Key Takeaways
- The Australian Cyber Security Centre (ACSC) issued a warning about a large‑scale, global scanning campaign targeting vulnerabilities in popular content management systems (CMS).
- Attackers are exploiting unauthenticated file‑upload, remote code execution, server‑side request forgery, and deserialization flaws to deploy webshells.
- Most of the exploited CVEs date from 2025‑2026 and affect WordPress, Craft CMS, MaxSite CMS, MetInfo CMS, and Joomla JCE.
- The speed and volume of the activity suggest the possible use of offensive AI‑powered tooling, a trend highlighted by the Five Eyes joint statement.
- ACSC recommends immediate inspection for webshells, log analysis, isolation of compromised servers, thorough forensic investigation, patching, restoration from clean backups, and ongoing hardening measures such as timely updates, file‑creation monitoring, and restricted file‑path access.
Overview of the ACSC Warning
The Australian Cyber Security Centre (ACSC) released an advisory on July 9 alerting owners of content management systems to a “highly scaled” effort to scan for and exploit weaknesses in their products. While many small‑ and medium‑sized businesses (SMBs) in Australia have been observed as victims, the campaign is inherently global, affecting CMS installations worldwide. The notice emphasizes that malicious cyber actors are actively probing websites for opportunities to install webshells, leveraging a range of known vulnerabilities that allow unauthenticated file upload, remote code execution, server‑side request forgery (SSRF), or deserialization. This alert follows a recent joint statement from the Five Eyes intelligence alliance warning that frontier AI will fundamentally reshape the threat landscape within months, suggesting that the observed activity may be aided by emerging offensive AI tools.
Scale and Scope of the Campaign
According to the ACSC, the scanning effort is extensive, with thousands of IP addresses probing CMS endpoints for vulnerable entry points. The campaign’s rapid tempo indicates a coordinated, possibly automated approach rather than isolated, opportunistic attacks. Although the advisory notes a noticeable impact on Australian SMBs—entities that often lack dedicated security teams—the underlying infrastructure being targeted spans multiple continents, indicating that the threat actors have built a broad scanning infrastructure capable of reaching CMS instances irrespective of geographic location. The global nature of the threat underscores the necessity for all CMS administrators, regardless of jurisdiction, to treat the advisory as a call to action.
Technical Details of Exploited Vulnerabilities
The vulnerabilities being leveraged in this campaign primarily fall into four categories: unauthenticated file upload, remote code execution (RCE), server‑side request forgery (SSRF), and insecure deserialization. Unauthenticated file upload permits attackers to place malicious files—such as webshells—directly onto the web server without needing valid credentials. RCE flaws enable the execution of arbitrary code on the host system, often leading to full server compromise. SSRF vulnerabilities allow attackers to coerce the server into making internal requests, potentially exposing internal services or metadata. Finally, deserialization bugs can be abused to execute malicious code during the processing of serialized data. The ACSC notes that many of the CVEs associated with these flaw classes were published in 2025 or 2026, indicating that attackers are focusing on relatively recent disclosures that may still be unpatched in a significant portion of the deployed base.
Common Targeted CMS Platforms
The advisory lists several widely used CMS products that have been observed in the wild as targets of this campaign: WordPress, Craft CMS, MaxSite CMS, MetInfo CMS, and the Joomla JCE (Joomla! Content Editor) plugin. WordPress, powering a large‑scale due to its extensive plugin ecosystem, remains a frequent target because outdated plugins often contain the very file‑upload or RCE flaws being exploited. Craft CMS, known for its flexibility, has also shown susceptible components in recent releases. MaxSite and MetInfo CMS, though less prevalent globally, are still present in numerous regional deployments and have been identified in scanning logs. The Joomla JCE plugin, a popular extension for enhancing Joomla’s editing capabilities, has historically harbored vulnerabilities that allow unauthenticated file upload, making it an attractive entry point for attackers seeking to drop webshells.
Role of AI‑Powered Tooling
The ACSC highlights that the velocity and scale of the scanning activity raise the possibility that threat actors are employing offensive AI‑powered tooling. Such tools can autonomously identify vulnerable endpoints, generate tailored exploit payloads, and adapt scanning patterns to evade basic detection mechanisms. The Five Eyes joint statement released shortly before the ACSC advisory warned that frontier AI will “fundamentally” transform the threat landscape “within months,” a prediction that aligns with the observed behavior in this campaign. While definitive proof of AI use has not been presented, the combination of high‑volume scanning, rapid exploitation of newly disclosed CVEs, and minimal human interaction patterns suggests that automation—potentially augmented by machine learning—may be playing a role in the attackers’ workflow.
