We noticed there is already another thread discussing suspicious activity around the uploadCustomIcon functionality, but we decided to open a separate topic because we have now collected concrete forensic evidence from a production environment.
We are running:
Joomla 6.1.1 (latest version)
SP Page Builder Pro 6.6.2
Official licensed version downloaded directly from JoomShaper
No nulled extensions or modified packages
Over the last 24 hours we observed a large number of automated attacks targeting the following endpoint:
index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon
Our hosting provider's malware protection system logged multiple upload attempts from different IP addresses worldwide. The uploaded payloads contained PHP webshells hidden inside ZIP archives.
The malware scanner reports clearly show the requests being processed through:
option=com_sppagebuilder&task=asset.uploadCustomIcon
and the extracted files appearing under:
/media/com_sppagebuilder/assets/iconfont/<random>/fonts/
During the investigation we recovered an actual webshell from that directory:
/media/com_sppagebuilder/assets/iconfont/icoclfsko/fonts/fmbhvzr.PHP
Based on the logs, the attack pattern appears to be:
Direct frontend request to asset.uploadCustomIcon
Upload of a ZIP archive
Archive extraction into the iconfont directory
Creation of executable PHP files
Remote command execution
At the moment we have mitigated the issue by:
Blocking task=asset.uploadCustomIcon via .htaccess
Disabling PHP execution inside /media/com_sppagebuilder/
Removing all discovered shells
Can the development team please clarify:
Is this a known issue?
Should this endpoint require administrator authentication?
Has a security fix already been released?
Is there any official mitigation available?
Any feedback would be greatly appreciated, as this is currently affecting multiple production websites.
Thank you.
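For other site owners triaging the same pattern, the following is an added example (not code from the post above, nor from JoomShaper or Joomla). It does the two checks a responder needs first: pull every request for the reported task out of a combined-format access log, marking whether it came through the frontend or through /administrator/, and list files with PHP-like extensions under the extension's media tree, matching case-insensitively because the recovered shell was named with an upper-case .PHP suffix. The log lines, IP addresses (TEST-NET documentation ranges) and the sample directory tree are constructed for the demo and are not from the poster's hosting logs.

```python
"""Triage helpers for the com_sppagebuilder uploadCustomIcon pattern.

Added example, not the forum poster's or JoomShaper's code. Sample log lines
and the directory tree built below are constructed; IPs are TEST-NET ranges.
"""
import os
import re
import tempfile
from urllib.parse import parse_qs, urlsplit

# Endpoint named in the report. We match on parsed query parameters, so the
# order of option/task in the URL does not matter.
TARGET_OPTION = "com_sppagebuilder"
TARGET_TASK = "asset.uploadCustomIcon"

# Apache/Nginx combined format: ip, ident, user, [timestamp], "request", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real hosting-provider logs).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2025:03:14:07 +0000] "POST /index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2025:03:14:09 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Jan/2025:03:15:30 +0000] "POST /index.php?task=asset.uploadCustomIcon&option=com_sppagebuilder HTTP/1.1" 403 199 "-" "python-requests/2.31"
203.0.113.10 - - [01/Jan/2025:03:16:02 +0000] "POST /administrator/index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def find_upload_attempts(log_text):
    """Return one record per request that targets the reported task."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        url = urlsplit(m.group("path"))
        q = parse_qs(url.query)
        if q.get("option") != [TARGET_OPTION] or q.get("task") != [TARGET_TASK]:
            continue
        hits.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "method": m.group("method"),
            "status": int(m.group("status")),
            # Frontend calls do not pass through /administrator/; these are the
            # requests the report describes as hitting the site directly.
            "frontend": not url.path.startswith("/administrator/"),
        })
    return hits


# Extensions a typical PHP handler will execute; compared in lower case.
PHP_EXTENSIONS = {".php", ".phtml", ".phar", ".php5", ".php7"}


def find_php_files(media_root):
    """List files with PHP-like extensions under media_root, relative and sorted.

    Case-insensitive on purpose: a plain '*.php' glob misses names ending in .PHP.
    """
    found = []
    for dirpath, _dirs, files in os.walk(media_root):
        for name in files:
            if os.path.splitext(name)[1].lower() in PHP_EXTENSIONS:
                found.append(os.path.relpath(os.path.join(dirpath, name), media_root))
    return sorted(found)


def build_sample_tree():
    """Create a throwaway tree shaped like media/com_sppagebuilder (constructed).

    The flagged file holds only a comment, so the demo never writes runnable code.
    """
    root = tempfile.mkdtemp(prefix="sppb_demo_")
    fonts = os.path.join(root, "assets", "iconfont", "abcdefgh", "fonts")
    os.makedirs(fonts)
    with open(os.path.join(fonts, "icons.woff"), "wb") as f:
        f.write(b"wOFF")  # legitimate font asset; must not be flagged
    with open(os.path.join(fonts, "sample.PHP"), "w") as f:
        f.write("<?php // constructed placeholder for the demo, not a shell\n")
    with open(os.path.join(root, "assets", "iconfont", "style.css"), "w") as f:
        f.write("/* stylesheet */\n")
    return root


if __name__ == "__main__":
    for hit in find_upload_attempts(SAMPLE_LOG):
        where = "frontend" if hit["frontend"] else "admin"
        print(f'{hit["time"]} {hit["ip"]} {hit["method"]} {where} -> {hit["status"]}')
    root = build_sample_tree()
    print("PHP-like files under", root)
    for rel in find_php_files(root):
        print("  ", rel)
```

Run it against a real log by reading the file into `find_upload_attempts`, and point `find_php_files` at the site's `media/com_sppagebuilder` directory; any hit there is worth a look, since a font/icon directory has no legitimate reason to hold PHP. The log check complements the .htaccess block described in the post: a 403 on the task confirms the rule is in place, while a 200 from a frontend path after the block was added means the rule is not being applied.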