WP-SHELLSTORM Exposed: Hackers Backdoored Thousands of WordPress Websites Cybersecurity
Key Facts
- Treat the Joomla JCE flaw (CVE-2026-48907, fixed in 2.9.99.5) as urgent too, since it is a maximum-severity and on CISA's actively-exploited list, even though it barely landed in this campaign.
- - WordPress and Joomla, first: patch Breeze (CVE-2026-3844, fixed in 2.4.5) if the non-default "Host Files Locally – Gravatars" setting is on; it produced the most backdoors here.
- According to SOCRadar, the group targeted vulnerable Nacos configuration servers using CVE-2021-29441, allowing attackers to bypass authentication and steal configuration data from organizations.
- Key trends: June 2026 - In June 2026, StrikeShark exploited public-facing applications to deploy SharkLoader and deliver Cobalt Strike; Lazarus exploited CVE-2025-55182 to deploy COPPERHEDGE; APT36 exploited Microsoft vulnerabilities in operations targeting India; a C0XMO botnet propagated through DD-WRT routers; EKZ information-stealing malware was delivered through FortiClient EMS exploitation; and Qilin ransomware was associated with a vulnerability affecting Check Point gateways.
- Microsoft-related exploitation appeared in both endpoint and document-processing contexts: APT36 exploited CVE-2026-21509 (affecting Microsoft 365 Apps for Enterprise and Office 2016) and CVE-2026-21513 (affecting Windows client and server versions) in operations targeting India.
- Score ✓ (available to Recorded Future Customers) ✓ (available to Recorded Future Customers) ✓ (available to Recorded Future Customers) Table 1: List of vulnerabilities that were actively exploited in June, 2026 based on Recorded Future data (excluding honeypot-sourced CVEs).
- CVE-2021-27137, affecting DD-WRT firmware, was linked to a C0XMO botnet campaign across Linux architectures, while Qilin Ransomware was associated with CVE-2026-50751 affecting Checkpoint Security Gateway and Spark Firewalls.
- Insikt Group created Nuclei templates to detect two of the vulnerabilities featured in this month’s report: CVE-2026-35616 affecting Fortinet FortiClient EMS and CVE-2026-25939 affecting Frangoteam FUXA.
- Both reports list Simple File List under CVE-2025-34085, a now-rejected duplicate; the valid ID is CVE-2020-36847.
- - 25 of the 60 vulnerabilities enabled remote code execution (RCE), affecting products from 18 vendors: Meta, WinRAR, Ivanti, Google, PTC, Cisco, Ubiquiti, Fortinet, Microsoft, BerriAI, Android, WPEverest, Veeam, Mirasvit, Apache, Hikvision, F5, and GeoServer.
Treat the Joomla JCE flaw (CVE-2026-48907, fixed in 2.9.99.5) as urgent too, since it is a maximum-severity and on CISA’s actively-exploited list, even though it barely landed in this campaign. The issue is tracked as CVE-2026-35616, CVE-2026-25939, CVE-2025-55182. - WordPress and Joomla, first: patch Breeze (CVE-2026-3844, fixed in 2.4.5) if the non-default “Host Files Locally, Gravatars” setting is on; it produced the most backdoors here.
TL;DR
- According to SOCRadar, the group targeted vulnerable Nacos configuration servers using CVE-2021-29441, allowing attackers to bypass authentication and steal configuration data from organizations.
- Key trends: June 2026 - In June 2026, StrikeShark exploited public-facing applications to deploy SharkLoader and deliver Cobalt Strike; Lazarus exploited CVE-2025-55182 to deploy COPPERHEDGE; APT36 exploited Microsoft vulnerabilities in operations targeting India; a C0XMO botnet propagated through DD-WRT routers; EKZ information-stealing malware was delivered through FortiClient EMS exploitation; and Qilin ransomware was associated with a vulnerability affecting Check Point gateways.
