Your CMS Shouldn't Become Your Biggest Security Risk

The Australian Cyber Security Centre (ACSC) has issued a formal advisory: a large-scale exploitation campaign is actively targeting website content management systems (CMS) globally, and Australian businesses, including small and medium-sized organisations, are already confirmed as victims.

This is not a forecast or a theoretical risk assessment. The campaign is active. Attackers are scanning websites right now, hunting for known vulnerabilities in CMS software and plugins. When they find one, they deploy a webshell persistent, hidden code that gives them ongoing remote access and control of the web server.

 If your organisation runs a public-facing website, this advisory is relevant to you.

What the ACSC advisory says

According to the advisory, malicious actors are conducting systematic, automated scans of websites worldwide, targeting known vulnerabilities in CMS platforms and their associated plugins. The attack methods documented include:

  • Unauthenticated file upload vulnerabilities
  • Remote code execution exploits
  • Server-side request forgery (SSRF)
  • Deserialisation vulnerabilities

Once a vulnerability is identified and exploited, attackers deploy webshells malicious scripts embedded directly in the web server. From there, the consequences can extend well beyond the website: data exfiltration, lateral movement into internal systems, ransomware staging, or access sold on criminal marketplaces.

The ACSC advisory is publicly available and worth reading in full: Large-scale exploitation campaign targeting CMS.

This affects every CMS platform

The advisory is not platform-specific. Whether you're running WordPress, Umbraco, Sitefinity, Drupal, Kentico, or any other CMS, the fundamental message is the same: unsupported, unpatched software increases your security risk.

Attackers aren't targeting particular brands. They're scanning for known, unpatched vulnerabilities the kind that accumulate when software isn't updated, when plugins are left on old versions, or when a CMS platform has reached the end of its vendor support lifecycle.

The platform matters less than the maintenance discipline, and whether your CMS vendor is still shipping security fixes.

The compounding problem with end-of-life software

Most CMS platforms have a support lifecycle: a period during which the vendor actively ships security patches, fixes known vulnerabilities, and responds to newly discovered CVEs. When a platform reaches end of life (EOL), that support stops.

Running EOL CMS software creates a specific and growing risk:

  • Vulnerabilities discovered after the EOL date have no vendor fix available
  • Your internal IT team cannot patch what the vendor no longer patches
  • The attack surface doesn't stay static, it expands as new vulnerabilities are found and publicised
  • Attackers actively target EOL software precisely because the unpatched vulnerability inventory is known and growing

This is the risk class the ACSC advisory describes. And it's why EOL platform users should treat this advisory as a prompt not just to audit their current patching status, but to understand whether they're building on a foundation that will continue to receive security support.

What's next?

The ACSC's core recommendation is to keep CMS software and plugins patched and up to date. That's the right starting point. Beyond that, the advisory also recommends:

  • Configuring web directories as read-only to prevent webshell deployment
  • Inspecting your CMS for signs of webshell installation
  • Reviewing web access logs for suspicious activity and indicators of compromise

We've put together a short practical checklist below that covers the essentials. It takes about ten minutes to work through and gives you a clear picture of where your exposure sits.

The longer-term question

The ACSC advisory is a moment to audit, but it's also a useful prompt for a longer-term question: is your current CMS platform one you can rely on for security support over the next three to five years?

The shift happening in the market is meaningful here. Platforms that have moved to an evergreen model continuous, automatic security updates rather than periodic major versions structurally reduce the risk class this advisory describes. There are no gaps between versions. There's no EOL date creating a cliff edge. Security is ongoing, not episodic.

That's not a reason to change platform based on one advisory. But it is worth factoring into any platform review you're conducting this year. 

Free CMS Security Checklist

We've put together a practical seven-point checklist for any organisation that wants to quickly assess their CMS security posture. It covers the basics the ACSC advisory recommends, plus a few additional questions worth asking of your web team or digital agency.

Download the CMS Security Checklist

If you have questions about your organisation's specific situation, or want to understand what a platform review looks like in practice, our team is happy to have that conversation. No deck. No obligation.

Get in touch with Dapth

Authors
Phil Allen
Founder & Chief Strategist
Dapth Marketing
Brand & Growth Team
Get in touch

We transform

Discover More insights.

One thing we won't apologise for? Our passion for the digital world.