Skip to main content
Emerging ThreatsMalware & Ransomware

Australian Cyber Agency Warns of Global CMS Exploitation Campaign

Small business office with computers and router, showing vulnerability through a large window overlooking a generic…

“A large-scale exploitation campaign is targeting various vulnerabilities in content management systems (CMS) globally, including in Australia, with many small- to medium-sized Australian businesses impacted,” the Australian Cyber Security Centre (ACSC) warns.

ACSC alert: scope and immediate risk

The ACSC issued an advisory describing an active, global campaign that is scanning for vulnerable CMS installations and plugins and deploying webshells to compromised websites. According to the government agency, many Australian businesses — particularly small- to medium-sized organizations — have already been affected. The agency says attackers are using the resulting persistent access to disrupt services, steal credentials, install additional malware, and move deeper into victim networks.

Exploited CMS platforms and tracked CVEs

The ACSC lists multiple CMS platforms and plugins that the campaign leverages. The products and identifiers named in the advisory are:

  • Simple File List (WordPress) – CVE-2025-34085/CVE-2020-36847
  • WavePlayer (WordPress) – CVE-2025-12057
  • BerqWP (WordPress) – CVE-2025-7443
  • WPBookit (WordPress) – CVE-2025-7852
  • Ninja Forms (WordPress) – CVE-2026-0740
  • ThemeREX Addons (WordPress) – CVE-2026-1969
  • Breeze Cache (WordPress) – CVE-2026-3844
  • pay-uz (WordPress) – CVE-2026-31843
  • ACF Extended (WordPress) – CVE-2025-13486
  • Sneeit Framework – CVE-2025-6389
  • WPvivid Backup (WordPress) – CVE-2026-1357
  • Gravity Forms (WordPress) – CVE-2025-12352
  • GutenKit/Hunk Companion (WordPress) – likely CVE-2024-9234
  • Craft CMS – CVE-2025-32432
  • MaxSite CMS – CVE-2026-3395
  • MetInfo CMS – CVE-2026-29014
  • Joomla JCE – CVE-2026-48907

Webshells, attacker objectives, and AI acceleration

The ACSC emphasizes that the campaign’s primary artifact is webshells: small pieces of code that deliver persistent access to a compromised website. The agency lists specific operational consequences tied to webshell deployment — disruption of services, credential theft, planting of additional malware, and lateral movement deeper into network environments. The advisory also notes the campaign might be supported by AI, which the ACSC says typically helps threat actors accelerate attacks and scale exploitation of emerging flaws.

Practical mitigations for website administrators

The ACSC sets out concrete steps for defenders. Administrators are recommended to:

  • Apply the latest security updates for CMS software, themes, and plugins;
  • Remove unused components;
  • Enable automatic updates where possible;
  • Make web directories read-only when possible;
  • Monitor for unauthorized file creation;
  • Restrict access to sensitive directories;
  • Block unexpected spawning of child processes on the web server.

What this means for small- to medium-sized Australian businesses, security teams, and plugin maintainers

Small- to medium-sized Australian businesses: The ACSC states many in this group have already been impacted; rapid patching and removal of unused plugins and themes are immediate steps the advisory recommends.

Security teams: The report highlights a detection gap cited in a Picus whitepaper, noting “Security teams log 54% of successful attacks and alert on just 14%,” with the remainder moving through environments unseen — a statistic the whitepaper links to the value of testing SIEM and EDR detection rules through breach-and-attack simulation.

Plugin and CMS maintainers: Multiple named plugins and frameworks appear on the ACSC list. Maintainers for those components are directly implicated by the advisory’s enumeration of exploited CVEs and thus face pressure to publish fixes and coordinate disclosure and update guidance.

The ACSC advisory ties a long list of tracked CVEs and specific products to active webshell deployments and warns of AI-enabled scaling. For website operators the prescription is literal and immediate: patch, remove the unused, harden directories, and hunt for unauthorized files. How quickly organizations follow those steps will determine whether webshells remain a foothold — and whether this campaign moves on to exploit the next set of flaws.

Original story