Australia’s ASD Warns of Active Campaign Exploiting 17 CMS CVEs

Australia's Signals Directorate warned of an active global campaign scanning for 17 known CVEs across WordPress, Joomla, and other public-facing CMS platforms.
Table of Contents
    Add a header to begin generating the table of contents

    Australia’s Signals Directorate and the Australian Cyber Security Centre issued an advisory warning that an ongoing, opportunistic campaign is actively scanning for and exploiting 17 known CVEs across WordPress, Joomla, and other content management systems, with post-exploitation activity including webshell deployment, credential theft, and lateral movement into internal networks. The campaign targets organizations of all sizes and sectors globally, making it a broad-based threat rather than a targeted one.

    The Active Global Campaign: 17 CVEs Exploited Across WordPress, Joomla, and Other CMS Platforms

    The ASD advisory describes the campaign as international and ongoing — attackers are not waiting for specific targets but systematically scanning public internet space for CMS installations running unpatched versions of the 17 identified vulnerabilities. This opportunistic profile means any organization with a public-facing WordPress or Joomla site running software or plugins with unpatched CVEs from the advisory list is a potential victim regardless of its industry, size, or visibility.

    17 Known CVEs Exploited Against Unpatched CMS Installations and Their Plugins

    The 17 CVEs targeted in the campaign span WordPress, Joomla, and other CMS platforms alongside their associated plugins. The advisory does not enumerate each CVE individually, but the combination of CMS core software and third-party plugin vulnerabilities reflects the typical attack surface of a public-facing CMS installation: the core platform may be current while numerous plugins remain unpatched, each representing a separate entry point. Attackers scanning for this class of vulnerabilities use automated tools that probe for version indicators and known vulnerable endpoints, allowing rapid identification of exploitable targets across millions of installations without manual reconnaissance.

    How the ASD Campaign Turns WordPress and Joomla Footholds into Internal Network Access

    The advisory documents three distinct post-exploitation actions observed after attackers successfully exploit a vulnerable CMS. First, they deploy webshells — persistent remote access scripts embedded in the compromised site’s file system that give the attacker a command interface to the web server without requiring repeated exploitation. Second, they conduct credential theft, extracting authentication credentials stored or processed by the CMS or its database. Third, they move laterally from the compromised web server into the organization’s internal networks, using the CMS host as a pivot point. The combination of these three actions transforms a website compromise into a potential enterprise network intrusion, with the public-facing CMS serving as the initial foothold.

    Why the Campaign’s Opportunistic Profile Puts All Public-Facing CMS Sites at Risk

    Most targeted threat advisories warn about attacks directed at specific industries, geographies, or organization types. The ASD advisory describes the opposite: a campaign that does not select targets based on who they are or what data they hold but instead exploits every vulnerable instance it can find. This opportunistic model means an organization’s absence from traditional high-value target categories provides no protection. A small municipality, a non-profit, a regional healthcare provider, and a financial services firm face equal exposure if their WordPress or Joomla installations carry any of the 17 CVEs the campaign exploits.

    Why Webshells Make This Campaign’s Persistent Access Especially Difficult to Clear

    Webshells are among the most durable post-exploitation artifacts because they are often indistinguishable from legitimate PHP or script files in a site’s directory structure, they survive CMS updates unless the compromised file is specifically overwritten, and they remain active even after the initial vulnerability that enabled deployment is patched. Organizations that patch their CMS after reading the ASD advisory but do not audit for webshell presence may still be compromised — they have closed the entry point but left the attacker’s persistent access mechanism intact. The ASD advisory specifically calls for auditing for webshell presence as a required step alongside patching.

    ASD’s Recommended Mitigations Against the CMS Exploitation Campaign

    The ASD advisory specifies three categories of immediate mitigation. Organizations should apply all available patches for CMS core software and plugins immediately, without waiting for scheduled maintenance windows. They should audit their web server file systems for webshell presence, looking for recently modified or created PHP or script files in directories where user-uploaded or administrator-placed files are not expected. Finally, the advisory calls for enforcing strong authentication on CMS administrative interfaces, including multi-factor authentication where supported, to reduce the impact of credential theft achieved through CMS compromise.

    The combination of the ASD advisory with same-day CISA KEV additions targeting Joomla installations makes this a compounded alert day for any organization running public-facing CMS installations. Treating these advisories as separate incidents rather than as concurrent signals of elevated CMS-targeting activity would understate the current threat level for unpatched web infrastructure.

    Related Posts