Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
ACSC Warns of Large-Scale CMS Exploitation Campaign Deploys Webshells on Vulnerable Websites
July 9, 2026
GodDamn Ransomware Rebrands From Beast and Uses PoisonX Driver to Disable Defenses
July 9, 2026
RedHook Android RAT Abuses ADB Wireless Debugging to Gain Shell-Level Access
July 9, 2026
Home/Threats/ACSC Warns of Large-Scale CMS Exploitation Campaign Deploys Webshells on Vulnerable Websites
Threats

ACSC Warns of Large-Scale CMS Exploitation Campaign Deploys Webshells on Vulnerable Websites

Key Takeaways A widespread exploitation campaign is targeting numerous Content Management Systems (CMS) and their plugins globally. Attackers are deploying webshells on compromised web servers,...

Emy Elsamnoudy
Emy Elsamnoudy
July 9, 2026 4 Min Read
2 0

Key Takeaways

  • A widespread exploitation campaign is targeting numerous Content Management Systems (CMS) and their plugins globally.
  • Attackers are deploying webshells on compromised web servers, granting them persistent remote control.
  • The campaign leverages a combination of known vulnerabilities, many of which have existing patches.
  • Small and medium-sized businesses are particularly at risk, with Australian entities specifically highlighted by the ACSC.
  • The Australian Signals Directorate’s Cyber Security Centre (ACSC) has issued a critical alert, urging immediate patching and defensive measures.

Widespread CMS Exploitation Campaign Deploying Webshells Globally

A significant cyber offensive is underway, transforming various Content Management Systems (CMS) into launchpads for attackers. This broad-scale hacking campaign is actively compromising web servers worldwide, often without immediate detection, by implanting malicious webshells.

Table Of Content

  • Key Takeaways
  • Widespread CMS Exploitation Campaign Deploying Webshells Globally
  • Attackers Chaining Known Vulnerabilities
  • Affected Platforms and Plugins
  • What You Should Do

Small and medium-sized businesses, including those in Australia and other regions, are seeing their web infrastructure silently hijacked. The extensive scope of this operation has prompted the Australian Signals Directorate’s Cyber Security Centre (ACSC) to issue a critical alert, highlighting the severe threat posed by these persistent backdoors.

At the core of this campaign is the deployment of webshells. Once successfully installed on a vulnerable server, a webshell provides attackers with covert remote access, allowing them to control the compromised website as if they had direct keyboard access. This unauthorized control enables malicious activities such as defacing web pages, exfiltrating sensitive login credentials, distributing malware, or establishing a foothold for deeper network intrusions, as detailed in an ACSC advisory.

Attackers Chaining Known Vulnerabilities

Analysts at the ACSC have meticulously tracked this campaign, observing its impact across numerous CMS platforms and associated plugins. Their investigation reveals a sophisticated approach where attackers are not relying on a single vulnerability but are instead exploiting a combination of known flaws to maximize their reach and effectiveness.

The vulnerabilities being leveraged encompass a range of critical weaknesses, including unauthenticated file uploads, remote code execution (RCE), server-side request forgery (SSRF), and unsafe deserialization. Many of these flaws have had publicly available patches for some time, making the widespread exploitation particularly alarming for organizations that have not maintained up-to-date software.

ASD’s ACSC said in a report shared with Cyber Security News (CSN) that this campaign reflects a concerning trend: the rapidly shrinking window between vulnerability disclosure and active exploitation. The agency also referenced a recent joint statement from the Five Eyes cyber security agencies, which warned that advancements in artificial intelligence are likely accelerating the speed and expanding the scale of such malicious operations.

Affected Platforms and Plugins

This exploitation wave targets a diverse array of web software. Specific WordPress plugins identified as targets include Simple File List, WavePlayer, BerqWP, WPBookit, Ninja Forms, ThemeREX Addons, Breeze Cache, pay-uz, ACF Extended, Sneeit Framework, WPvivid Backup, Gravity Forms, and GutenKit or Hunk Companion. Beyond the WordPress ecosystem, standalone CMS platforms such as Craft CMS, MaxSite CMS, MetInfo CMS, and Joomla JCE are also being actively exploited.

Attackers are employing automated scanning techniques to scour the internet for any web server running a vulnerable version of these platforms or plugins. Upon identifying a weakness, a webshell is injected into the target’s file system, establishing persistent remote access. This compromised server then becomes a tool for further nefarious activities, including website defacement, credential theft, malware distribution, or as a pivot point to infiltrate deeper into an organization’s internal network.

The distinguishing characteristic of this campaign is not the discovery of new, zero-day exploits, but rather the sheer breadth of its targeting. By casting a wide net across a multitude of CMS ecosystems instead of focusing on a single platform, attackers significantly increase their chances of finding unpatched targets, exploiting the common lag in security updates across the internet.

What You Should Do

  • Identify and Remove Webshells: Immediately inspect your CMS directory for any unfamiliar files and analyze web access logs for suspicious requests targeting common webshell paths. Any server found with a webshell should be considered fully compromised.
  • Isolate and Investigate: Isolate compromised servers from your network. Conduct a thorough audit of authentication logs and network traffic to detect any signs of lateral movement within your infrastructure. Trace back the intrusion to understand the initial point of compromise.
  • Restore from Clean Backups: Once the affected environment has been thoroughly cleaned and all vulnerabilities patched, restore the website from a known good, clean backup.
  • Prioritize Patching: Regularly update all CMS software, themes, and plugins. Since most exploited vulnerabilities have available patches, timely updates are the most critical defense.
  • Disable Vulnerable Components: If a vulnerability is publicly disclosed for a plugin or component you use, disable it immediately if a patch is not yet available or cannot be applied instantly.
  • Harden Web Server Configurations: Configure web directories as read-only where possible. Restrict file execution permissions to only necessary files and paths. Implement monitoring for unexpected child processes originating from the web server.
  • Segment Networks: Implement strict network segmentation to limit communication between public-facing websites and internal systems. This reduces the risk of a compromised website leading to a broader organizational breach.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackBreachExploitMalwarePatchSecurityVulnerability

Share Article

Emy Elsamnoudy

Emy Elsamnoudy

Emy is a cybersecurity analyst and reporter specializing in threat hunting, defense strategies, and industry trends. With expertise in proactive security measures, Emily covers the tools and techniques organizations use to detect and prevent cyber attacks. She is a regular speaker at security conferences and has contributed to industry reports on threat intelligence and security operations. Emily's reporting focuses on helping organizations improve their security posture through practical, actionable insights.

Previous Post

GodDamn Ransomware Rebrands From Beast and Uses PoisonX Driver to Disable Defenses

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical Roundcube 0-Click Vulnerability Lets Attackers Inject Stored XSS
July 9, 2026
Critical Microsoft Entra ID Flaw Lets Attackers Hijack Accounts
July 9, 2026
Critical Linux Kernel Flaw Allows Root Access via DRM Render Nodes
July 9, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us