July 14, 2026
Global CMS Exploitation Campaign and Security Mitigation Guide
Intro

By SOCFortress
2 min read
Intro
A sophisticated, large-scale exploitation campaign is currently sweeping across the globe, with a sharp focus on Australian Content Management Systems (CMS) like WordPress, Joomla, and Craft CMS. This isn't a series of targeted strikes against high-value corporations; it is a wide-net, highly automated operation. Attackers are using machine-speed tools to find any open door, turning the digital presence of local Australian businesses into staging grounds for deeper incursions.
Webshells
The ultimate objective of this campaign is the quiet deployment of "webshells." A webshell is a malicious script or tool installed on a web server to provide attackers with permanent remote access. Because these tools sit within your website's existing file structure, they are invisible to the casual observer and incredibly difficult to detect without dedicated monitoring.
According to the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC), once a webshell is embedded, attackers leverage it for four primary, high-impact purposes:
- Website Defacement or Disruption: Changing your site's content or taking it offline to damage your brand.
- Credential Harvesting: Silently capturing usernames and passwords entered by your customers or staff.
- Malware Distribution: Using your legitimate domain to host and spread malware to unsuspecting visitors.
- Network Pivoting: Using the compromised server as a beachhead to move laterally into your broader corporate network.
Add-ons are the Primary Gateways
The current campaign highlights a critical architectural truth: the "attack surface" is rarely the core CMS software itself, but rather the sprawling ecosystem of plugins and themes. Attackers are exploiting a diverse array of flaws, ranging from unauthenticated file uploads and remote code execution to more complex levers like server-side request forgery (SSRF) and deserialization.
Representative examples currently being exploited include:
- Simple File List (WordPress): CVE-2025–34085
- Ninja Forms (WordPress): CVE-2026–0740
- Gravity Forms (WordPress): CVE-2025–12352
- Craft CMS: CVE-2025–32432
- Joomla JCE: CVE-2026–48907
These are "old-school" vulnerability types being exploited with "new-school" efficiency. It serves as a reminder that the convenience of a new plugin often comes with a hidden security debt that must be managed.
The "Read-Only" Fortress: Stopping Malice at the Gate
One of the most effective defensive "pro-tips" for website owners is also one of the most underutilized: proactive directory management. By default, most web directories are left open for writing to make updates easy. However, this is exactly what allows a webshell to be saved to your server.
Configuring web directories as read-only can effectively neuter an automated attack. If an attacker's script cannot write a new file to the directory, the exploitation chain breaks. While this necessitates a more formal process for legitimate updates, the security payoff is massive.
Furthermore, a sophisticated "Strategist" move involves monitoring for "child processes." When a webshell executes a command, it typically spawns a process off the main webserver. By implementing application control to restrict the execution of unauthorized software and child processes, organizations can kill an attack even if the initial file upload was successful.
Old Vulnerabilities, New Speed
There is a frustrating irony at the heart of this global campaign: almost every vulnerability being exploited has a patch available. We aren't seeing a wave of "zero-day" mysteries; we are seeing a failure to address "known-knowns."
To combat this, the ASD's ACSC recommends a shift in how we think about responsibility:
- For Self-Managed Infrastructure: Automate patching wherever the risk of a faulty update is low. If you cannot patch immediately, the plugin must be disabled.
- For the Risk-Averse: Move to managed cloud services where the provider is responsible for remediating vulnerabilities. This shifts the "shared responsibility" to experts who are equipped to move at the machine-speed required by the current threat landscape.
If you suspect your website has been impacted or need to report a cyber security incident, visit the official reporting channel at www.cyber.gov.au/report.