{"slug": "australian-cyber-security-centre-issues-alert-on-mass-exploitation-of-cms", "title": "Australian Cyber Security Centre Issues Alert on Mass Exploitation of CMS Vulnerabilities", "summary": "The Australian Cyber Security Centre (ACSC) issued a critical alert on July 11, 2026, about a global cyberattack campaign exploiting known, patched vulnerabilities in Content Management Systems (CMS) and plugins. Threat actors are mass-scanning for unpatched websites to install webshells, enabling server compromise, data theft, and potential ransomware. The ACSC noted that AI may be accelerating attackers' ability to weaponize newly disclosed vulnerabilities, reducing the window for defenders to patch.", "body_md": "*Originally published on CyberNetSec.*\n\nOn July 11, 2026, the ** Australian Cyber Security Centre (ACSC)** released a critical alert detailing a large-scale, global cyberattack campaign. Threat actors are systematically exploiting a wide range of known, patched vulnerabilities in popular Content Management Systems (CMS) and their associated plugins. The primary targets include\n\nThe campaign is characterized by its broad scope and reliance on exploiting old, unpatched vulnerabilities. Attackers are conducting mass scanning operations to identify internet-facing websites running vulnerable versions of CMS platforms or plugins. Once a target is identified, the attackers exploit a known flaw to achieve initial access, with the end goal of uploading a webshell.\n\nA webshell provides a backdoor, allowing the attacker to execute commands on the server, manipulate files, and access databases. This access is then used for various malicious purposes:\n\nThe ACSC noted that the use of AI by threat actors may be accelerating their ability to weaponize newly disclosed vulnerabilities, shortening the window for defenders to patch.\n\nThe campaign leverages a list of 17 specific vulnerabilities. The exploitation of these flaws falls under the MITRE ATT&CK technique [ T1190 - Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190/). The ultimate goal is the installation of a webshell, which corresponds to\n\n`T1505.003 - Server Software Component: Web Shell`\n\nThe targeted vulnerabilities include, but are not limited to:\n\n`CVE-2026-1357`\n\n), Ninja Forms (`CVE-2026-3844`\n\n), Breeze Cache (`CVE-2026-1969`\n\n), Gravity Forms (`CVE-2025-12352`\n\n), and others.`CVE-2026-0740`\n\n).`CVE-2025-34085`\n\n), MaxSite CMS (`CVE-2020-36847`\n\n), and MetInfo CMS (`CVE-2025-7852`\n\n).These vulnerabilities range from unauthenticated file uploads to remote code execution and server-side request forgery (SSRF). The fact that many of these have had patches available for months or years indicates a systemic failure in patch management across many organizations.\n\nThe impact on a compromised organization can be severe. A public-facing website is often the gateway to an organization's digital presence. A breach can lead to significant reputational damage from website defacement or data leaks. The theft of customer data can result in regulatory fines and loss of trust. If the compromised web server is used as a pivot point into the internal network, it can lead to a full-scale enterprise breach, potentially culminating in a ransomware attack. For small and medium businesses with limited security resources, recovering from such an attack can be financially devastating.\n\nNo specific webshell hashes, IP addresses, or C2 domains were mentioned in the source articles.\n\nSecurity teams should proactively hunt for signs of compromise related to this campaign:\n\n| Type | Value | Description |\n|---|---|---|\n| url_pattern | `*/wp-content/plugins/*/` |\nLook for suspicious POST requests to plugin directories, especially for file uploads (`.php` , `.phtml` ). |\n| file_name | `*.php` |\nSearch for recently created or modified PHP files in unexpected locations, such as image upload directories. |\n| log_source | `Web Server Access Logs` |\nScrutinize logs for requests to known vulnerable endpoints associated with the listed CVEs. Look for unusual user agents or requests from a single IP hitting multiple non-existent pages. |\n| command_line_pattern | `(curl | wget) http:///.sh` |\n\n`.php`\n\n.`.jpg`\n\nfile that is later executed). This is an application of `D3-NTA - Network Traffic Analysis`\n\nThe most critical mitigation is timely patch management.\n\n`M1051 - Update Software`\n\n`M1022 - Restrict File and Directory Permissions`\n\n`M1030 - Network Segmentation`", "url": "https://wpnews.pro/news/australian-cyber-security-centre-issues-alert-on-mass-exploitation-of-cms", "canonical_source": "https://dev.to/netsecops_io/australian-cyber-security-centre-issues-alert-on-mass-exploitation-of-cms-vulnerabilities-395e", "published_at": "2026-07-12 19:24:45+00:00", "updated_at": "2026-07-12 19:43:59.186533+00:00", "lang": "en", "topics": ["ai-safety"], "entities": ["Australian Cyber Security Centre", "ACSC", "MITRE ATT&CK", "Ninja Forms", "Breeze Cache", "Gravity Forms", "MaxSite CMS", "MetInfo CMS"], "alternates": {"html": "https://wpnews.pro/news/australian-cyber-security-centre-issues-alert-on-mass-exploitation-of-cms", "markdown": "https://wpnews.pro/news/australian-cyber-security-centre-issues-alert-on-mass-exploitation-of-cms.md", "text": "https://wpnews.pro/news/australian-cyber-security-centre-issues-alert-on-mass-exploitation-of-cms.txt", "jsonld": "https://wpnews.pro/news/australian-cyber-security-centre-issues-alert-on-mass-exploitation-of-cms.jsonld"}}