Second alert from ACSC in two months shows unpatched CMS bugs still exploited

By
Follow google news

WordPress plugins targeted.

The Australian Signals Directorate's Australian Cyber Security Centre (ACSC) has issued a second alert on content management systems in two months, warning that attackers are running a large-scale campaign exploiting already-patched vulnerabilities.

Second alert from ACSC in two months shows unpatched CMS bugs still exploited

The campaign involves 17 specific vulnerabilities affecting websites worldwide, including many operated by small- to medium-sized businesses in Australia.

Several WordPress plugins - Craft CMS, MaxSite CMS, MetInfo CMS and Joomla's JCE editor - are covered by the alert, with some of the underlying vulnerabilities dating back to 2024.

The latest alert follows an ACSC advisory issued in May about a ClickFix campaign in which compromised WordPress websites belonging to legitimate Australian businesses delivered the Vidar Stealer malware to visitors.

All 17 vulnerabilities listed by the ACSC have patches available, with some fixes having been released many months ago.

Among them is CVE-2025-32432 affecting Craft CMS, which was exploited as a zero-day for around two months before a patch was released in April 2025.

Other vulnerabilities mentioned in the alert affect the GutenKit and Hunk Companion WordPress plugins, both of which were patched in 2024 but continued to attract heavy exploitation attempts after fixes became available, security vendor Wordfence said.

ACSC advises administrators to look for indicators of compromise, including webshells that enable remote connections and other malicious scripts, to remove any attacker persistence, and then apply available security updates.

The agency also recommends disabling vulnerable components where patches cannot be applied immediately.

For organisations relying on managed hosting, the cybersecurity agency suggests they ask providers how monitoring for compromise and responding to active exploitation campaigns is done.

Add iTnews as your trusted source

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:

Most Read Articles

Microsoft device telemetry key to unmasking alleged Scattered Spider hacker

Microsoft device telemetry key to unmasking alleged Scattered Spider hacker

Bendigo Bank aims to have Australia's "first agentic SOC"

Bendigo Bank aims to have Australia's "first agentic SOC"

Services Australia describes fraud, debt-related machine learning use cases

Services Australia describes fraud, debt-related machine learning use cases

ASD to retire Essential Eight cyber security framework within next two years

ASD to retire Essential Eight cyber security framework within next two years

Log In

  |  Forgot your password?