ACSC Warns: CMS Campaign Installs Web Shells via 17 CVEs
Attackers are compromising websites at scale and installing hidden tools on servers to maintain remote control. The campaign has hit numerous small and medium-sized organizations in Australia. However, the attacks extend well beyond any single country. Australia’s Cyber Security Centre has issued a public advisory on the CMS exploitation campaign. It warns that attackers are automatically scanning websites for vulnerable CMS platforms and plugins.
How Attackers Enter and What They Do Next
The vulnerabilities they exploit fall into several categories. These include unauthorized file uploads, server-side command execution, server-side request forgery, and the processing of specially crafted data inputs.
Once a site is compromised, attackers install web shells. These shells provide persistent remote access to the server. Through them, criminals can modify or disable sites. They can also intercept visitor passwords and steal stored data. Additionally, they can deploy malware or use the server as an entry point into the organization’s internal network.
17 CVEs Exploited in This Campaign
The campaign exploits vulnerabilities across a wide range of software. The following CVEs have been confirmed or are considered probable.
- Simple File List for WordPress — CVE-2020-36847 (9.8 Critical)
- WavePlayer for WordPress — CVE-2025-12057 (9.8 Critical)
- BerqWP for WordPress — CVE-2025-7443 (8.1 High)
- WPBookit for WordPress — CVE-2025-7852 (9.8 Critical)
- Ninja Forms File Uploads for WordPress — CVE-2026-0740 (9.8 Critical)
- ThemeREX Addons for WordPress — CVE-2026-1969 (9.8 Critical)
- Breeze Cache for WordPress — CVE-2026-3844 (9.8 Critical)
- pay-uz for WordPress — CVE-2026-31843 (10.0 Critical)
- Advanced Custom Fields: Extended for WordPress — CVE-2025-13486 (9.8 Critical)
- Sneeit Framework for WordPress — CVE-2025-6389 (9.8 Critical)
- WPvivid Backup and Migration for WordPress — CVE-2026-1357 (9.8 Critical)
- Gravity Forms for WordPress — CVE-2025-12352 (9.8 Critical)
- GutenKit and Hunk Companion for WordPress — CVE-2024-9234 (9.8 Critical) — probable link
- Craft CMS — CVE-2025-32432 (9.8 Critical)
- MaxSite CMS — CVE-2026-3395 (7.3 High)
- MetInfo CMS — CVE-2026-29014 (9.8 Critical)
- Joomla Content Editor — CVE-2026-48907 (10.0 Critical)
Incident Response: What to Check When You Find a Web Shell
Administrators should inspect site and plugin directories for unknown or recently modified files. Additionally, access logs should be reviewed for suspicious GET and POST requests. Any server where a web shell is found should be treated as fully compromised. That server should be isolated from the network immediately. Investigators should then look for new user accounts, malware, data exfiltration attempts, and lateral movement between systems.
Administrators should also review earlier log entries to find the initial point of compromise. Network logs and firewall records can reveal external connections made by the infected server.
Remediation Steps
Vulnerable components should be updated immediately. Plugins without patches should be disabled temporarily. After removing or isolating malicious files, the server should not return to the network until a full investigation is complete. If a site was compromised, restoring from a recent, known-clean backup is strongly recommended.
Hardening Recommendations
For additional protection, organizations should restrict write access to directories that should not change. They should also monitor child processes spawned by the web server. Separating public-facing websites from the internal corporate network adds another layer of defense. Enabling automatic security patches reduces the window during which a site remains vulnerable.
If preventing all file creation is not feasible, administrators should monitor for any file changes outside of approved maintenance windows. This approach helps detect web shells sooner and limits the time they operate on a compromised server.
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.