Back to Intelligence

ACSC Alert: Global Campaign Exploiting Vulnerable CMS Platforms – Detection and Hardening

SA
Security Arsenal Team
July 11, 2026
5 min read

The Australian Cyber Security Centre (ACSC) has issued a high-priority alert regarding a global, automated campaign aggressively targeting vulnerable Content Management Systems (CMS) and associated plugins. This is not a theoretical risk; active scanning and exploitation attempts are being observed against unpatched internet-facing web servers.

For defenders, this means the window between patch release and weaponization has effectively closed for many common plugins. The primary objective of these campaigns is the deployment of webshells, providing attackers with persistent backdoors for data exfiltration, SEO poisoning, or lateral movement into the internal network. If you manage WordPress, Joomla, Drupal, or similar platforms, immediate action is required to identify compromise and harden your web perimeter.

Technical Analysis

Affected Products & Platforms: The campaign targets widely used CMS platforms, specifically:

  • WordPress (Core and third-party plugins)
  • Joomla!
  • Drupal
  • Other PHP-based CMS installations exposed to the public internet.

Vulnerability & Attack Chain: While the campaign attempts to exploit various vulnerabilities, the common denominator is the exploitation of unpatched plugins or misconfigurations. The attack chain typically follows this pattern:

  1. Reconnaissance: Automated scanners probe web servers for specific CMS fingerprints and plugin versions.
  2. Exploitation: The attacker leverages known Remote Code Execution (RCE) or File Upload vulnerabilities in vulnerable plugins to bypass authentication or upload malicious files.
  3. Webshell Deployment: Upon successful exploitation, a PHP-based webshell is written to the web directory (often disguised as a legitimate image or system file).
  4. Persistence & C2: The attacker interacts with the webshell via HTTP/HTTPS POST requests to execute system commands, maintaining persistence even if the initial vulnerability is patched.

Exploitation Status:

  • Confirmed Active Exploitation: The ACSC has confirmed this activity is occurring in the wild globally.
  • Severity: High. Successful compromise leads to full server control.

Detection & Response

SIGMA Rules

YAML
---
title: Web Server Process Spawning System Shell
id: 85c345b1-2b3a-4c1e-9e5f-6d7f8a9b0c1d
status: experimental
description: Detects web server processes spawning cmd, powershell, or bash shells, indicating potential webshell activity.
references:
  - https://www.acsc.gov.au/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.t1059
  - attack.initial_access
  - attack.t1190
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|contains:
      - '\apache\'
      - '\nginx\'
      - '\php-cgi.exe'
      - '\php.exe'
      - '\w3wp.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  condition: selection
falsepositives:
  - Legitimate administrative scripts (rare)
level: high
---
title: Linux Web Server Spawning Shell via HTTPD
id: 9d4e1f2a-3b5c-4d6e-8f9a-1b2c3d4e5f6g
status: experimental
description: Detects web server processes (httpd, nginx) spawning bash/sh on Linux endpoints.
references:
  - https://www.acsc.gov.au/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.t1059.004
  - attack.initial_access
  - attack.t1190
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    ParentImage|contains:
      - '/apache2'
      - '/httpd'
      - '/nginx'
      - '/php-fpm'
    Image|endswith:
      - '/bash'
      - '/sh'
      - '/zsh'
  condition: selection
falsepositives:
  - Legitimate administrative scripts
level: high

Microsoft Sentinel KQL (Kusto Query Language)

KQL — Microsoft Sentinel / Defender
// Hunt for suspicious process creation by web services
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in ("httpd.exe", "nginx.exe", "php-cgi.exe", "php.exe", "w3wp.exe", "httpd", "nginx", "php-fpm")
| where ProcessFileName in ("cmd.exe", "powershell.exe", "pwsh.exe", "bash", "sh", "zsh")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, ProcessFileName, ProcessCommandLine
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for recently modified PHP files in webroots (Webshell IOC hunt)
SELECT FullPath, Mtime, Size, Mode
FROM glob(globs="/var/www/html/**/*.php")
WHERE Mtime > now() - 7d
  AND Size < 5000
-- Option: Chain with a grep for common webshell strings if performance allows
-- | WHERE grep(File=FullPath, pattern="(eval\(|base64_decode|system\(\$_GET|assert\()")

Remediation Script (Bash)

Bash / Shell
#!/bin/bash
# CMS Hardening and Basic Webshell Hunt for Linux
# Run as root or with sudo privileges

WEB_ROOT="/var/www/html"
LOG_FILE="/var/log/cms_hardening_$(date +%Y%m%d).log"

echo "[+] Starting CMS Hardening and Hunt - $(date)" | tee -a "$LOG_FILE"

# 1. Check for common webshell signatures in PHP files
echo "[*] Scanning for common webshell signatures in $WEB_ROOT..." | tee -a "$LOG_FILE"
grep -RlE "(eval\(\$_|base64_decode\(\$_|system\(\$_REQUEST|assert\(\$_POST|passthru\(\$_GET)" "$WEB_ROOT" 2>/dev/null | tee -a "$LOG_FILE"

# 2. Find PHP files modified in the last 24 hours
echo "[*] Listing PHP files modified in the last 24 hours..." | tee -a "$LOG_FILE"
find "$WEB_ROOT" -type f -name "*.php" -mtime -1 -ls | tee -a "$LOG_FILE"

# 3. Ensure permissions are locked down (No execute on uploads, strict ownership)
echo "[*] Auditing file permissions..." | tee -a "$LOG_FILE"
# Find directories with 777 permissions
find "$WEB_ROOT" -type d -perm 777 | tee -a "$LOG_FILE"
# Find PHP files owned by www-data (should rarely be written by the web user)
find "$WEB_ROOT" -type f -name "*.php" -user www-data -ls | tee -a "$LOG_FILE"

echo "[+] Hardening check complete. Review $LOG_FILE."

Remediation

To neutralize this threat and prevent recurrence, implement the following steps immediately:

  1. Patch and Update: Inventory all CMS instances and update Core installations and all plugins to the latest versions immediately. Pay special attention to plugins identified as vulnerable in the ACSC alert.

  2. Remove Unused Components: Delete any plugins or themes that are not actively used. Vulnerabilities in dormant code remain a viable attack vector.

  3. Web Application Firewall (WAF): Ensure your WAF is enabled and tuned to block common CMS exploit attempts and directory traversal attacks.

  4. File Integrity Monitoring (FIM): Enable FIM on web directories to alert on any new or modified PHP, ASP, or JSP files.

  5. Restrict File Uploads: Configure the web server to prevent execution of scripts from upload directories (e.g., /uploads, /images). Use .htaccess or nginx.conf rules to deny PHP execution in these paths.

Official Advisory: Refer to the ACSC Advisory for specific IOCs and plugin names associated with this campaign.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub

mdrthreat-huntingendpoint-detectionsecurity-monitoringacsccms-securitywebshellincident-response

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.