- Microsoft-related exploitation appeared in both endpoint and document-processing contexts: APT36 exploited CVE-2026-21509 (affecting Microsoft 365 Apps for Enterprise and Office 2016) and CVE-2026-21513 (affecting Windows client and server versions) in operations targeting India.
Independent reporting: This account is corroborated by 2 independent sources, including primary advisories where available.
Context of the Unknown Incident
Score ✓ (available to Recorded Future Customers) ✓ (available to Recorded Future Customers) ✓ (available to Recorded Future Customers) Table 1: List of vulnerabilities that were actively exploited in June, 2026 based on Recorded Future data (excluding honeypot-sourced CVEs).
Further details indicate that cVE-2021-27137, affecting DD-WRT firmware, was linked to a C0XMO botnet campaign across Linux architectures, while Qilin Ransomware was associated with CVE-2026-50751 affecting Checkpoint Security Gateway and Spark Firewalls.
Insikt Group created Nuclei templates to detect two of the vulnerabilities featured in this month’s report: CVE-2026-35616 affecting Fortinet FortiClient EMS and CVE-2026-25939 affecting Frangoteam FUXA.
Both reports list Simple File List under CVE-2025-34085, a now-rejected duplicate; the valid ID is CVE-2020-36847.
“Host Files Locally, Gravatars”, Spokesperson
Technical Details
CVEs:
From a technical standpoint, the vulnerability presents several concerns:
- 25 of the 60 vulnerabilities enabled remote code execution (RCE), affecting products from 18 vendors: Meta, WinRAR, Ivanti, Google, PTC, Cisco, Ubiquiti, Fortinet, Microsoft, BerriAI, Android, WPEverest, Veeam, Mirasvit, Apache, Hikvision, F5, and GeoServer.
Impact
The 60 vulnerabilities in this report affected products from 36 vendors, with Microsoft accounting for approximately 18% of the vulnerabilities. The remaining exposure was concentrated across a range of enterprise software, security products, network infrastructure, developer tooling, and cloud platform vendors. - 25 of the 60 vulnerabilities enabled remote code execution (RCE), affecting products from 18 vendors: Meta, WinRAR, Ivanti, Google, PTC, Cisco, Ubiquiti, Fortinet, Microsoft, BerriAI, Android, WPEverest, Veeam, Mirasvit, Apache, Hikvision, F5, and GeoServer.
Timeline
| Date | Event | |, , |, , -| | 2026 | June 2026 CVE Landscape In June 2026, Insikt Group® identified 60 high-impact vulnerabilities that should be prioriti… | | 2026 | Quick reference: June 2026 Vulnerability Table All 57 vulnerabilities below were actively exploited in June 2026. | | 2026 | Score ✓ (available to Recorded Future Customers) ✓ (available to Recorded Future Customers) ✓ (available to Recorded … | | 2026 | Key trends: June 2026 - In June 2026, StrikeShark exploited public-facing applications to deploy SharkLoader and deli… | | 2025 | React Server Components was also linked to targeted malware delivery outside the broader StrikeShark set: Lazarus Gro… | | 2026 | Microsoft-related exploitation appeared in both endpoint and document-processing contexts: APT36 exploited CVE-2026-2… |
What To Do Now
-
React Server Components was also linked to targeted malware delivery outside the broader StrikeShark set: Lazarus Group exploited CVE-2025-55182 to deploy COPPERHEDGE against financial and blockchain-related organizations.
-
Easily understand the risk of exploitation alongside severity, and real-time contextualized intelligence to help you quickly make confident decisions, patch what matters, and prevent attacks.
-
Attack Surface Intelligence provides an outside-in view of your organization to help you actively discover, prioritize, and respond to unknown, vulnerable, or misconfigured assets.
-
Their mission is to produce intelligence that reduces risk for customers, enables tangible outcomes, and prevents business disruption.
-
Wordfence tracked tens of thousands of blocked attacks against the Everest Forms Pro flaw (CVE-2026-3300) this spring, and the Joomla JCE bug (CVE-2026-48907) is a maximum-severity flaw CISA has added to its Known Exploited Vulnerabilities list.
