Bitdefender Vulnerability Report - SP Page Builder 6.6.2 - Question | JoomShaper

Bitdefender Vulnerability Report - SP Page Builder 6.6.2

MR

Murugappan Ramanathan

SP Page Builder 1 week ago

The following is the Vulnerability Report from Bitdefender Antivirus System on Page Builder 6.6.2. Please review and provide the fixed version urgently.

Vulnerability Report from Bitdefender:

MDR security analysts have identified continued malicious activity associated with the ongoing incident. Please review the following update.

Impacted hosts: vps.crm.emastpa.com.my Affected hosted application/domain: corporate.misocue.com

New Activity: Our investigation indicates that the attacker continues attempting to exploit the vulnerable Joomla SP Page Builder component by uploading new PHP web shells to the following location: "/home/emascorp/public_html/media/com_sppagebuilder/assets/iconfont//fonts/.php"

This activity is consistent with repeated exploitation of the vulnerable SP Page Builder "asset.uploadCustomIcon" functionality. As the affected host remains accessible from the internet and the vulnerable extension has not yet been remediated, the attacker is able to continue submitting new upload attempts.

Please note that removing previously identified web shells alone will not prevent further compromise. As long as the vulnerable SP Page Builder extension remains exposed, new PHP web shells can continue to be uploaded by the attackers.

Actions taken by MDR:

  • Identified and validated newly observed web shell upload attempts associated with the vulnerable upload endpoint.
  • Removed the identified webshells under "/home/emascorp/public_html/media/com_sppagebuilder/assets/iconfont//fonts/.php"

Required actions by the customer:

  • Immediately upgrade the Joomla SP Page Builder extension to a version that addresses CVE-2026-48908 (or the latest available version).
  • Upgrade Joomla and all installed extensions to fully supported and patched versions.
  • Restrict external access to the vulnerable upload endpoint using a Web Application Firewall (WAF), reverse proxy rules, or temporary access controls until remediation has been completed.
  • If patching cannot be completed immediately, we strongly recommend temporarily taking the affected website offline or isolating the host from the internet to prevent further compromise.
  • Rotate credentials for the "emascorp" account and any additional credentials that may have been exposed.
  • Review all Joomla administrator accounts for unauthorized additions or modifications.
  • Review and remove any unexpected cron jobs or persistence mechanisms.
  • Review SSH configuration, authorized_keys, known_hosts, and shell history files for evidence of unauthorized access or lateral movement.
  • Rotate SSH keys and any secrets that may have been accessible from the compromised host.
  • If the integrity of the server cannot be fully validated, rebuild the system from a known-good backup after preserving forensic evidence.
0
1 Answers
Ziaul Kabir
Ziaul Kabir
Accepted Answer
Support Agent 1 week ago #227866

Hello,

We sincerely apologize for the inconvenience caused.

This issue has been fixed in SP Page Builder v6.6.2. Once you upgrade to v6.6.2, this specific vulnerability can no longer be exploited.

However, if your site was compromised before upgrading, simply updating the extension will not remove any malicious files or backdoors that may have already been uploaded. If those files remain on the server, attackers may still be able to access your site. Therefore, it is important to perform a complete cleanup before considering the site secure. Please follow the cleanup guide here: https://www.joomshaper.com/forum/question/45152 You can also use the following security scanner to help identify malicious files and delete them: https://github.com/zkrana/joomla-security-scanner Please make sure to read the README.md file in the repository for instructions on how to run the tool. After completing the cleanup and upgrading to v6.6.2, please let us know the outcome or if you need any further assistance.

We'll be happy to help. Thank you.

0