Security Affairs
Australia Alerts Organizations to Ongoing CMS Exploitation Attacks|Ryuk Ransomware Member Pleads Guilty Over Attacks on U.S. Organizations|Progress Told ShareFile Customers to Pull the Plug on Their Servers. Here’s What We Know.|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 105|Security Affairs newsletter Round 585 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. CISA adds iCagenda and Balbooa Forms flaws to its Known Exploited Vulnerabilities catalog|Critical U-Boot Bugs Undermine Secure Boot on Millions of Devices|Update Now: Critical Zimbra Classic Web Client Flaw Could Expose Mailboxes|Ransomware Never Stopped: Over 9,000 Confirmed Attacks Since 2018|222 GitHub Repositories Linked to Fake Go Package Malware Operation|Former Ransomware Negotiator Sentenced to 70 Months in Prison for Secretly Helping BlackCat Gang|GigaWiper Merges Three Malware Families Into One Destructive Backdoor|Australia Alerts Organizations to Ongoing CMS Exploitation Attacks|Ryuk Ransomware Member Pleads Guilty Over Attacks on U.S. Organizations|Progress Told ShareFile Customers to Pull the Plug on Their Servers. Here’s What We Know.|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 105|Security Affairs newsletter Round 585 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. CISA adds iCagenda and Balbooa Forms flaws to its Known Exploited Vulnerabilities catalog|Critical U-Boot Bugs Undermine Secure Boot on Millions of Devices|Update Now: Critical Zimbra Classic Web Client Flaw Could Expose Mailboxes|Ransomware Never Stopped: Over 9,000 Confirmed Attacks Since 2018|222 GitHub Repositories Linked to Fake Go Package Malware Operation|Former Ransomware Negotiator Sentenced to 70 Months in Prison for Secretly Helping BlackCat Gang|GigaWiper Merges Three Malware Families Into One Destructive Backdoor|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Australia Alerts Organizations to Ongoing CMS Exploitation Attacks

Australia warns of a global campaign exploiting CMS flaws to deploy webshells on WordPress, Joomla, and other websites. Australia’s Signals Directorate has issued an alert about a large-scale exploitation campaign actively targeting content management systems (CMS) worldwide, with many small and medium-sized Australian businesses already hit. Attackers are scanning websites for known vulnerabilities, deploying webshells […]

CMS

Australia warns of a global campaign exploiting CMS flaws to deploy webshells on WordPress, Joomla, and other websites.

Australia’s Signals Directorate has issued an alert about a large-scale exploitation campaign actively targeting content management systems (CMS) worldwide, with many small and medium-sized Australian businesses already hit. Attackers are scanning websites for known vulnerabilities, deploying webshells to gain persistent remote access, and using compromised servers as a base for broader attacks.

“A large-scale exploitation campaign is targeting various vulnerabilities in content management systems (CMS) globally, including in Australia, with many small to medium sized Australian businesses impacted.” reads the alert published by the Australia’s Signals Directorate.

“As part of this campaign, malicious cyber actors are actively scanning websites for opportunities to deploy webshells, leveraging various vulnerabilities affecting CMS software and plugins. These vulnerabilities primarily allow unauthenticated file upload, remote code execution, server side request forgery or deserialisation.”

The list of targeted software covers 17 CVEs across WordPress plugins including Ninja Forms, Gravity Forms, WPvivid Backup, Breeze Cache, and GutenKit, as well as standalone CMS platforms including Craft CMS, Joomla, and MaxSite CMS. All of the vulnerabilities are public and patched — which means every successful attack here is hitting someone who didn’t update.

Below is the list of software, plugins and CVEs being exploited: 

Software/pluginCVE
Simple File List (WordPress)CVE-2025-34085/CVE-2020-36847
WavePlayer (WordPress)CVE-2025-12057
BerqWP (WordPress)CVE-2025-7443
WPBookit (WordPress)CVE-2025-7852
Ninja Forms (WordPress)CVE-2026-0740
ThemeREX Addons (WordPress)CVE-2026-1969
Breeze Cache (WordPress)CVE-2026-3844
pay-uz (WordPress)CVE-2026-31843
ACF Extended (WordPress)CVE-2025-13486
Sneeit FrameworkCVE-2025-6389
WPvivid Backup (WordPress)CVE-2026-1357
Gravity Forms (WordPress)CVE-2025-12352
GutenKit/Hunk Companion (WordPress)Likely CVE-2024-9234
Craft CMSCVE-2025-32432
MaxSite CMSCVE-2026-3395
MetInfo CMSCVE-2026-29014
Joomla JCECVE-2026-48907

“Once deployed, webshells can allow malicious cyber actors to remotely access and control targeted web servers.” continues the alert. “Malicious cyber actors may leverage compromised web servers for several purposes, including:

  • Website defacement or disruption
  • Capturing credentials entered by website users or other data stored on web servers
  • Uploading additional malware to target and scam legitimate website users
  • Using web server access as a pathway for broader network compromise

The pivot-to-broader-network angle is the one that turns a compromised WordPress site into a corporate incident.

The ACSC is connecting this campaign to a trend the Five Eyes agencies flagged recently: AI is shortening the window between vulnerability disclosure and active exploitation.

“This highly scaled global exploitation campaign demonstrates the rapidly evolving cyber risk facing organisations.” continues the alert. “The heads of the Five Eyes cyber security agencies recently released a joint statement highlighting how advances in AI are accelerating the speed and scale of cyber operations, reducing the time between vulnerability disclosure and exploitation.”

Faster scanning plus faster exploit development means the patch window is shrinking, and campaigns like this one are the evidence.

For anyone running a CMS, the ACSC’s immediate advice is to check your web directories for unexpected files, especially in plugin folders, and review access logs for GET or POST requests to unusual paths.

If a webshell is found, don’t just delete it and move on, trace back through logs to understand the initial exploitation, look for signs of lateral movement or additional accounts created, and restore from a known-good backup before bringing the server back online.

Longer term, the advisory recommends configuring web directories as read-only where possible to block webshell deployment at the filesystem level, monitoring for unexpected child processes spawning off the web server process, and blocking unnecessary network connections between internet-facing servers and internal corporate systems.

Auto-patching is worth enabling where a faulty patch can be rolled back easily. And if a third-party manages your website, the ACSC says point them at this alert and ask them directly what they’re doing about it.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CMS)