are a Joomla user, check your logs right away,” Cid also advised. “Look for requests from 146.0.72.83 or 74.3.170.33 or 194.28.174.106 as they were the first IP addresses to start the exploitation. I also recommend searching your logs for ‘JDatabaseDriverMysqli’ or ‘O:’ in the User Agent as it has been used in the exploits. If you find them, consider your Joomla site compromised and move to the remediation / incident response phase.”