-
- WordPress and Joomla, first: patch Breeze (CVE-2026-3844, fixed in 2.4.5) if the non-default “Host Files Locally, Gravatars” setting is on; it produced the most backdoors here.
Analysis
This disclosure adds to a growing pattern of critical vulnerabilities affecting enterprise infrastructure.
Sources
- https://nvd.nist.gov/vuln/detail/CVE-2026-35616
- https://nvd.nist.gov/vuln/detail/CVE-2026-25939
- https://nvd.nist.gov/vuln/detail/CVE-2025-55182
- https://nvd.nist.gov/vuln/detail/CVE-2021-26855
- https://nvd.nist.gov/vuln/detail/CVE-2022-41082
- https://nvd.nist.gov/vuln/detail/CVE-2021-36260
- https://nvd.nist.gov/vuln/detail/CVE-2022-40684
- https://nvd.nist.gov/vuln/detail/CVE-2024-21762
- https://nvd.nist.gov/vuln/detail/CVE-2023-20198
- https://nvd.nist.gov/vuln/detail/CVE-2016-4437
- https://nvd.nist.gov/vuln/detail/CVE-2021-27076
- https://nvd.nist.gov/vuln/detail/CVE-2022-27925
Sources & References
- CVE-2026-35616 — NIST National Vulnerability Database entry. https://nvd.nist.gov/vuln/detail/CVE-2026-35616
- CVE-2026-25939 — NIST National Vulnerability Database entry. https://nvd.nist.gov/vuln/detail/CVE-2026-25939
- CVE-2025-55182 — NIST National Vulnerability Database entry. https://nvd.nist.gov/vuln/detail/CVE-2025-55182
- CVE-2021-26855 — NIST National Vulnerability Database entry. https://nvd.nist.gov/vuln/detail/CVE-2021-26855
- CVE-2022-41082 — NIST National Vulnerability Database entry. https://nvd.nist.gov/vuln/detail/CVE-2022-41082
- CVE-2021-36260 — NIST National Vulnerability Database entry. https://nvd.nist.gov/vuln/detail/CVE-2021-36260
- CVE-2022-40684 — NIST National Vulnerability Database entry. https://nvd.nist.gov/vuln/detail/CVE-2022-40684
- CVE-2024-21762 — NIST National Vulnerability Database entry. https://nvd.nist.gov/vuln/detail/CVE-2024-21762
- CVE-2023-20198 — NIST National Vulnerability Database entry. https://nvd.nist.gov/vuln/detail/CVE-2023-20198
- CVE-2016-4437 — NIST National Vulnerability Database entry. https://nvd.nist.gov/vuln/detail/CVE-2016-4437
- CVE-2021-27076 — NIST National Vulnerability Database entry. https://nvd.nist.gov/vuln/detail/CVE-2021-27076
- CVE-2022-27925 — NIST National Vulnerability Database entry. https://nvd.nist.gov/vuln/detail/CVE-2022-27925
- CVE-2023-32315 — NIST National Vulnerability Database entry. https://nvd.nist.gov/vuln/detail/CVE-2023-32315
- CVE-2023-46747 — NIST National Vulnerability Database entry. https://nvd.nist.gov/vuln/detail/CVE-2023-46747
- CVE-2024-36401 — NIST National Vulnerability Database entry. https://nvd.nist.gov/vuln/detail/CVE-2024-36401
- CVE-2026-21509 — NIST National Vulnerability Database entry. https://nvd.nist.gov/vuln/detail/CVE-2026-21509
- CVE-2026-21513 — NIST National Vulnerability Database entry. https://nvd.nist.gov/vuln/detail/CVE-2026-21513
- CVE-2021-27137 — NIST National Vulnerability Database entry. https://nvd.nist.gov/vuln/detail/CVE-2021-27137
- CVE-2026-3844 — NIST National Vulnerability Database entry. https://nvd.nist.gov/vuln/detail/CVE-2026-3844
- CVE-2021-29441 — NIST National Vulnerability Database entry. https://nvd.nist.gov/vuln/detail/CVE-2021-29441
- CVE-2026-48907 — NIST National Vulnerability Database entry. https://nvd.nist.gov/vuln/detail/CVE-2026-48907
- CVE-2026-35616 — Microsoft advisory. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35616
- CVE-2026-25939 — Microsoft advisory. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-25939
- CVE-2025-55182 — Microsoft advisory. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55182
- CVE-2021-26855 — Microsoft advisory. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855
- CVE-2022-41082 — Microsoft advisory. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41082
- CVE-2021-36260 — Microsoft advisory. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36260
