The National Cyber Security Agency (Nacsa) says several Malaysian government websites have been hacked, including the Health Ministry (MOH) portal, through a critical vulnerability in the Joomla content management system.
An advisory published on 26 June via the National Cyber Coordination and Command Centre (NC4) identified the flaw in the Joomla Content Editor (JCE) extension. The vulnerability, tracked as CVE-2026-48907, carries a CVSS score of 10.0, the highest severity rating.
Affected websites include those of the MOH, the Malaysia Co-operative Societies Commission, the Handicraft Development Corporation, and the Women’s Development Department (JPW).
The MOH portal was taken offline after a group calling themselves Mushr00w claimed responsibility for the breach. A defaced landing page displayed the message: “HACKED BY MUSHR00W.”
According to the advisory, the vulnerability allows remote attackers to create rogue CMS editor profiles and execute arbitrary PHP code, resulting in full pre-authentication remote code execution on the affected web server. Attackers can establish persistent backdoor access, potentially leading to data theft, defacement, lateral movement, and complete takeover of the hosting environment.
“The hack is believed to be due to vulnerabilities mentioned in the advisory. MOH has been informed and is taking the necessary mitigation actions,” a Nacsa spokesperson said.
Nacsa is urging all organisations using the Joomla Content Editor to update to version 2.9.99.6, or at minimum 2.9.99.5. Free patches are available for older deployments that cannot meet the system requirements for the latest versions.
Affected National Critical Information Infrastructure (NCII) entities are advised to report incidents to NC4 as required under Act 854 for national coordination and intelligence sharing.
The MOH website remained inaccessible at the time of writing. The ministry said it was working closely with relevant agencies to restore the portal and strengthen system security.
Source: The Star
