Overview
- Australia’s cyber agency has alerted that a large, ongoing campaign is scanning and exploiting known flaws in popular content management systems to install webshells that give attackers persistent server access.
- The campaign targets specific products and plugins including WordPress extensions, Joomla JCE, Craft, MaxSite and MetInfo using flaws that allow unauthenticated file uploads, remote code execution or server-side request forgery.
- Webshells let attackers run commands, modify files, steal credentials, host phishing or malware and use compromised web servers to pivot into internal networks, a risk that is especially severe for small and medium businesses with limited security teams.
- The ACSC and industry sources urge immediate patching of CMS cores, themes and plugins, exhaustive log and file inspections, isolation and forensic imaging of any compromised hosts, removal of unused plugins and restoration from known-good backups.
- Authorities noted no actionable IoCs were published in the advisory, which raises reliance on patch management and behavioral detection, and warned that faster, possibly AI-enabled exploitation could shrink the time available to defend sites.