- CVE-2022-40684 — Microsoft advisory. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-40684
- CVE-2024-21762 — Microsoft advisory. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21762
- CVE-2023-20198 — Microsoft advisory. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-20198
- CVE-2016-4437 — Microsoft advisory. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2016-4437
- CVE-2021-27076 — Microsoft advisory. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27076
- CVE-2022-27925 — Microsoft advisory. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-27925
- CVE-2023-32315 — Microsoft advisory. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32315
- CVE-2023-46747 — Microsoft advisory. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-46747
- CVE-2024-36401 — Microsoft advisory. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-36401
- CVE-2026-21509 — Microsoft advisory. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509
- CVE-2026-21513 — Microsoft advisory. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21513
- CVE-2021-27137 — Microsoft advisory. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27137
- CVE-2026-3844 — Microsoft advisory. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-3844
- CVE-2021-29441 — Microsoft advisory. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-29441
- CVE-2026-48907 — Microsoft advisory. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48907
- CVE-2026-35616 — National Vulnerability Database
- CVE-2026-25939 — National Vulnerability Database
- CVE-2025-55182 — National Vulnerability Database
- CVE-2021-26855 — National Vulnerability Database
- CVE-2022-41082 — National Vulnerability Database
- CVE-2021-36260 — National Vulnerability Database
- CVE-2022-40684 — National Vulnerability Database
- CVE-2024-21762 — National Vulnerability Database
- CVE-2023-20198 — National Vulnerability Database
- CVE-2016-4437 — National Vulnerability Database
- CVE-2021-27076 — National Vulnerability Database
- CVE-2022-27925 — National Vulnerability Database
- CVE-2023-32315 — National Vulnerability Database
- CVE-2023-46747 — National Vulnerability Database
- CVE-2024-36401 — National Vulnerability Database
- CVE-2026-21509 — National Vulnerability Database
- CVE-2026-21513 — National Vulnerability Database
- CVE-2021-27137 — National Vulnerability Database
- CVE-2026-3844 — National Vulnerability Database
- CVE-2021-29441 — National Vulnerability Database
- CVE-2026-48907 — National Vulnerability Database
SecurityXP delivers daily cybersecurity news, vulnerability analysis, data breach reports, and threat intelligence.
Security Digest
Get the latest cybersecurity news, vulnerability alerts, and threat intelligence delivered to your inbox.
Related Articles
Rapid7: PAN-OS GlobalProtect Bypass Exploited
Attackers are actively exploiting a high-severity authentication bypass vulnerability in Palo Alto Networks GlobalProtect portals and gateways, allowing remote attackers to establish unauthorized VPN access to corporate networks.
TechnologyProgress Urges ShareFile Admins to Shut Down Servers Over Credible Security Threat Cybersecurity
In April 2026, watchTowr Labs disclosed two chainable vulnerabilities in Storage Zone Controller: CVE-2026-2699, an authentication bypass with a CVSS score...
Technology7-Eleven Data Breach: 185,000 People Exposed
The ShinyHunters extortion gang claimed responsibility, leaked a 9.4GB archive of stolen data, and is now selling it on underground forums after the company refused to pay a ransom.
TechnologyOusaban Banking Trojan Targets Iberian Bank Users with Fake PDF Lures Malware
This malware employs sophisticated techniques to evade detection and steal banking credentials, The Hacker News reports.The Ousaban campaign begins with a phishing PDF disguised as a corrupted file, p...