
CISA orders feds to patch critical Joomla bug by Friday

Summary

– CISA ordered federal agencies to patch a maximum-severity flaw in the Widget Factory Joomla Content Editor (JCE) plugin.
– The flaw is being actively exploited in the wild.

CISA is directing all U.S. federal agencies to apply a critical security patch for a widely used Joomla plugin by the end of this week. The directive targets a maximum-severity vulnerability in the Widget Factory Joomla Content Editor (JCE) plugin, which attackers are already actively exploiting in real-world campaigns.

Under the agency’s Binding Operational Directive (BOD) 22-01, civilian executive branch departments and agencies must remediate the flaw by Friday, June 19, 2026. This aggressive timeline reflects the severe risk posed by the bug, which carries a CVSS score of 10.0, the highest possible rating. The vulnerability allows unauthenticated attackers to execute arbitrary code on affected websites, potentially leading to full site compromise, data theft, or malware deployment.

Security researchers first identified the flaw, tracked as CVE-2024-12345, in early June. Proof-of-concept exploit code quickly emerged, followed by reports of active exploitation targeting Joomla sites using the JCE plugin. The plugin is a popular content editor used by thousands of websites, making the vulnerability a prime target for automated scanning and mass attacks.

CISA’s order applies to all federal information systems, but the agency strongly urges private sector organizations and website administrators using Joomla with the JCE plugin to apply the patch immediately. The update, version 2.9.7 of the JCE plugin, addresses the remote code execution vulnerability and is available from the developer’s official site.

Organizations that fail to comply with the federal mandate risk enforcement actions, including potential removal from government networks. For non-federal entities, the consequences of inaction could be far more severe: data breaches, ransomware infections, or loss of customer trust. Administrators should verify their Joomla installations and plugin versions without delay, as attackers continue to scan for unpatched systems.
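One way to act on that advice is to compare the installed JCE version against the fixed release named above. The following is an added example, not code from the article or from the JCE developer: it reads the version from a Joomla extension manifest XML and compares it numerically rather than as a string (which would wrongly rank 2.9.10 below 2.9.7); the manifest path and the sample manifest contents are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Fixed release named in the article.
FIXED_VERSION = "2.9.7"

# Constructed sample manifest, shaped like a Joomla extension manifest.
# Real installs keep such a file under the extension's directory, e.g.
# administrator/components/com_jce/jce.xml (path is an assumption; verify on your install).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<extension type="component" method="upgrade">
  <name>JCE</name>
  <version>2.9.10</version>
</extension>"""


def parse_version(text: str) -> tuple:
    """Turn '2.9.10' into (2, 9, 10) so that tuple comparison orders releases correctly."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in parts)


def manifest_version(xml_text: str) -> str:
    """Extract the <version> element from an extension manifest."""
    root = ET.fromstring(xml_text)
    node = root.find("version")
    if node is None or not node.text:
        raise ValueError("manifest has no <version> element")
    return node.text.strip()


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed release is at or above the fixed release."""
    return parse_version(installed) >= parse_version(fixed)


def check_manifest_file(path: str) -> bool:
    """Convenience wrapper for a real manifest on disk."""
    return is_patched(manifest_version(Path(path).read_text(encoding="utf-8")))


if __name__ == "__main__":
    v = manifest_version(SAMPLE_MANIFEST)
    status = "patched" if is_patched(v) else f"VULNERABLE - update to {FIXED_VERSION}"
    print(f"JCE {v}: {status}")
```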

(Source: BleepingComputer)
