10 Jul 2026
Week in review
Greetings,
The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) has issued a critical alert following a large-scale cyber campaign targeting vulnerabilities in website content management systems (CMS) across the globe, including Australia. Small and medium-sized businesses have been particularly affected, with attackers actively scanning websites for weaknesses in popular CMS platforms and plugins.
According to the ACSC, malicious actors are exploiting known vulnerabilities that enable unauthenticated file uploads, remote code execution and other forms of server compromise. Their primary objective is to deploy webshells, which are malicious scripts that provide remote access and control over web servers. Once installed, webshells can be used to deface websites, steal credentials and sensitive data, distribute additional malware, or provide a foothold for broader network compromise.
The campaign is exploiting vulnerabilities in a range of widely used CMS products and plugins, particularly within the WordPress ecosystem, as well as other platforms including Craft CMS, MaxSite CMS, MetInfo CMS and Joomla components. The ACSC noted that this activity highlights the growing cyber threat landscape, with advances in artificial intelligence contributing to faster identification and exploitation of newly disclosed vulnerabilities.
Website owners and administrators are being urged to inspect systems for signs of compromise, review logs for suspicious activity, isolate affected servers and restore websites from known-good backups where necessary. The ACSC also recommends prioritising patching, monitoring for unauthorised file creation and restricting file access to reduce the risk of webshell deployment. Organisations should ensure all website software and plugins remain up to date and consider additional controls to detect unusual processes and limit potential movement within corporate networks.
Max severity Adobe ColdFusion flaw now exploited in attacks
Date: 2026-07-06
Author: Bleeping Computer
[Please see AUSCERT Bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.7232/]
[AUSCERT has contacted affected members where applicable]
Attackers are now exploiting a maximum-severity Adobe ColdFusion vulnerability tracked as CVE-2026-48282, according to vulnerability intelligence company KEVIntel.
ColdFusion is a commercial web app development platform designed to help build and deploy enterprise-grade websites. The CVE-2026-48282 security flaw affects ColdFusion versions 2025.9, 2023.20, and earlier, and can be exploited by attackers without privileges to gain remote code execution on unpatched systems.
Critical Cursor AI Code Editor Flaws Could Lead to OS-Level Remote Code Execution
Date: 2026-07-03
Author: Security Week
Two critical vulnerabilities in the popular AI code editor Cursor could lead to remote code execution on the underlying operating system, Cato Networks reports.
The security defects are tracked as CVE-2026-50548 and CVE-2026-50549 (CVSS score of 9.8) and are referred to as DuneSlide, given that they lead to remote code execution (RCE) outside of the IDE’s sandbox.
According to Cato, the flaws abuse Cursor’s automatic terminal command execution inside the sandbox, which does not prompt the user for approval, and can be triggered when a victim prompts the IDE to ingest an attacker-controlled payload.
BeyondTrust warns of critical flaws in remote access software
Date: 2026-07-07
Author: Bleeping Computer
BeyondTrust warned customers to patch two critical security flaws in its Remote Support (RS) and Privileged Remote Access (PRA) software that could allow attackers to bypass authentication.
The first vulnerability, tracked as CVE-2026-40138, affects the company's RS remote desktop and assistance platform (versions 25.3.2 or earlier) and the PRA enterprise cybersecurity solution (versions 25.3.2 or earlier). This vulnerability stems from an improper authentication weakness in the authentication subsystem, and successful exploitation enables attackers without privileges to bypass access controls and access targeted appliances, including accounts with elevated privileges.
Critical Gitea Flaw Under Active Exploitation, Researchers Warn
Date: 2026-07-07
Author: Security Week
Threat actors are exploiting a vulnerability in Gitea’s reverse-proxy authentication mechanism to access internet-accessible instances by supplying only a valid username.
Specific to Gitea’s official Docker images, the critical-severity security defect is tracked as CVE-2026-20896 (CVSS score of 9.8) and can be exploited with a single HTTP header, Sysdig Sr. Director of Threat Research Michael Clark says.
The issue exists because, in Gitea Docker images before 1.26.3, the default settings allow connections from any source IP address instead of enforcing an allowlist, security researcher Ali Mustafa, who was credited for finding the bug, explains.
Suspected China-Aligned Hackers Exploit Roundcube Flaws Against Universities
Date: 2026-07-07
Author: The Hacker News
A suspected China-aligned threat activity cluster has been observed exploiting Roundcube webmail software belonging to physics and engineering departments of U.S. and Canadian universities as part of a new campaign.
The activity involves the exploitation of now-patched, critical security flaws in the open-source email solution, such as CVE-2024-42009 (CVSS score: 9.3), to siphon credentials, followed by either the deployment of a web shell for persistent access or a known post-exploitation tool called VShell.
ASB-2026.0125 – ALERT CMS and Plugins: CVSS (Max): 10.0*
ACSC has published a critical alert warning of a large-scale campaign actively exploiting vulnerabilities in multiple CMS platforms to compromise websites, urging organisations to patch affected systems and check for signs of compromise.
ESB-2026.7592 – IBM MQ container software: CVSS (Max): 10.0
IBM has released updates to fix multiple vulnerabilities affecting IBM MQ Operator and Queue manager container images. The update addresses security issues including Improper Privilege Management, Exposure of Sensitive Information to an Unauthorized Actor, and Improper Validation of Integrity Check Value in components such as OpenSSL, WebSphere Application Server Liberty, and Java SE.
ESB-2026.7596 – ALERT Palo Alto Prisma Browser: CVSS (Max): 9.6*
Palo Alto Networks has incorporated Chromium security fixes into its products. These fixes are included in Google’s Chrome 150 release, which addresses 433 security fixes, including 20 Critical vulnerabilities affecting components such as Browser, V8, ANGLE, Skia, Blink, and FileSystem.
ESB-2026.7647 – ALERT Juniper Networks CTPView: CVSS (Max): 10.0
Juniper Networks has released CTPView 9.3R2-3, addressing multiple vulnerabilities. Juniper SIRT is not aware of any malicious exploitation, and no workarounds are available.
ESB-2026.7681 – OpenPLC v3: CVSS (Max): 9.9
Successful exploitation of this vulnerability could allow an authenticated attacker to write arbitrary files to the filesystem. Through the standard OpenPLC program compilation process, this may be escalated to arbitrary native code execution, potentially resulting in code execution as the OpenPLC runtime user.
Stay safe, stay patched and have a good weekend!
The AUSCERT team