Australiancybersecuritymagazine

ACSC warns of large-scale campaign exploiting CMS vulnerabilities in Australia


The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) has issued an alert about a “large-scale exploitation campaign” targeting web content management systems (CMS), warning that many Australian businesses have already been impacted.

The ACSC said the campaign involves attackers scanning websites for vulnerabilities in CMS platforms and plugins to deploy webshells, which can provide remote access and control of compromised web servers. The agency said affected organisations should treat any server with an identified webshell as compromised and isolate it while conducting an audit for malicious activity.

The alert is aimed at Australian website owners and managers, including small businesses, and is intended for a technical audience. The ACSC warned that vulnerabilities being exploited include issues that can enable unauthenticated file upload, remote code execution, server-side request forgery and deserialisation attacks.

According to the ACSC, compromised web servers may be used for website defacement or disruption, credential capture and data theft, delivery of malware to scam website users, or as a foothold for broader network compromise.

The ACSC listed software, plugins and CVEs it said are being exploited in the campaign, including WordPress plugins Simple File List (CVE-2025-34085/CVE-2020-36847), WavePlayer (CVE-2025-12057), BerqWP (CVE-2025-7443), WPBookit (CVE-2025-7852), Ninja Forms (CVE-2026-0740), ThemeREX Addons (CVE-2026-1969), Breeze Cache (CVE-2026-3844), pay-uz (CVE-2026-31843), ACF Extended (CVE-2025-13486), Sneeit Framework (CVE-2025-6389), WPvivid Backup (CVE-2026-1357), Gravity Forms (CVE-2025-12352), GutenKit/Hunk Companion (listed as likely CVE-2024-9234), along with Craft CMS (CVE-2025-32432), MaxSite CMS (CVE-2026-3395), MetInfo CMS (CVE-2026-29014), and Joomla JCE (CVE-2026-48907).

The agency said the campaign “demonstrates the rapidly evolving cyber risk facing organisations,” and pointed to a recent Five Eyes cyber security agencies statement that said advances in AI are accelerating the speed and scale of cyber operations and reducing the time between vulnerability disclosure and exploitation.

As immediate mitigation, the ACSC recommended website owners inspect CMS environments for webshells and abnormal file changes, review web access logs for suspicious GET or POST requests to webshell paths, and look back historically to identify initial exploitation activity. It also advised reviewing network logs for interactions with identified IP addresses, investigating for persistence and lateral movement, patching vulnerable systems to prevent reinfection, and restoring affected websites from a recent known-good backup where compromise is suspected.

Further protective measures recommended by the ACSC included ensuring website software and plugins are kept up to date, considering automatic patching where appropriate, and disabling plugins with actively exploited vulnerabilities until mitigations are applied. It also advised restricting or monitoring file creation in web directories, limiting access to sensitive files and paths, monitoring for unexpected child processes spawned by web servers, and blocking unnecessary network communication between internet-facing websites and internal corporate systems.

Organisations seeking advice or assistance, or that suspect they have been affected, can report via www.cyber.gov.au/report, the ACSC said.





Source link