Critical SP Page Builder RCE Vulnerability — Immediate Upgrade to 6.6.2 Required

A critical zero-day vulnerability has been identified in SP Page Builder (com_sppagebuilder) for Joomla. The vendor has released an emergency security patch in version 6.6.2.

All 6.x versions up to and including 6.6.1 are vulnerable.

This issue enables unauthenticated Remote Code Execution (RCE) via arbitrary file upload. Active exploitation has been observed.

At Galussothemes, we recommend treating this as a high-priority security incident.

Vulnerability Overview

Type: Unauthenticated arbitrary file upload
Impact: Remote Code Execution (RCE)
Risk Level: Critical
Affected Versions: 6.x ≤ 6.6.1
Patched Version: 6.6.2

The flaw allows an external attacker (no login required) to upload a malicious PHP file and execute it through a web request, resulting in full control of the Joomla installation.

Technical Breakdown

The vulnerability originates in the internal task handler:

asset.uploadCustomIcon

Security Control Failures

• Authentication not properly enforced
• Authorization checks insufficient
• Missing/weak CSRF validation
• File type validation inadequate
• Uploaded files written to a web-accessible directory

Attack Chain

1. Send crafted request to vulnerable endpoint
2. Upload malicious PHP payload
3. Execute payload via browser
4. Gain server-side code execution

This grants the attacker the same privileges as the web server process.

Important: Disabling the Extension Is Not a Fix

Deactivating SP Page Builder does not remove exposure.
The vulnerable endpoint remains reachable.

Only upgrading to version 6.6.2 closes the entry point.

What Was Fixed in 6.6.2

The patched version implements:

• Mandatory authenticated sessions
• Proper authorization validation
• Enforced CSRF token verification
• Rejection of anonymous task requests

The upload function is now correctly secured.

Post-Exploitation Risk: Persistence Mechanisms

If exploitation occurred before patching, attackers likely established persistence.

Updating alone does not guarantee the system is clean.

Indicators of Compromise (IoCs)

1) Unauthorized Super User Accounts

Common patterns observed:

• Account names such as:
  • “Web Editor”
  • “Admin Backup”
• Email addresses ending in:
  @secure.local
  

This domain is not legitimate for Joomla accounts.
If present, treat the environment as compromised.

2) Malicious PHP Backdoors

Attackers deploy file-manager-style PHP shells (often with SQL console capability).

Typical locations:

• images/.../fonts/
• media/com_admin/
• media/regularlabs/

Common filename:

• users.php

File content may contain:

PHP File manager

Multiple copies are usually deployed for redundancy.

Immediate Remediation Steps

Step 1 — Upgrade to SP Page Builder 6.6.2

Method A: Joomla Updater

• System → Updates → Check for Updates
• Update SP Page Builder

Method B: Manual Installation

• Download version 6.6.2 from the official vendor
• Install via Extensions → Manage → Install

If previous emergency file removals were performed, do not restore legacy files. Perform a clean installation of 6.6.2.

Step 2 — Conduct Compromise Assessment

A) Audit Joomla User Accounts

• Review all Super Users
• Remove unauthorized accounts
• Investigate any @secure.local email entries

B) Scan Filesystem

Search for:

• Unexpected .php files in /images/
• users.php under /media/com_admin/
• users.php under /media/regularlabs/

If one malicious file is found, assume additional implants exist.

C) Correlate Logs Carefully

Joomla timestamps use the timezone defined in configuration.php.
Server logs frequently use UTC.

Normalize timezones before analyzing events.

If Compromise Is Confirmed

Treat the system as fully breached.

Mandatory actions:

1. Remove all unauthorized administrator accounts
2. Delete all backdoor file instances
3. Rotate credentials:
   • Joomla admin passwords
   • Database credentials
   • FTP/SSH keys
4. Terminate active sessions
5. Perform full integrity review of the application

A successful update does not eliminate previously installed persistence mechanisms.

Temporary Mitigation (If Upgrade Is Delayed)

As an interim containment measure:

• Block requests containing asset.uploadCustomIcon
• Block encoded traversal patterns such as %2e

This is not a permanent solution. Upgrade remains mandatory.

Hardening Recommendations

To reduce future exposure:

• Disable PHP execution in /images/ and /media/ directories
• Apply WAF rules targeting suspicious Joomla task parameters
• Implement file integrity monitoring
• Restrict unnecessary write permissions

Defense-in-depth minimizes impact but does not replace timely patching.

Recommended Action Plan

1. Upgrade SP Page Builder to 6.6.2 immediately
2. Perform full user and filesystem audit
3. Remove persistence artifacts
4. Rotate all credentials
5. Implement server-level hardening controls

At Galussothemes, we advise Joomla administrators to prioritize patch deployment and forensic validation to ensure complete remediation.

Act immediately to prevent unauthorized access and long-term compromise.