All incidents

CMS Exploitation Campaign Deploys Webshells on Australian SMB Websites

malwareopenJul 13, 2026 — Jul 13, 2026
ACSC warns of CMS flaws driving webshell attacks on Aussie SMBs

THE Australian Signals Directorate’s Australian Cyber Security Centre has warned of a large‑scale campaign that is exploiting weaknesses in popular content management systems to drop webshells on the sites of small and medium businesses. The activity has been seen across WordPress and Joomla installations and poses a risk of defacement, data theft and malware distribution. The alert urges immediate action to limit exposure, as detailed in the advisory.

Technical details show that attackers are scanning for known flaws in plugins such as Simple File List and Gravity Forms, as detailed in a recent report, taking advantage of unauthenticated file upload functions and remote code execution weaknesses. Once a vulnerable endpoint is found they upload a malicious script that acts as a webshell, giving the adversary persistent command‑line access to the web server. The advisory notes that no specific CVE identifiers have been published for the flaws being abused in this wave.

The webshells enable a range of follow‑on actions including the installation of additional malware, the harvesting of administrator credentials and the use of the compromised site as a pivot for attacks on visitors. Because the exploited plugins are widely deployed across Australian SMB websites the potential impact is broad. The advisory highlights that the vulnerabilities are being exploited without authentication, making any exposed site a target.

Although no threat actor group has been publicly attributed to the activity the ACSC says the campaign is ongoing and has been detected since mid‑July 2026. The speed of the operation appears to have been accelerated by the use of artificial intelligence tools that automate scanning and exploit delivery, as noted in another analysis. This trend mirrors other recent warnings about AI‑enhanced cyber operations targeting legacy web software.

The breadth of the issue is highlighted by the fact that many affected businesses lack dedicated security teams and rely on managed hosting providers that may not apply patches promptly. As a result the malicious webshells can remain undetected for extended periods, increasing the chance of data loss or reputational damage. The advisory stresses that timely mitigation is essential to prevent further compromise.

Defenders should start by ensuring that all core CMS files, themes and plugins are updated to the latest versions released by their vendors. Where automatic updates are not available administrators must manually check the plugin directories for known vulnerable versions and remove or replace them immediately. In addition, file upload directories should be hardened by disabling script execution and enforcing strict whitelists on allowed file types.

Monitoring access logs for unexpected POST requests to plugin endpoints and inspecting web‑shell artifacts such as unfamiliar PHP or ASPX files can help detect compromise early. Organisations are also advised to consider deploying a web application firewall that can block known exploit patterns and to restrict administrative interfaces to trusted IP addresses. Finally, any confirmed webshell should be removed, the affected server rebuilt from clean backups and all passwords rotated.

Intelligence briefing updated Jul 13, 2026

Root sourcewww.cyber.gov.au
Timeline Coverage

Swipe to explore timeline