ACSC Warns of Large-Scale CMS Exploitation Campaign Deploys Webshells on Vulnerable Websites
Key Takeaways A widespread exploitation campaign is targeting numerous Content Management Systems (CMS) and their plugins globally. Attackers are deploying webshells on compromised web servers,...
Key Takeaways
- A widespread exploitation campaign is targeting numerous Content Management Systems (CMS) and their plugins globally.
- Attackers are deploying webshells on compromised web servers, granting them persistent remote control.
- The campaign leverages a combination of known vulnerabilities, many of which have existing patches.
- Small and medium-sized businesses are particularly at risk, with Australian entities specifically highlighted by the ACSC.
- The Australian Signals Directorate’s Cyber Security Centre (ACSC) has issued a critical alert, urging immediate patching and defensive measures.
Widespread CMS Exploitation Campaign Deploying Webshells Globally
A significant cyber offensive is underway, transforming various Content Management Systems (CMS) into launchpads for attackers. This broad-scale hacking campaign is actively compromising web servers worldwide, often without immediate detection, by implanting malicious webshells.
Table Of Content
Small and medium-sized businesses, including those in Australia and other regions, are seeing their web infrastructure silently hijacked. The extensive scope of this operation has prompted the Australian Signals Directorate’s Cyber Security Centre (ACSC) to issue a critical alert, highlighting the severe threat posed by these persistent backdoors.
At the core of this campaign is the deployment of webshells. Once successfully installed on a vulnerable server, a webshell provides attackers with covert remote access, allowing them to control the compromised website as if they had direct keyboard access. This unauthorized control enables malicious activities such as defacing web pages, exfiltrating sensitive login credentials, distributing malware, or establishing a foothold for deeper network intrusions, as detailed in an ACSC advisory.
Attackers Chaining Known Vulnerabilities
Analysts at the ACSC have meticulously tracked this campaign, observing its impact across numerous CMS platforms and associated plugins. Their investigation reveals a sophisticated approach where attackers are not relying on a single vulnerability but are instead exploiting a combination of known flaws to maximize their reach and effectiveness.
The vulnerabilities being leveraged encompass a range of critical weaknesses, including unauthenticated file uploads, remote code execution (RCE), server-side request forgery (SSRF), and unsafe deserialization. Many of these flaws have had publicly available patches for some time, making the widespread exploitation particularly alarming for organizations that have not maintained up-to-date software.
ASD’s ACSC said in a report shared with Cyber Security News (CSN) that this campaign reflects a concerning trend: the rapidly shrinking window between vulnerability disclosure and active exploitation. The agency also referenced a recent joint statement from the Five Eyes cyber security agencies, which warned that advancements in artificial intelligence are likely accelerating the speed and expanding the scale of such malicious operations.
Affected Platforms and Plugins
This exploitation wave targets a diverse array of web software. Specific WordPress plugins identified as targets include Simple File List, WavePlayer, BerqWP, WPBookit, Ninja Forms, ThemeREX Addons, Breeze Cache, pay-uz, ACF Extended, Sneeit Framework, WPvivid Backup, Gravity Forms, and GutenKit or Hunk Companion. Beyond the WordPress ecosystem, standalone CMS platforms such as Craft CMS, MaxSite CMS, MetInfo CMS, and Joomla JCE are also being actively exploited.
Attackers are employing automated scanning techniques to scour the internet for any web server running a vulnerable version of these platforms or plugins. Upon identifying a weakness, a webshell is injected into the target’s file system, establishing persistent remote access. This compromised server then becomes a tool for further nefarious activities, including website defacement, credential theft, malware distribution, or as a pivot point to infiltrate deeper into an organization’s internal network.
The distinguishing characteristic of this campaign is not the discovery of new, zero-day exploits, but rather the sheer breadth of its targeting. By casting a wide net across a multitude of CMS ecosystems instead of focusing on a single platform, attackers significantly increase their chances of finding unpatched targets, exploiting the common lag in security updates across the internet.
What You Should Do
- Identify and Remove Webshells: Immediately inspect your CMS directory for any unfamiliar files and analyze web access logs for suspicious requests targeting common webshell paths. Any server found with a webshell should be considered fully compromised.
- Isolate and Investigate: Isolate compromised servers from your network. Conduct a thorough audit of authentication logs and network traffic to detect any signs of lateral movement within your infrastructure. Trace back the intrusion to understand the initial point of compromise.
- Restore from Clean Backups: Once the affected environment has been thoroughly cleaned and all vulnerabilities patched, restore the website from a known good, clean backup.
- Prioritize Patching: Regularly update all CMS software, themes, and plugins. Since most exploited vulnerabilities have available patches, timely updates are the most critical defense.
- Disable Vulnerable Components: If a vulnerability is publicly disclosed for a plugin or component you use, disable it immediately if a patch is not yet available or cannot be applied instantly.
- Harden Web Server Configurations: Configure web directories as read-only where possible. Restrict file execution permissions to only necessary files and paths. Implement monitoring for unexpected child processes originating from the web server.
- Segment Networks: Implement strict network segmentation to limit communication between public-facing websites and internal systems. This reduces the risk of a compromised website leading to a broader organizational breach.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.