Potential Impacts of Compromise
Once a webshell is successfully deployed, attackers gain persistent, remote access to the compromised web server. This access can be leveraged for a variety of malicious objectives: defacing the website to spread propaganda or disrupt business operations, harvesting user credentials submitted through login forms, uploading additional malware (such as ransomware or cryptocurrency miners), and using the server as a pivot point to move laterally within the victim’s internal network. The ACSC warns that compromised CMS instances may also serve as footholds for broader network compromise, enabling threat actors to access databases, file shares, or other critical assets housed on the same network segment. The potential for data exfiltration, service disruption, and reputational damage underscores the urgency of timely detection and remediation.
Immediate Response Steps Recommended by the ACSC
Upon suspicion of compromise, the ACSC advises website owners to undertake a series of immediate actions. First, inspect the CMS installation and associated plugins for any unfamiliar or suspicious files that could function as webshells. Second, examine web access logs for IP addresses issuing GET or POST requests to known webshell paths or unusual URLs. Third, treat any server found hosting a webshell as compromised: isolate it from the network, enforce multi‑factor authentication for administrative accounts, and review authentication logs for anomalous login attempts. Fourth, trace historical web requests linked to the initial exploitation and webshell deployment to understand the attack chain. Fifth, review network logs for traffic to or from malicious IP addresses identified during the investigation. Sixth, investigate logging and host artifacts for evidence of persistence—such as newly created user accounts, scheduled tasks, or unexpected service installations—as well as signs of lateral movement or data exfiltration attempts. Seventh, patch all vulnerable CMS core files, themes, and plugins to the latest versions, and remove or quarantine any detected webshells or malware. Eighth, restore the website from a recent, known‑good backup that has been verified to be free of malicious code.
Forensic Investigation and Evidence Collection
A thorough forensic investigation is essential to determine the full extent of the compromise and to support any potential legal or regulatory actions. Investigators should collect volatile memory dumps from affected servers, preserve web server and application logs, and capture network traffic logs (e.g., NetFlow, firewall logs) covering the period before, during, and after the suspected intrusion. File integrity monitoring tools can help identify newly created or modified files within the CMS directory structure. Analyzing the webshell code itself—its functionality, obfuscation techniques, and any embedded command‑and‑control (C2) infrastructure—can reveal attacker motives and possible links to known threat groups. Additionally, reviewing authentication mechanisms for signs of credential theft (e.g., password spraying, token theft) and examining outbound connections for data exfiltration patterns will help build a comprehensive picture of the attack.
Remediation and Recovery Procedures
After containment and evidence collection, the focus shifts to eradication and recovery. All identified vulnerabilities must be patched promptly; administrators should subscribe to vendor security mailing lists or use automated patch management tools to ensure timely updates. Any custom code or third‑party plugins should be reviewed for security flaws, and unnecessary plugins should be disabled or removed. Webshells and other malicious artifacts must be deleted from the file system, and any backdoors—such as hidden admin accounts or altered .htaccess files—must be eliminated. Before returning the server to production, conduct a rigorous security validation: run vulnerability scans, perform penetration testing on the CMS environment, and verify that logging and alerting mechanisms are functioning correctly. Finally, restore services from the clean backup, monitor closely for any signs of reinfection, and consider implementing a web application firewall (WAF) to provide an additional layer of defense against future exploitation attempts.
Proactive Hardening Measures for CMS Environments
To reduce the likelihood of future compromise, the ACSC recommends a set of proactive hardening practices. Keep the CMS core, themes, and plugins up to date, prioritizing patches for known critical vulnerabilities. Implement strict file‑upload controls: whitelist allowed file types, store uploaded files outside the web root, and scan uploads for malicious content. Restrict file‑system permissions to the principle of least privilege, ensuring that the web server process cannot write to executable directories unless absolutely necessary. Disable or restrict dangerous PHP functions (e.g., eval, system, exec) via the disable_functions directive in php.ini. Deploy a WAF with rule sets tailored to CMS‑specific threats, and enable logging of all file‑creation, process‑execution, and authentication events. Regularly review privileged accounts, enforce strong passwords and multi‑factor authentication, and conduct periodic security awareness training for administrators. Finally, maintain an offline, regularly tested backup strategy to ensure rapid recovery should an incident occur.
By heeding the ACSC’s warnings and following the prescribed response and hardening steps, organizations can significantly reduce their exposure to this highly scaled CMS‑targeting campaign and bolster their overall resilience against evolving cyber threats.

