Addressing CMS Vulnerabilities: Australia Warns of AI-Accelerated Global Campaign
australian cyber security centreacsccms vulnerabilitiesai cyber attackswebshellwordpressninja formssimple file listcve-2025-34085cve-2026-0740patching fatiguecybersecurity

Addressing CMS Vulnerabilities: Australia Warns of AI-Accelerated Global Campaign

Beyond Patching: Addressing Persistent CMS Vulnerabilities in an AI-Driven Threat Landscape

The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) recently issued a stark warning regarding a large-scale campaign exploiting CMS vulnerabilities and their plugins in Australia. This warning underscores the persistent challenge of known flaws, often with available patches, remaining unaddressed. The integration of AI is now accelerating attack speed and scale, fundamentally altering the dynamics of these exploitation campaigns.

Current Exploitation Campaigns

The ACSC's alert confirms a large-scale exploitation campaign. Attackers are actively scanning websites for specific CMS vulnerabilities in popular CMS platforms and their plugins. This includes WordPress, Craft CMS, MaxSite CMS, MetInfo CMS, and Joomla JCE, among others. For WordPress, targets include plugins like Simple File List, WavePlayer, BerqWP, Ninja Forms, and Gravity Forms. Many of these vulnerabilities, such as CVE-2025-34085 for Simple File List or CVE-2026-0740 for Ninja Forms, are not zero-days and have had patches available for months.

Once an opening is found, the objective is to deploy a webshell. This typically involves exploiting unauthenticated file upload, remote code execution, server-side request forgery (SSRF), or deserialisation attacks, rather than zero-day exploits. The ACSC reports numerous Australian businesses are already impacted, a pattern consistent with global incident response cases I've observed, including a recent compromise of a regional logistics firm, underscoring its continued effectiveness as an attack vector.

Automated scanning tools relentlessly probe web servers for known CMS vulnerabilities, a common precursor to exploitation.
Automated scanning tools relentlessly probe web servers for

The Webshell: A Gateway to Broader Compromise

The attack chain's straightforward nature significantly contributes to its effectiveness.

Attackers first use automated tools to scan the internet for sites running vulnerable versions of these CMS platforms or their plugins. This is not a targeted approach against a specific company, but a broad sweep for easily exploitable systems.

When a vulnerability like an unauthenticated file upload is identified, they use it to drop a webshell onto the server. A webshell functions as a backdoor—typically a small script, often PHP or ASP, that grants the attacker remote access and control over the compromised web server via a web browser. This allows them to execute commands, browse files, upload additional tools, or modify website content.

Once a webshell is established, the attacker's capabilities expand quickly, leading to a rapid escalation of consequences:

The immediate and most visible outcome is often website defacement or disruption, though this is typically the least damaging. More critically, webshells enable credential capture and data theft; if the web server can access databases or other sensitive information, that data is compromised. Attackers can also inject malicious code into the website, turning legitimate traffic into victims by delivering malware to website users. The most significant concern, however, is the establishment of a foothold for broader network compromise. A webshell on an internet-facing web server can serve as a pivot point, allowing attackers to attempt lateral movement into internal corporate networks in pursuit of more valuable targets. This pattern, where a neglected marketing site becomes the initial entry for a full network compromise, has been observed repeatedly in incident response cases.

The ACSC, in alignment with recent reports from Five Eyes cyber security agencies, notes that AI is accelerating this process. Instead of discovering novel vulnerabilities, AI is primarily enhancing the speed and scale of exploiting existing, known flaws. This shrinking interval between vulnerability disclosure and widespread exploitation significantly elevates operational risk for all organizations, highlighting the urgency in addressing CMS vulnerabilities.

Why do these vulnerabilities persist?

This persistent challenge—where patches exist for many CVEs, yet businesses continue to be compromised—constitutes the central problem. Several key factors contribute to this:

One primary factor is patching fatigue and resource constraints. Small and medium-sized businesses (SMBs), heavily affected by this campaign, often lack dedicated security teams. Website management frequently falls to marketing personnel, IT generalists, or external agencies that may not prioritize security updates. The task of maintaining every plugin update across multiple sites can easily become a full-time responsibility, exacerbating the problem of unaddressed CMS vulnerabilities.

Another significant challenge is the resistance to updates due to perceived risk. Many businesses hesitate to update their CMS or plugins, fearing that new versions might break existing functionality. The legitimate concern of a critical business website outage caused by an update can sometimes lead to the perceived risk of an update outweighing the perceived risk of an unpatched vulnerability.

Finally, a pervasive lack of visibility contributes to the problem. Many organizations simply do not possess a clear inventory of the software and plugin versions they are running, nor do they know if vulnerable instances are exposed to the internet. Effective patching fundamentally requires this foundational understanding of assets to mitigate CMS vulnerabilities.

What we need to do about it

In response, the ACSC has issued several immediate, practical recommendations: Organizations must immediately inspect their CMS environments for webshells and any abnormal file changes, meticulously reviewing web access logs for suspicious GET or POST requests to unusual paths. A historical review of logs is crucial to pinpoint the initial compromise. They should also review network logs for interactions with identified IP addresses and investigate for persistence and lateral movement. Following detection, vulnerable systems must be patched immediately to prevent reinfection, and if compromise is suspected, restoring from a known-good backup is paramount.

Looking beyond immediate remediation, long-term protective strategies are equally vital: It is crucial to keep all website software and plugins up to date, potentially considering automatic patching for non-critical components where appropriate. Plugins with actively exploited CMS vulnerabilities should be disabled until mitigations can be applied. To hinder webshell deployment, organizations should restrict or monitor file creation in web directories and limit access to sensitive files and paths. Furthermore, monitoring for unexpected child processes spawned by web servers is essential for early detection of compromise. Finally, blocking unnecessary network communication between internet-facing websites and internal systems is a critical step to contain lateral movement and prevent broader network compromise.

It is clear that we must move beyond simply advising organizations to patch. For SMBs, operational realities demand simpler, more automated solutions, such as managed security services that integrate automated vulnerability scanning and less disruptive patching mechanisms. Hosting providers, for instance, could offer enhanced default security configurations like Web Application Firewalls (WAFs) and automated patching for non-critical components. We also need improved education for non-technical website owners regarding the tangible risks of not patching. The threat has moved beyond theoretical concerns; it is now a tangible, AI-accelerated campaign actively exploiting unaddressed CMS vulnerabilities. Many organizations are now facing confidentiality breaches because they mistakenly treat a critical security update as a mere software update failure, failing to grasp the significant distinction.

Vigilant cybersecurity analysts are crucial for detecting and responding to webshell activity and other post-exploitation tactics.
Vigilant cybersecurity analysts are crucial for detecting
Daniel Marsh
Daniel Marsh
Former SOC analyst turned security writer. Methodical and evidence-driven, breaks down breaches and vulnerabilities with clarity, not drama.