Responsible Security Disclosure – SP Page Builder Exploit Toolkit Targeting Versions Prior To 6.6.2 - Question | JoomShaper

Responsible Security Disclosure – SP Page Builder Exploit Toolkit Targeting Versions Prior To 6.6.2

L

linda

SP Page Builder 2 weeks ago

Dear JoomShaper Security Team,

We recently completed a forensic investigation following the compromise of one of our production Joomla servers.

Although the SP Page Builder vulnerability has already been addressed, our investigation recovered what appears to be the complete toolkit used by the attackers to automate exploitation of vulnerable installations.

The recovered package includes:

  • Multiple Python exploit variants (including different revisions)
  • Payload generators
  • ZIP payloads
  • A compiled Linux scanning binary
  • Target lists used by the toolkit
  • Supporting files associated with the exploitation workflow

During the incident, the attackers successfully uploaded PHP webshells into the following directory:

/media/com_sppagebuilder/assets/iconfont/icofont/fonts/

The recovered toolkit specifically targets the custom icon upload functionality and contains automation for scanning, exploitation, payload deployment, and verification.

We believe these samples may help your security team:

  • Better understand how the exploit has been weaponized in the wild.
  • Improve future detection capabilities.
  • Identify additional Indicators of Compromise (IOCs).
  • Enhance protection for SP Page Builder users.

If preferred, we can also provide:

  • SHA-256 hashes
  • IOC lists
  • Timeline of the attack
  • Webshell samples recovered from compromised websites
  • Additional forensic findings from our investigation

We hope this information will be useful to your security team and contribute to improving the security of the Joomla ecosystem.

Kind regards,

Majdi Al Haj Hussin MazajNet Security Team https://www.mazajnet.com

0
7 Answers
Ziaul Kabir
Ziaul Kabir
Accepted Answer
Support Agent 2 weeks ago #226993

Dear Majdi,

Thank you for reaching out and for responsibly disclosing your findings.

We appreciate the time and effort your team has invested in investigating this incident and collecting the forensic evidence. The information you've described—including the exploit toolkit, payloads, webshell samples, IOCs, and the attack timeline—is valuable for our security analysis and helps us further strengthen our detection and response capabilities.

The vulnerability you mentioned was already identified and fixed in SP Page Builder v6.6.2. We continuously monitor, review, and improve the security of our products to help protect our users against emerging threats.

Thank you again for taking the time to share your findings and for contributing to the security of the SP Page Builder and Joomla ecosystem.

Kind regards,

0
L
linda
Accepted Answer
2 weeks ago #226999

I know, there is a new one, for 6.2.2, check the files the attached link

0
Ziaul Kabir
Ziaul Kabir
Accepted Answer
Support Agent 2 weeks ago #227014

I see the files are marked as a virus and I cannot download them.

I apologize for the inconvenience. Could you please create a ZIP file and share it with me? Google is flagging it as a virus.

Thanks.

0
L
linda
Accepted Answer
2 weeks ago #227126

i dont know how to send you the files, but the file start with

""" SP Page Builder < 6.6.2 - Unauthenticated RCE PoC

All-in-one: auto-crafts ZIP + uploads + verifies.

Modes: python3 exp.py -T target.com # Hello World (verify RCE) python3 exp.py -T target.com shell # Backtick webshell python3 exp.py -T target.com shell2 # Dropper: downloads full webshell as halo.PHP python3 exp.py -l targets.txt shell # Mass scan shell mode python3 exp.py -l targets.txt shell2 # Mass scan dropper mode """

Every day, I have a site get hacked, and its index is replaced with some gambling sites, and the site have SP Page Builder 6.2.2,

so i think there is still something allow hackers to hack

0
Ziaul Kabir
Ziaul Kabir
Accepted Answer
Support Agent 2 weeks ago #227131

Please, use this platform: https://files.fm/

Thanks

0
L
linda
Accepted Answer
2 weeks ago #227194

ok password to open the file is : bitninja

here is the link https://files.fm/u/7pe2fzmse6

0
Ziaul Kabir
Ziaul Kabir
Accepted Answer
Support Agent 1 week ago #227212

File downloaded and forwarded to our dev team.

Thanks for your support. Best Regards,

0