ACSC Issues Global CMS Exploitation Alert
The Australian Cyber Security Centre (ACSC) has published an advisory warning organizations worldwide about an active, large-scale exploitation campaign targeting vulnerable content management systems (CMS) and their plugins. The campaign is not Australia-specific — threat actors are conducting broad, opportunistic scanning across the internet for unpatched CMS installations.
What's Being Targeted
The campaign primarily focuses on:
- WordPress — including popular plugins such as file managers, form builders, e-commerce extensions, and SEO tools with known unpatched vulnerabilities
- Joomla — particularly older installations running components with deserialization and SQL injection flaws
- Drupal — sites that have not applied security updates for core and contributed modules
Attackers are leveraging publicly available exploit code and automated scanning tools to identify vulnerable installations at scale. Once a vulnerable endpoint is identified, exploitation is often fully automated.
Observed Threat Actor Behaviors
According to the ACSC advisory, threat actors observed in this campaign are conducting:
- Automated vulnerability scanning — mass scanning for known CVEs in CMS cores and plugins
- Credential stuffing — attempting stolen or brute-forced admin credentials against CMS login pages
- Web shell deployment — uploading PHP web shells for persistent access after initial exploitation
- Defacement operations — replacing website content with politically or ideologically motivated messaging
- Data exfiltration — harvesting user databases, email lists, and stored credentials
- Botnet recruitment — compromised servers are enrolled in DDoS and spam infrastructure
Why CMS Platforms Are High-Value Targets
Content management systems represent an outsized attack surface for several reasons:
- Massive install base — WordPress alone powers over 40% of all websites globally
- Plugin ecosystem complexity — thousands of third-party plugins, many with inconsistent security patching
- Delayed patching culture — many site owners do not apply updates promptly, especially for plugins
- Shared hosting concentration — a single compromised hosting account can expose dozens of sites
Recommended Actions
The ACSC recommends organizations take the following steps immediately:
For CMS Administrators
- Update everything: Apply all available security updates to CMS core, themes, and plugins
- Audit installed plugins: Remove inactive, unsupported, or unrecognized plugins
- Enable WAF: Deploy a Web Application Firewall to filter malicious requests
- Restrict admin access: Limit wp-admin, administrator, and similar paths to known IP ranges where feasible
- Enable MFA: Require multi-factor authentication on all admin accounts
- Review user accounts: Audit for unauthorized admin accounts added by attackers
- Monitor logs: Watch for unusual POST requests to plugin directories and admin paths
Indicators to Watch For
- Unexpected files in
/wp-content/uploads/or plugin directories - New administrator accounts not created by your team
- Outbound connections from the web server to unknown external IPs
- Modified
wp-config.phpor.htaccessfiles - Unexplained website defacement or content changes
Global Scope
While the advisory originates from Australia's cyber authority, the ACSC explicitly notes this campaign is global in scope. Similar warnings have been coordinated with counterpart agencies in the Five Eyes intelligence alliance. Organizations worldwide operating CMS platforms should treat this as an active threat requiring immediate attention.