CISA orders feds to patch max severity Joomla plugin flaw by Friday
- June 17, 2026
- 06:09 AM

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch a maximum-severity flaw in the Widget Factory Joomla Content Editor (JCE) plugin that is being actively exploited in the wild.
Tracked as CVE-2026-48907, the vulnerability can be exploited by unprivileged threat actors to achieve code execution in low-complexity attacks against Joomla deployments that use the JCE WYSIWYG editor plugin.
"Widget Factory Joomla Content Editor contains an improper access control vulnerability which could allow for upload and execution of PHP code via the creation of new editor profiles for unauthenticated users," CISA warned on Tuesday.
The JCE security team addressed this in early June with the release of JCE Pro 2.9.99.6, warning users to patch their installation as soon as possible.
"If you have not yet updated, please do so immediately. The vulnerability is being actively exploited, working exploit code is public, and the attacks are automated, so a site with no public registration is not safe," it said.
"One important point: updating closes the entry point but does not clean a site that was already compromised. If you were hit before updating, the update will not remove what the attacker left behind."
To clean compromised sites, users are advised to first back up the rogue profiles for further investigation, then update to JCE 2.9.99.6 or later, delete the attacker's profile, change all passwords (including those for the administrator account, the site's database, and the hosting account), and then run a full server-side malware scan to confirm no other malicious tools or implants were planted.
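The first two clean-up steps above (preserve the rogue profiles as evidence, then remove them) are easy to get in the wrong order under pressure. The following Python script is an added example, not code from the article or from the JCE project: it takes an export of the site's editor profiles, separates the ones the site owner recognises from the ones they do not, and writes the suspects to a hashed backup before anything is deleted. It assumes the profiles have already been dumped from the site database into records with at least `id`, `name` and `created` fields; the real JCE table layout is not described in the article, and the sample export below is constructed.

```python
# Added example: triage of Joomla JCE editor profiles after a suspected
# compromise, illustrating the clean-up order the article describes (back up
# rogue profiles first, then delete them). Not code from the article or from
# the JCE project. ASSUMPTION: the profiles have already been exported from the
# site's database into records with at least "id", "name" and "created"
# fields; the real JCE table layout is not given in the article.
import hashlib
import json
from datetime import datetime

# Constructed sample export: three profile names a site owner might recognise
# plus one that is not in their baseline. Ids, names and timestamps are made up.
SAMPLE_EXPORT = [
    {"id": 1, "name": "Default", "created": "2024-03-02T10:15:00"},
    {"id": 2, "name": "Front End", "created": "2024-03-02T10:15:00"},
    {"id": 3, "name": "Blog", "created": "2024-03-02T10:15:00"},
    {"id": 7, "name": "upload", "created": "2026-06-11T03:42:17"},
]

# Baseline: profile names the site owner knows they created themselves.
KNOWN_PROFILES = {"Default", "Front End", "Blog"}


def find_rogue_profiles(profiles, known_names, created_after=None):
    """Return profiles absent from the owner's baseline or, if a cutoff is
    given, created after it (for example after the last known-good backup).
    Nothing is deleted here; the caller reviews the list first."""
    cutoff = datetime.fromisoformat(created_after) if created_after else None
    rogue = []
    for profile in profiles:
        unknown = profile["name"] not in known_names
        recent = cutoff is not None and datetime.fromisoformat(profile["created"]) > cutoff
        if unknown or recent:
            rogue.append(profile)
    return rogue


def serialize_backup(profiles):
    """Serialise suspect profiles deterministically (sorted keys) so the
    backup can be hashed and kept as evidence before removal."""
    return json.dumps(profiles, sort_keys=True, indent=2).encode("utf-8")


def backup_digest(data):
    """SHA-256 of the backup bytes, to record in the incident notes."""
    return hashlib.sha256(data).hexdigest()


def load_backup(data):
    """Read a backup produced by serialize_backup back into records."""
    return json.loads(data.decode("utf-8"))


def write_backup(profiles, path):
    """Write the backup file and return its digest."""
    data = serialize_backup(profiles)
    with open(path, "wb") as fh:
        fh.write(data)
    return backup_digest(data)


if __name__ == "__main__":
    suspects = find_rogue_profiles(SAMPLE_EXPORT, KNOWN_PROFILES)
    digest = write_backup(suspects, "rogue_jce_profiles.json")
    print(f"{len(suspects)} suspect profile(s) backed up, sha256={digest}")
    for p in suspects:
        print(f"  review, then delete: id={p['id']} name={p['name']!r} created={p['created']}")
```

Run it against a real export only after the site has been taken offline or the update applied; the point of the digest is that the backup can later be shown to match what was removed, which matters if the profiles are handed to a hosting provider or investigator.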
On Tuesday, CISA added the vulnerability to its list of actively exploited vulnerabilities and ordered Federal Civilian Executive Branch (FCEB) agencies to secure their systems by Friday, as required by Binding Operational Directive (BOD) 26-04.
"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," the cybersecurity agency warned yesterday. "Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines."
CISA BOD 26-04 was issued last Wednesday and requires U.S. government agencies to prioritize patching based on each vulnerability's risk of exploitation.
Key factors to consider when assessing the risks include whether the flaw is included in CISA's Known Exploited Vulnerabilities Catalog, whether vulnerable assets are publicly exposed online, whether exploitation can be automated for large-scale attacks, and whether it grants attackers partial or total control of the targeted system.
FTC warns of record $3.5 billion losses to imposter scams in 2025
- June 16, 2026
- 09:42 AM

The U.S. Federal Trade Commission (FTC) warned that Americans lost $3.5 billion to imposter scams in 2025, with reported losses nearly tripling since 2020.
Imposter scams were also the most reported fraud category last year, accounting for nearly one in three fraud reports filed with the FTC. In these scams, the fraudsters reach victims through text messages, phone calls, emails, social media, and search engine results. The costliest schemes typically involve a fake bank security alert that prompts targets to transfer funds to "protect" their accounts.
According to the FTC, victims lost nearly $1 billion to business impersonators (with bank impersonators being behind the most lucrative scams) and approximately $920 million to government impersonators. Social media was the most cost-effective attack vector for impersonators, with more than $2.1 billion in 2025 losses traced to social platforms (an eightfold increase since 2020).
Nearly one in three Americans who lost money in such scams were first contacted through social media, with Facebook losses alone exceeding those from text and email combined, while WhatsApp and Instagram ranked second and third.
"The FTC will use every tool available to combat one of the most pernicious forms of fraud—government and business impersonation—and to protect the integrity of the digital economy," said Christopher Mufarrige, director of the FTC's Bureau of Consumer Protection.
Overall reported fraud losses across all categories surged to about $16 billion in 2025, the highest on record and roughly 25% above the prior year.
In March 2024, the FTC also warned that scammers were impersonating its employees to steal money, after receiving many reports of fraudsters posing as agency personnel and pressuring Americans via phone calls, email, or text messages into wiring or transferring money.
Since its Impersonation Rule took effect in April 2024, the FTC has brought a dozen enforcement actions, securing more than $70 million in consumer redress and halting some imposter schemes.
Last year, the FTC announced law enforcement actions under this rule against MediaAlpha (government imposter scheme), American Tax Service (IRS imposter scheme), Blackstone Legal (phantom debt business imposter scheme), Click Profit (business imposter money-making scam), and Accelerated Debt Settlement (government and business imposter scheme).
It also filed a complaint against Innovative Partners in April 2026, alleging the company impersonated the government and insurance carriers to sell fraudulent health plans.
The same month, the FBI warned in its 2025 Internet Crime Report that U.S. victims lost almost $21 billion to cyber-enabled crimes throughout last year.