ASD Australian Cyber Security Centre alert

Incident Report for GovCMS

Resolved

We are aware of the recent ASD Australian Cyber Security Centre alert regarding a large-scale exploitation campaign targeting vulnerabilities in several content management systems and associated plugins.

The CVEs listed in the alert relate to WordPress plugins, Craft CMS, MaxSite CMS, MetInfo CMS and Joomla JCE. These technologies are not used as the content management system for GovCMS. GovCMS uses Drupal, and based on the information provided in the alert, the identified CVEs do not impact the Drupal CMS used with GovCMS.

While the specific vulnerabilities referenced in the communication do not apply to GovCMS Drupal, we recognise the broader cyber security risk highlighted by ASD’s ACSC. GovCMS continues to actively monitor the threat landscape and apply established security controls to protect customer websites.

Our robust Web Protection Service is actively managed to help mitigate new and emerging malicious cyber activity, including scanning, exploitation attempts and other threats targeting internet-facing websites. These protections are supported by ongoing monitoring, security review and operational response processes.

GovCMS also maintains well-established and mature security processes and procedures, which are actively managed and routinely reviewed. These processes support rapid assessment of security advisories, timely remediation where required, continuous improvement of platform controls, and alignment with ASD ACSC guidance for protecting websites.

In line with the immediate mitigation advice and additional protective steps outlined by ASD’s ACSC, GovCMS continues to apply security practices that include vulnerability management, monitoring for suspicious activity, restricting unnecessary access, reviewing platform controls, and maintaining operational processes to respond to emerging threats.

Customers do not need to take any specific action in relation to the CVEs listed in the ASD ACSC alert for the GovCMS Drupal platform. We will continue to monitor this activity and advise customers if any further information or action is required.

If you have any questions or concerns, please contact the GovCMS team through your usual support channel.
Posted Jul 10, 2026 - 09:32 AEST
This incident affected: GovCMS Projects (Individual websites).