<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Joomla &lt; 5.2.2 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/joomla--5.2.2/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 06 Jul 2026 13:45:49 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/joomla--5.2.2/feed.xml" rel="self" type="application/rss+xml"/><item><title>JoomShaper SP LMS PHP Object Injection Leads to RCE (CVE-2026-48909)</title><link>https://feed.craftedsignal.io/briefs/2026-07-joomshaper-sp-lms-rce/</link><pubDate>Mon, 06 Jul 2026 13:45:49 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-joomshaper-sp-lms-rce/</guid><description>A critical PHP object injection vulnerability (CVE-2026-48909) in JoomShaper SP LMS versions &lt;= 4.1.3 allows unauthenticated attackers to achieve remote code execution (RCE) via a crafted 'lmsOrders' cookie, leading to webshell deployment on vulnerable Joomla installations (&lt; 5.2.2).</description><content:encoded><![CDATA[<p>A high-severity PHP object injection vulnerability, identified as CVE-2026-48909, has been discovered and publicly exploited in JoomShaper SP LMS versions up to 4.1.3. This vulnerability, affecting a popular Joomla Extension, enables an unauthenticated remote attacker to execute arbitrary code on the underlying server. Exploitation occurs by sending a specially crafted 'lmsOrders' cookie to the <code>com_splms&amp;view=cart</code> endpoint. If the main Joomla CMS version is older than 5.2.2, a known gadget chain involving <code>FormattedtextLogger::__destruct()</code> can be leveraged to write a webshell to disk, granting the attacker full control over the compromised web server. The availability of a public exploit significantly increases the risk for unpatched systems.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker crafts a malicious PHP serialized object payload designed to trigger the object injection gadget chain.</li>
<li>The attacker carefully base64-encodes this payload, manipulating it to avoid characters (<code>/</code>, <code>+</code>, <code>=</code>) that would be filtered by Joomla's input sanitizer when transmitted in a cookie.</li>
<li>The attacker sends an HTTP GET request to the <code>/index.php?option=com_splms&amp;view=cart</code> endpoint of the vulnerable Joomla instance, including the specially crafted payload within the <code>lmsOrders</code> cookie.</li>
<li>The vulnerable <code>com_splms</code> component retrieves the <code>lmsOrders</code> cookie, base64-decodes it, and then <code>unserialize()</code>s the PHP object.</li>
<li>During the deserialization process, if the Joomla CMS version is less than 5.2.2, the <code>FormattedtextLogger::__destruct()</code> gadget is triggered, calling <code>File::write()</code> with attacker-controlled data.</li>
<li>This action writes an initial PHP loader (containing <code>hex2bin()</code> to write the real payload) to a specified, PHP-writable path on the server (e.g., <code>/tmp/x.php</code>).</li>
<li>The attacker then makes a subsequent HTTP GET request to the newly created loader file, causing it to execute and write the full PHP webshell to the same location.</li>
<li>Finally, the attacker can interact with the deployed webshell by sending commands via URL parameters (e.g., <code>?c=id</code>), achieving unauthenticated remote code execution.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-48909 grants unauthenticated remote code execution on the target server. This allows attackers to completely compromise the affected Joomla instance and the underlying server, leading to data exfiltration, website defacement, further network penetration, or the deployment of additional malicious payloads such as ransomware. Organizations running JoomShaper SP LMS versions 4.1.3 or earlier, particularly on Joomla CMS versions prior to 5.2.2, are at severe risk of server compromise and potential business disruption.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch CVE-2026-48909 immediately:</strong> Upgrade JoomShaper SP LMS to version 4.1.4 or higher to remediate the PHP Object injection vulnerability.</li>
<li><strong>Update Joomla CMS:</strong> Ensure your core Joomla CMS is updated to version 5.2.2 or higher to mitigate the RCE gadget chain, even if the SP LMS extension cannot be immediately patched.</li>
<li><strong>Deploy the Sigma rule in this brief</strong> to your SIEM and tune for your environment to detect exploitation attempts.</li>
<li><strong>Enable webserver access logging:</strong> Ensure comprehensive logging of HTTP requests, including full URI paths and cookie headers, to aid in detecting and investigating exploitation attempts.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>webapps</category><category>php</category><category>object-injection</category><category>rce</category><category>webshell</category></item></channel></rss>