Australian Cyber Security Centre Issues Alert on Mass Exploitation of CMS Vulnerabilities

Australia Warns of Global Campaign Targeting Unpatched CMS Platforms with Webshells

HIGH
July 12, 2026
5m read
CyberattackVulnerabilityPatch Management

Related Entities

Products & Tech

WordPress Joomla Craft CMSMaxSite CMSMetInfo CMS

Full Report

Executive Summary

On July 11, 2026, the Australian Cyber Security Centre (ACSC) released a critical alert detailing a large-scale, global cyberattack campaign. Threat actors are systematically exploiting a wide range of known, patched vulnerabilities in popular Content Management Systems (CMS) and their associated plugins. The primary targets include WordPress, Joomla, and Craft CMS. The attackers' main objective is to install webshells on compromised servers, granting them persistent remote access. This campaign has already impacted numerous organizations in Australia and worldwide, particularly small- to medium-sized businesses. The ACSC strongly advises immediate patching and thorough system audits.

Threat Overview

The campaign is characterized by its broad scope and reliance on exploiting old, unpatched vulnerabilities. Attackers are conducting mass scanning operations to identify internet-facing websites running vulnerable versions of CMS platforms or plugins. Once a target is identified, the attackers exploit a known flaw to achieve initial access, with the end goal of uploading a webshell.

A webshell provides a backdoor, allowing the attacker to execute commands on the server, manipulate files, and access databases. This access is then used for various malicious purposes:

  • Website defacement
  • Theft of sensitive data, including user credentials and customer information
  • Using the compromised server to host phishing pages or distribute malware like the Vidar Stealer
  • Pivoting from the web server to attack other systems within the organization's internal network.

The ACSC noted that the use of AI by threat actors may be accelerating their ability to weaponize newly disclosed vulnerabilities, shortening the window for defenders to patch.

Technical Analysis

The campaign leverages a list of 17 specific vulnerabilities. The exploitation of these flaws falls under the MITRE ATT&CK technique T1190 - Exploit Public-Facing Application. The ultimate goal is the installation of a webshell, which corresponds to T1505.003 - Server Software Component: Web Shell.

The targeted vulnerabilities include, but are not limited to:

  • WordPress Plugins: Simple File List (CVE-2026-1357), Ninja Forms (CVE-2026-3844), Breeze Cache (CVE-2026-1969), Gravity Forms (CVE-2025-12352), and others.
  • Joomla Components: JCE editor (CVE-2026-0740).
  • Other CMS: Craft CMS (CVE-2025-34085), MaxSite CMS (CVE-2020-36847), and MetInfo CMS (CVE-2025-7852).

These vulnerabilities range from unauthenticated file uploads to remote code execution and server-side request forgery (SSRF). The fact that many of these have had patches available for months or years indicates a systemic failure in patch management across many organizations.

Impact Assessment

The impact on a compromised organization can be severe. A public-facing website is often the gateway to an organization's digital presence. A breach can lead to significant reputational damage from website defacement or data leaks. The theft of customer data can result in regulatory fines and loss of trust. If the compromised web server is used as a pivot point into the internal network, it can lead to a full-scale enterprise breach, potentially culminating in a ransomware attack. For small and medium businesses with limited security resources, recovering from such an attack can be financially devastating.

IOCs — Directly from Articles

No specific webshell hashes, IP addresses, or C2 domains were mentioned in the source articles.

Cyber Observables — Hunting Hints

Security teams should proactively hunt for signs of compromise related to this campaign:

Type
url_pattern
Value
*/wp-content/plugins/*/
Description
Look for suspicious POST requests to plugin directories, especially for file uploads (.php, .phtml).
Type
file_name
Value
*.php
Description
Search for recently created or modified PHP files in unexpected locations, such as image upload directories.
Type
log_source
Value
Web Server Access Logs
Description
Scrutinize logs for requests to known vulnerable endpoints associated with the listed CVEs. Look for unusual user agents or requests from a single IP hitting multiple non-existent pages.
Type
command_line_pattern
Value
`(curl
Description
wget) http:///.sh`

Detection & Response

  • File Integrity Monitoring (FIM): Deploy FIM on web servers to alert on the creation or modification of files in web directories, especially script files like .php.
  • Log Analysis: Ingest web server and CMS application logs into a SIEM. Create rules to detect exploitation attempts against the listed CVEs and to identify common webshell activity patterns (e.g., a POST request to a .jpg file that is later executed). This is an application of D3-NTA - Network Traffic Analysis.
  • Vulnerability Scanning: Regularly scan public-facing web applications for the vulnerabilities listed in the ACSC alert and other known flaws.
  • Response: If a webshell is found, isolate the server immediately. Capture a forensic image for analysis. Examine logs to determine the extent of the compromise and identify any lateral movement before restoring from a known-good backup.

Mitigation

The most critical mitigation is timely patch management.

  1. Patch Immediately: Apply all available security updates for your CMS core, themes, and plugins. This is the primary defense and aligns with M1051 - Update Software.
  2. Harden Configuration: Disable file uploads in areas where they are not necessary. Restrict script execution permissions in upload directories. This is a form of M1022 - Restrict File and Directory Permissions.
  3. Web Application Firewall (WAF): Deploy a WAF to block common attack patterns and virtual patch against known vulnerabilities until official patches can be applied.
  4. Network Segmentation: Isolate web servers from the internal corporate network to prevent attackers from pivoting if a server is compromised. This aligns with M1030 - Network Segmentation.
  5. Remove Unused Plugins: Uninstall and delete any themes or plugins that are not actively in use to reduce the potential attack surface.

Timeline of Events

1
July 11, 2026
The Australian Cyber Security Centre (ACSC) issues an alert about a mass exploitation campaign targeting CMS platforms.
2
July 12, 2026
This article was published

MITRE ATT&CK Mitigations

The most effective mitigation is to promptly apply security patches for the CMS core, plugins, and themes.

Hardening web server configurations to prevent script execution in upload directories can block webshells from running.

Isolating web servers from the internal network contains the breach and prevents lateral movement.

Using a Web Application Firewall (WAF) can provide a layer of defense by filtering malicious requests before they reach the vulnerable application.

Timeline of Events

1
July 11, 2026

The Australian Cyber Security Centre (ACSC) issues an alert about a mass exploitation campaign targeting CMS platforms.

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)

Tags

acsccmswordpressjoomlawebshellvulnerabilitypatch management

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.