Vulnerable Joomla Servers See 16,000 Daily Attacks

Symantec has detected up to 20,000 daily attempts to exploit a recently patched Joomla vulnerability that can be leveraged for remote code execution.

The vulnerability, identified as CVE-2015-8562, was patched in mid-December with the release of Joomla 3.4.6 and hotfixes for versions 1.5 and 2.5. The first attempts to exploit the flaw, which affects installations running Joomla 1.5.0 through 3.4.5, were spotted two days before the developers of the popular content management system (CMS) released patches.

Symantec has been monitoring attack attempts and detected, on average, 16,000 daily hits since the vulnerability was disclosed.

Attackers can leverage the Joomla security hole to compromise servers and use them for hosting malware and other malicious activities. They can also sell access to the targeted servers on the underground market, allowing others to abuse them for distributed denial-of-service (DDoS) attacks. Some of the compromised machines can also host valuable information.

Symantec reported seeing infected servers being used to redirect victims to exploit kits, and possibly for hosting malware.

The Joomla vulnerability targeted by attackers is caused by the lack of proper filtering when saving browser session values into the database. Sucuri has published a blog post detailing the flaw and how it can be exploited.

According to researchers, malicious actors have been trying to determine which servers are vulnerable by sending out HTTP requests and analyzing responses when functions such as phpinfo() and eval(chr()) are executed.

Once a vulnerable server is identified, the attackers install a backdoor that allows them to execute commands, upload and download files, and modify the websites hosted on the server.

Administrators can check their web access logs for suspicious requests, and if malicious requests were sent before the Joomla installation was patched, it should be assumed that the system has been breached.
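A defender-side check along the lines the article suggests, written here as an added example (it is not code from the article, Symantec or the Joomla project): it walks combined-format web access log lines, looks for the scanner markers named above (phpinfo() and eval(chr())) in the request line, referrer and User-Agent fields, and flags any hit dated before the host's patch time as grounds to assume the server was breached. The log lines, client addresses and the patch timestamp are constructed.

```python
import re
from datetime import datetime, timezone

# Markers the article says probing requests carried (case-insensitive match).
PROBE_MARKERS = ("phpinfo(", "eval(chr(")

# Apache/nginx "combined" format; the User-Agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one benign hit, one probe before patching, one after.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Dec/2015:09:12:44 +0000] "GET / HTTP/1.1" 200 5120 '
    '"-" "Mozilla/5.0 (compatible; ExampleBot/1.0)"',
    '198.51.100.7 - - [13/Dec/2015:22:41:03 +0000] "GET /index.php HTTP/1.1" '
    '200 4870 "-" "ScannerProbe phpinfo();"',
    '198.51.100.7 - - [16/Dec/2015:03:15:19 +0000] "GET /index.php HTTP/1.1" '
    '200 4870 "-" "ScannerProbe eval(chr(1));"',
]
# Assumed time at which this host applied the Joomla fix (constructed).
PATCHED_AT = datetime(2015, 12, 14, 12, 0, tzinfo=timezone.utc)


def parse_ts(ts):
    """Parse an access-log timestamp such as 14/Dec/2015:10:05:31 +0000."""
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def scan_log(lines, patched_at):
    """Return one finding per request that carries a probe marker."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        haystack = (m["req"] + m["ref"] + m["ua"]).lower()
        hits = [p for p in PROBE_MARKERS if p in haystack]
        if not hits:
            continue
        when = parse_ts(m["ts"])
        findings.append({
            "line": n, "ip": m["ip"], "when": when, "markers": hits,
            "status": int(m["status"]),
            # Article's rule: a malicious request that arrived before the
            # patch was applied means the system should be treated as breached.
            "assume_breached": when < patched_at,
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG, PATCHED_AT):
        print(f)
```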

In mid-November, Symantec reported that malicious actors had sent out thousands of requests each day in an effort to find vBulletin servers plagued by a vulnerability patched on November 2.

The security company noted that the methods used by attackers to find vulnerable vBulletin installations are similar to the ones leveraged now against Joomla servers.

UPDATE. Joomla developers said the root cause of the vulnerability is a PHP bug patched in September. Joomla 3.4.7 has been released to address this critical issue along with a low-level flaw, and to harden the MySQLi driver to help prevent object injection attacks.

“The only Joomla sites affected by [the vulnerability exploited in the wild] are those which are hosted on vulnerable versions of PHP. We are aware that not all hosts keep their PHP installations up to date so we are making this release to deal with this issue on vulnerable PHP versions,” Joomla developers said.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
