Attacks Ramp Up Against Joomla Zero Day

Attacks are accelerating against a now-patched Joomla zero-day vulnerability, putting pressure on site administrators to update quickly.

The patch was published on Monday, but not before the flaw had been exploited in the wild for at least two days, said researchers at security company Sucuri.

The zero-day vulnerability affects all Joomla versions from 1.5 through 3.4; hotfixes are also available for older branches of the content management system, such as 2.5 and earlier, that have already reached end-of-life and would not otherwise receive a patch.

“…The attackers are doing an object injection via the HTTP user agent that leads to a full remote command execution,” said Sucuri’s Daniel Cid in an advisory posted Monday.

Cid said that attacks began Saturday from the IP address 74[.]3[.]170[.]33 with two more IPs joining in on Sunday: 146[.]0[.]72[.]83 and 194[.]28[.]174[.]106.

“Today (Dec 14th), the wave of attacks is even bigger, with basically every site and honeypot we have being attacked,” Cid said. “That means that probably every other Joomla site out there is being targeted as well.”

Sucuri recommends filtering web server logs for requests from any of these three IP addresses, or for the strings “JDatabaseDriverMysqli” or “O:” (the prefix of a PHP serialized object) in the User-Agent header.

“If you find them, consider your Joomla site compromised and move to the remediation / incident response phase,” Cid said.
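The log check Sucuri describes, as an added example (this is not Sucuri's, Joomla's or the article's own code): it parses combined-format access-log lines, flags the three scanning IPs and the two User-Agent strings from the advisory, and adds a stricter check of my own for a PHP serialized-object header (O:<length>:"ClassName":) so that a benign User-Agent that merely contains "O:" can be told apart from an actual injection attempt. The IPs are written un-defanged so they match raw logs. The sample log lines are constructed for illustration; the serialized fragments in them are placeholders of the right shape, not a working payload.

```python
"""Scan Apache/nginx combined-format access logs for the Joomla
object-injection indicators published by Sucuri.

Added example, not code from Sucuri, Joomla or the article.
Sample log lines below are constructed; payload fragments are placeholders.
"""
import re

# Indicators from the advisory (un-defanged so they match raw log lines).
SCANNER_IPS = {"74.3.170.33", "146.0.72.83", "194.28.174.106"}
UA_STRINGS = ("JDatabaseDriverMysqli", "O:")

# Stricter, added check: a PHP serialized object starts O:<len>:"<class>":.
# Apache writes quotes inside a header as \" so the backslash is optional here.
PHP_OBJECT_RE = re.compile(r'O:\d+:\\?"[A-Za-z0-9_\\]+\\?":')

# Combined log format:
# ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>.*)"$'
)

# Constructed sample log; RFC 5737 addresses stand in for ordinary visitors.
SAMPLE_LOG = [
    '203.0.113.9 - - [14/Dec/2015:10:01:02 +0000] "GET /index.php HTTP/1.1" '
    '200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/42.0"',
    '74.3.170.33 - - [14/Dec/2015:10:01:05 +0000] "GET / HTTP/1.1" '
    '200 5123 "-" "O:21:\\"JDatabaseDriverMysqli\\":0:{}"',
    '198.51.100.7 - - [14/Dec/2015:10:02:11 +0000] "GET /administrator/ HTTP/1.1" '
    '200 2210 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) Chrome/47.0"',
    '198.51.100.8 - - [14/Dec/2015:10:03:30 +0000] "POST /index.php HTTP/1.1" '
    '403 199 "-" "O:3:\\"Foo\\":1:{s:1:\\"x\\";i:1;}"',
    '192.0.2.4 - - [14/Dec/2015:10:04:44 +0000] "GET /robots.txt HTTP/1.1" '
    '200 70 "-" "DEMO:Bot/1.0 (+http://example.com/bot)"',
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def check_line(line):
    """Return the indicator names that fire on this line (empty list if clean)."""
    fields = parse_line(line)
    if fields is None:
        return []
    hits = []
    if fields["ip"] in SCANNER_IPS:
        hits.append("known-scanner-ip")
    ua = fields["ua"]
    # Sucuri's raw substring checks, exactly as recommended.
    for s in UA_STRINGS:
        if s in ua:
            hits.append("ua-contains:" + s)
    # Added, stricter check for a real serialized-object header.
    if PHP_OBJECT_RE.search(ua):
        hits.append("ua-php-serialized-object")
    return hits


def scan(lines):
    """Return (line_number, hits) for every line matching at least one indicator."""
    findings = []
    for n, line in enumerate(lines, 1):
        hits = check_line(line)
        if hits:
            findings.append((n, hits))
    return findings


if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print("line %d: %s" % (n, ", ".join(hits)))
```

Run against the sample, lines 2 and 4 fire on the serialized-object check and line 5 fires only on the raw "O:" substring, which is the kind of hit worth eyeballing before escalating. Keep Sucuri's guidance in mind when triaging: a known-scanner IP or a serialized-object header in the User-Agent means the site should be treated as compromised, while an empty result only says nothing was found in the fields this log format records.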

This is the second time in recent months that a Joomla vulnerability has come under attack almost as soon as it was disclosed and patched. In October, researchers discovered a SQL injection flaw in the software that attackers began exploiting within hours, in particular against two popular sites running on the CMS.

Sucuri, for example, observed two kinds of scans at the time: one probing for the SQL syntax errors the vulnerability produces, and a second pulling the administrator’s session from a table in the CMS database, which would let the attackers reuse that session and carry out their exploit.
