VYPR
advisoryPublished Jul 9, 2026· 1 source

ACSC Warns of Large-Scale CMS Exploitation Campaign Deploying Webshells

The Australian Cyber Security Centre (ACSC) has issued a warning about a widespread campaign exploiting numerous Content Management System (CMS) platforms and plugins, leading to the deployment of webshells and significant compromise.

A large-scale hacking campaign is actively targeting websites globally, leveraging vulnerabilities in various Content Management System (CMS) platforms and plugins to deploy webshells. These webshells act as backdoors, granting attackers remote control over compromised servers for malicious purposes such as defacement, credential theft, and further network infiltration. The Australian Cyber Security Centre (ACSC) has identified this campaign, noting that attackers are chaining together known vulnerabilities, including those related to unauthenticated file uploads and remote code execution (RCE), to maximize their reach and impact.

The campaign's broad scope is particularly concerning, as it affects a wide array of CMS software. The ACSC's investigation revealed that attackers are not focusing on a single exploit but are scanning the internet for any site running a vulnerable version of popular platforms and plugins. This includes numerous WordPress plugins such as Simple File List, WavePlayer, Ninja Forms, and Gravity Forms, as well as standalone platforms like Craft CMS, MetInfo CMS, and Joomla JCE. Once a vulnerability is identified, a webshell is deployed, establishing persistent remote access.

Analysts from the ACSC highlighted that this campaign reflects a concerning trend of attackers rapidly moving from vulnerability disclosure to active exploitation. This acceleration is partly attributed to the increasing influence of AI in cybersecurity operations, as noted in a recent joint statement from Five Eyes cyber security agencies. The strategy of targeting a diverse range of CMS ecosystems rather than a single platform increases the likelihood of finding and compromising unpatched systems.

The impact of these compromises can be severe. Beyond website defacement and credential theft, attackers can use compromised servers to distribute malware or pivot to other systems within an organization's network. The lack of obvious warning signs means that many small and medium-sized businesses, particularly in Australia and beyond, may be unaware their web servers have been hijacked until significant damage has occurred.

In response, the ACSC has provided clear guidance for website owners. The immediate priority is to inspect CMS directories for unusual files and review web access logs for suspicious activity. Any server found to be running a webshell should be treated as fully compromised, requiring isolation, thorough auditing of logs, and restoration from a known good backup after patching.

For long-term defense, the ACSC strongly recommends keeping all CMS software and plugins updated, as most exploited flaws already have available fixes. Additional protective measures include disabling plugins as soon as vulnerabilities are disclosed, configuring web directories as read-only, restricting file execution permissions, and monitoring for unexpected processes. Organizations should also implement network segmentation to prevent compromised websites from becoming entry points into internal systems.

The breadth of this campaign underscores the persistent threat posed by unpatched vulnerabilities in widely used web software. By chaining known exploits and targeting a diverse set of platforms, attackers are effectively casting a wide net, making it crucial for organizations to maintain robust patch management and security monitoring practices to defend against such widespread exploitation efforts.

Synthesized by Vypr AI