Infosecurity

Global CMS Exploitation Campaign: Australian Cyber Agency Warns SMBs of ‘Highly Scaled’ Attacks

Published

on

Mass Scanning and Webshell Deployment Hit CMS Platforms Worldwide

Australian cybersecurity authorities have issued an urgent alert about a global campaign targeting content management systems. The Australian Cyber Security Centre (ACSC) described the effort as “highly scaled,” warning that attackers are aggressively scanning websites for unpatched flaws.

In a July 9 update, the ACSC confirmed that many small and midsize businesses in Australia have been affected. But this is not a localized problem. The campaign is global, and the tactics are blunt: scan, find a vulnerability, drop a webshell, and move on.

“Malicious cyber actors are actively scanning websites for opportunities to deploy webshells, leveraging various vulnerabilities affecting CMS software and plugins,” the ACSC said in its advisory.

The vulnerabilities being exploited fall into familiar categories: unauthenticated file upload, remote code execution, server-side request forgery, and deserialization flaws. Most of the CVEs in play are from 2025 or 2026 — recent enough that many site owners may not have patched.

Affected platforms include WordPress, Craft CMS, MaxSite CMS, MetInfo CMS, and Joomla JCE. The ACSC noted that the speed of scanning and exploitation suggests attackers may be using offensive AI-powered tooling.

That observation aligns with a rare joint statement from the Five Eyes intelligence agencies late last month. They warned that frontier AI will “fundamentally” transform the threat landscape — and that transformation is happening “within months,” not years.

What Attackers Do With a Webshell

A webshell is a small piece of malicious code uploaded to a web server. Once in place, it gives the attacker remote access to the CMS instance. From there, the possibilities are grim.

Threat actors can:

  • Deface websites
  • Capture user credentials through fake login pages
  • Upload additional malware
  • Use the web server as a foothold for broader network compromise

For an SMB running an outdated plugin, a single overlooked patch can lead to a full network breach. The ACSC stressed that any server hosting a webshell should be treated as fully compromised.

ACSC Advice: How to Check for Webshells and Recover

The ACSC published a detailed list of steps for website owners. The advice is practical and direct. If you suspect your site has been hit, here is what to do:

  • Inspect the CMS for webshells and vulnerable plugins
  • Examine web access logs for IP addresses making GET or POST requests to any webshell paths
  • Treat servers with webshells as compromised — isolate them immediately
  • Audit authentication and check network logs for malicious events
  • Trace historical web requests linked to initial exploitation and webshell deployment
  • Review network logs for traffic to known malicious IP addresses
  • Investigate logging and hosts for signs of persistence, lateral movement, or other malicious actions (new accounts, exfiltration attempts, malware deployment)
  • Patch vulnerable systems to prevent reinfection, and remove or quarantine webshells or other malware
  • Restore compromised websites from recent known-good backups

That is a lot of work. But the alternative — leaving a webshell in place — is worse.

Proactive Security: Patch, Monitor, Restrict

The ACSC also urged CMS owners to get ahead of the problem. Keeping software up to date is the single most effective step. But it is not enough on its own.

Site administrators should monitor and block unexpected file creation, especially in upload directories. Restricting file and path access limits what an attacker can do even if they find a foothold. Monitoring for new or unusual processes on the server can catch a webshell before it is used.

Finally, limiting broader network access from the web server reduces the blast radius. If a CMS is compromised, the attacker should not be able to pivot to the database server or internal file shares.

Five Eyes: AI Is Accelerating the Threat

The ACSC’s mention of possible AI-powered tooling echoes the broader Five Eyes warning. The intelligence alliance — Australia, Canada, New Zealand, the United Kingdom, and the United States — rarely issues joint statements. When it does, the cybersecurity world pays attention.

Their late-June statement said frontier AI will “fundamentally” change the threat landscape within months. Automated vulnerability scanning, payload generation, and evasion techniques are all areas where AI can give attackers an edge.

For defenders, the message is clear: the pace of attacks is not slowing down. It is accelerating.

For more on protecting your site, see our guide on securing WordPress against automated attacks and our breakdown of recent CMS zero-day vulnerabilities.

The ACSC advisory is a reminder that no site is too small to be targeted. Attackers are scanning everything. If your CMS is not patched, it is only a matter of time before they find it.

Leave a Reply

Your email address will not be published. Required fields are marked *

Trending

Exit mobile version