Optiv’s gTIC Prioritized Software and Services List + MITRE ATT&CK Tactics Part VII: Content Management System Platforms

December 16, 2025

This article continues the Optiv Global Threat Intelligence Center’s (gTIC) Prioritized Software and Services List series. The list provides a high-level introduction to frequently exploited software, services, and protocols and the associated MITRE ATT&CK® Tactic mappings. The intent of researching, identifying, and prioritizing potentially high-risk products (based on attractiveness for, and frequency of, targeting by adversaries) is to supplement and support enterprise risk management, incident response preparedness, intelligence collection, and threat research. Follow-up reports will further detail the adversaries, vulnerabilities, techniques, and real-world incidents (where applicable) pertaining to many of the software and services outlined in the original blog post.


This seventh blog post in the series covers exploitation trends and vulnerabilities in popular content management system (CMS) platforms to support the gTIC’s inclusion of CMS providers on our Prioritized Software and Services List.


CMS Platforms and ATT&CK Technique Mapping

Optiv’s gTIC has identified and categorized CMS-hosted sites, platforms, and providers as key assets for business operations and targets of opportunity for compromise by adversaries. These platforms allow businesses to communicate with customers and facilitate marketing and financial transactions. Adversaries target these types of software and products for various actions and objectives, including data and credential Exfiltration, manipulating or destroying files and data for Impact, exploiting and taking over websites for Resource Development, and installing and hosting malware for Execution in drive-by attacks.


Popular CMS providers and developers include WordPress, Drupal, Joomla!, Adobe Commerce/Magento, and WooCommerce. The elevated risk profile for applicable organizations is based on the ubiquity of CMS-hosted sites and the severity and notoriety of known vulnerabilities and real-world compromises. Independent of the CMS provider or brand, if your organization owns or uses these products, prioritize security and hardening accordingly.


Reports and observations show that adversaries leverage CMS-hosted assets to navigate across eight Tactics mapped to the ATT&CK framework. Specific ATT&CK Techniques for each of the observed tactics include the following:


TA0042 – Resource Development

T1584 – Compromise Infrastructure: CMS-hosted sites are compromised by botnet herders and cryptocurrency mining operations to expand bot and mining operations; cybercriminals upload malware to insecure CMS-hosted sites for drive-by web attacks.


TA0001 – Initial Access

T1078 – Valid Accounts: CMS-hosted sites are known to be accessed and compromised via brute-forcing of previously stolen, weak, or default credentials.


TA0002 – Execution

T1203 – Exploitation for Client Execution: Plugins and extensions for CMS platforms are exploited by adversaries to enable various follow-on attacks, including code injection, credential harvesting, and access to data and files.


TA0004 – Privilege Escalation

T1068 – Exploitation for Privilege Escalation: Successful exploitation of CMS-hosted sites can allow adversaries elevated privileges and access, including administrator or owner-level access to read, write, or edit site settings, directories, or files.


TA0006 – Credential Access

T1212 – Exploitation for Credential Access: Successful login attempts by threat actors, whether through brute-forcing or purchasing from the dark web, can validate administrator credentials for use against other systems for additional post-exploitation activity; exploitation of vulnerabilities in CMS plugins and extensions can expose administrator credentials.


TA0009 – Collection

T1005 – Data from Local System: Access to CMS environments allows threat actors to read, write, or edit files and folders hosted on these sites.


TA0011 – Command and Control

T1071 – Application Layer Protocol: Malicious or compromised CMS sites are used to receive and send instructions and code to other infected systems or for botnet communications.
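As an added illustration of the Valid Accounts (T1078) and Credential Access (T1212) entries above, and not code from the original post: a small detector that flags brute-force login bursts against CMS login endpoints in web server access logs. The endpoint paths, the 60-second window, the 10-attempt threshold, and the sample log lines are assumptions constructed for this example.

```python
"""Flag brute-force bursts against CMS login endpoints in web server access logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed default login endpoints for WordPress, Joomla! and Drupal; adjust per site.
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php", "/administrator/index.php", "/user/login"}

# Common/combined log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)

def parse(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0], int(m["status"])

def detect(lines, window=timedelta(seconds=60), threshold=10):
    """Map source IP -> {"attempts": peak login POSTs within `window`,
    "redirect_after_burst": bool} for IPs that reach `threshold` inside the window.
    A 302 while the burst is still at or above threshold is noted because CMS logins
    typically redirect on success and re-render the form (200) on failure, so it hints
    that one of the guesses may have worked and the account should be reviewed."""
    events = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[2] == "POST" and rec[3] in LOGIN_PATHS:
            events[rec[0]].append((rec[1], rec[4]))
    hits = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end, (ts, status) in enumerate(evs):
            while ts - evs[start][0] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                hit = hits.setdefault(ip, {"attempts": 0, "redirect_after_burst": False})
                hit["attempts"] = max(hit["attempts"], count)
                if status == 302:
                    hit["redirect_after_burst"] = True
    return hits

# Constructed sample: one source hammers wp-login.php for 13 seconds and then gets a
# redirect; a second source logs in once and browses normally.
SAMPLE_LOG = [
    f'203.0.113.7 - - [16/Dec/2025:10:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 4123'
    for s in range(12)
] + [
    '203.0.113.7 - - [16/Dec/2025:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '198.51.100.4 - - [16/Dec/2025:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '198.51.100.4 - - [16/Dec/2025:10:00:06 +0000] "GET /wp-admin/ HTTP/1.1" 200 9012',
]

if __name__ == "__main__":
    for ip, hit in detect(SAMPLE_LOG).items():
        print(ip, hit)
```

Feeding real logs through `detect` and alerting on `redirect_after_burst` gives a cheap first signal for the credential-guessing activity the post describes; MFA and lockout policies remain the actual control.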


The following chart shows popular CMS platforms mapped to various ATT&CK Tactics. The chart also indicates associated threats, including malware, adversaries, and vulnerabilities, that pose risks to organizations running CMS platforms and software.



Figure 1: Threat Actors, Malware, and ATT&CK Tactics Associated With CMS-Hosted Sites and Platforms


Vulnerabilities and Threats

Cyber adversaries and researchers have demonstrated how CMS-hosted assets allow threat actors to accomplish numerous objectives, including establishing a foothold and resources for botnets and cryptocurrency mining; stealing valid credentials; uploading malicious code for malware delivery; and establishing compromised sites as Command and Control (C2) nodes for malware and ransomware deployment. Research and observed incidents of compromises involving CMS sites also validate Optiv gTIC’s long-standing assessment that threat actors will continue to exploit old vulnerabilities (i.e., vulnerabilities two or more years old) in popular software and services due to the continued demonstrable, proven exploit success over time.


Excluding zero-day vulnerabilities and exploits, the gTIC’s research shows that adversaries scan for and exploit vulnerabilities across multiple CMS sites as quickly as 24 hours after disclosure for platforms like WordPress and up to a maximum of 10 days for other platforms like vBulletin and Adobe Commerce. Prioritizing CMS-based assets within a fundamental asset inventory and defense-in-depth program is therefore time-sensitive for enterprises. Threats known to exploit or leverage CMS sites as part of their attack vectors include botnets and cryptocurrency miners like LuciferBot, Sysrv, Muhstik Botnet, XMRig, GootBot, CoinHive, and EnemyBot, and multiple malware and threat group operations, including ClearFake, Balada Injector, ShadowSilk, the Andariel APT group, and TeslaCrypt. This is Likely due to the ubiquity of CMS-hosted sites across enterprises, their internet-facing position, and the opportunity for data exfiltration and drive-by malware delivery, making critical vulnerabilities in these products a key target for Resource Development, Initial Access, Execution, Credential Access, Exfiltration, and Command and Control.


Improper security and authentication settings, like weak passwords or non-MFA-enabled access, contribute to threat actors’ ability to brute-force their way into login portals. The second common technique exercised against CMS sites is the exploitation of vulnerable and unsupported plugins and extensions. These plugins provide enhancements or features to CMS sites, such as fonts, timers, visit counts, and various other end-user experience enhancements. Individual or private developers create many plugins with no established maintenance, security, or communication processes. Once development is abandoned without formal notification, end users are exposed and at risk of exploitation from these end-of-life (EOL) plugins and extensions. 
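The exploitation windows and end-of-life plugin risk described above, as an added example that is not part of the original post: a patch-prioritization helper that applies the article’s observed windows (24 hours for WordPress, 10 days for other platforms) to a constructed asset inventory and flags plugins with no release in over a year. The inventory format, the one-year EOL threshold, and the sample sites and plugin names are assumptions.

```python
"""Rank CMS assets by time-to-exploit after disclosure and flag unmaintained plugins."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Observed scan-and-exploit windows after disclosure, from the article: WordPress
# within 24 hours, other platforms (vBulletin, Adobe Commerce) within 10 days.
EXPLOIT_WINDOW = {"wordpress": timedelta(days=1)}
DEFAULT_WINDOW = timedelta(days=10)
# Assumed threshold: a plugin with no release in a year is treated as abandoned.
EOL_AFTER = timedelta(days=365)

@dataclass
class Plugin:
    name: str
    installed: str            # version currently deployed
    latest: str               # newest version published by the developer
    last_release: date        # date of that newest release
    disclosed: Optional[date] = None  # public advisory date affecting `installed`

@dataclass
class Site:
    host: str
    platform: str
    plugins: List[Plugin] = field(default_factory=list)

def assess(site: Site, today: date):
    """Findings for one site as (deadline, host, plugin, reason) tuples."""
    window = EXPLOIT_WINDOW.get(site.platform.lower(), DEFAULT_WINDOW)
    findings = []
    for p in site.plugins:
        if p.disclosed is not None and p.installed != p.latest:
            deadline = p.disclosed + window
            reason = ("overdue: exploitation expected" if today > deadline
                      else "patch before exploit window closes")
            findings.append((deadline, site.host, p.name, reason))
        if today - p.last_release > EOL_AFTER:
            findings.append((today, site.host, p.name, "possibly abandoned (EOL) plugin"))
    return findings

def prioritize(sites, today):
    """Merge findings across sites, most urgent (earliest deadline) first."""
    findings = []
    for site in sites:
        findings.extend(assess(site, today))
    return sorted(findings)

# Constructed inventory for the example (hostnames and plugin names are made up).
TODAY = date(2025, 12, 16)
SITES = [
    Site("shop.example", "WordPress", [
        Plugin("contact-widget", "1.4", "1.5", date(2025, 12, 10), disclosed=date(2025, 12, 14)),
        Plugin("visit-counter", "0.9", "0.9", date(2023, 6, 1)),
    ]),
    Site("store.example", "Adobe Commerce", [
        Plugin("theme-fonts", "2.0", "2.1", date(2025, 12, 12), disclosed=date(2025, 12, 12)),
    ]),
]

if __name__ == "__main__":
    for deadline, host, plugin, reason in prioritize(SITES, TODAY):
        print(f"{deadline} {host:<14} {plugin:<15} {reason}")
```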


CMS-hosted assets are assessed with High Confidence to be extremely attractive targets of opportunity for compromise and exploitation due to the lack of centralized and established security measures or controls: many CMS sites are privately managed by individuals or small organizations that focus on content and user experience rather than security. This allows botnet herders and cryptocurrency mining campaigns to establish footholds on these sites to enable Resource Development and Impact techniques. Employees who maintain corporate assets and websites hosted on CMS platforms also expose their organizations to security risks through credential reuse across their CMS accounts, personal accounts, and/or corporate accounts. Compromised credentials captured by attackers from a CMS page can also be checked and used against corporate login portals or other sensitive systems.


One of the most infamous sets of CMS attacks and vulnerabilities pertained to a series of critical vulnerabilities in Drupal dubbed “Drupalgeddon.” This event covers three distinct sets of vulnerabilities that affected millions of websites running Drupal. Drupalgeddon, tracked as CVE-2014-3704, was a critical SQL injection vulnerability disclosed in October 2014. In March 2018, “Drupalgeddon 2” was tagged to another critical vulnerability, CVE-2018-7600, exposing millions of Drupal-based websites to Remote Code Execution (RCE) attacks. “Drupalgeddon 3” was the name given to another vulnerability disclosed in April 2018, CVE-2018-7602. Automated scans for these vulnerabilities for possible exploitation began within hours of disclosure. These vulnerabilities were leveraged by botnet and cryptocurrency mining campaigns and exploited by hacktivists to deface vulnerable websites.


There is limited reporting of state-sponsored threats targeting or leveraging CMS platforms as part of their attack patterns. Exceptions include the compromise and defacement of Ukrainian Government sites hosted on the October CMS platform (CVE-2021-32648) by Russia-backed cyberthreat groups in early 2022. The vulnerability also allowed attackers to gain access to, and control of, accounts by resetting credentials. It is Likely that this campaign gained notoriety primarily because it coincided with the early weeks of the Russian invasion of Ukraine, during which time higher-profile attacks involving destructive and wiper malware were utilized. 


Optiv’s gTIC emphasizes continued prioritization of patching and hardening efforts of CMS-hosted assets and credentials. Credential reuse is a common – and critical – security risk that can allow attackers access into multiple environments or assets. The reuse of credentials across both corporate internal accounts and CMS-hosted assets poses an operational security risk for organizations and users that manage CMS sites.


The graphics below illustrate the Optiv gTIC’s Threat Actor Metric™ calculated for selected cyberthreats known to exploit or target CMS-hosted sites as part of their attacks (see Appendix: References for an explanation of the Threat Actor Metric™). 



Figure 2: Threat Actor Metric Score for ShadowSilk © 2025 Optiv Security Inc. All Rights Reserved



Figure 3: gTIC Threat Actor Metric Score for Andariel APT © 2025 Optiv Security Inc. All Rights Reserved 


Appendix


References


MITRE ATT&CK® is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. More information about MITRE ATT&CK® can be found at attack.mitre.org. All information about MITRE ATT&CK belongs to The MITRE Corporation subject to the following copyright: © 2023 The MITRE Corporation. MITRE ATT&CK® is licensed under the Terms of Use located at https://attack.mitre.org/resources/terms-of-use/.


Optiv Threat Actor Metric™ – The Optiv Threat Actor Metric™ was developed by Optiv’s gTIC and is a multifaceted, qualitative approach to determine a cyber adversary’s or campaign’s potential threat to an organization or industry. The metric considers known and assessed non-technical capabilities and intentions and is scored out of a total possible of 100. The purpose of this metric is to provide an added layer of depth to risk-based intelligence analysis and support proactive and remediating recommendations by presenting a visualization of non-technical, qualitative risk factors of adversaries and threat campaigns. It is similar in function to the United States Department of Defense’s CARVER targeting scale.


Link charts and graphs in this report were created by Optiv’s gTIC leveraging the ThreatQuotient® Investigations platform.


In addition to Optiv’s own Enterprise Incident Management (EIM) team’s incident response engagements and analysis and other sensitive sources, the following references provided additional information for this blog post:


https://x.com/sansecio/status/1806707201215439270

https://wpscan.com/blog/new-malware-campaign-targets-wp-automatic-plugin/

https://patchstack.com/articles/critical-elementor-pro-vulnerability-exploited/

https://www.radware.com/security/ddos-threats-attacks/threat-advisories-attack-reports/anonplus-italia/

https://www.securityweek.com/hacked-drupal-sites-deliver-miners-rats-scams/

https://www.optiv.com/insights/discover/blog/cyber-operations-augmenting-russian-military-operations

https://unit42.paloaltonetworks.com/ukraine-cyber-conflict-cve-2021-32648-whispergate/


Assessments and Probability Statements

Throughout this report, Optiv’s gTIC supplemented the information reported with analytic assessments, comments, probability statements, and estimative intelligence/forecasting. These comments also aim to define the probability and effects of potential adversary Future Operations (FUOPS). Due to the qualitative and subjective nature of intelligence and risk assessments, an explanation of the various statements and methodologies is provided here.


Intelligence and Cyber Intelligence Frameworks

MITRE ATT&CK: The framework developed by the MITRE organization that illustrates technical, endpoint-based activity and behaviors of threats and adversaries. Activities and behaviors are organized into 14 Tactics, which are further broken down into Techniques. Techniques are the actions taken to achieve a Tactic, and procedures are the specific actions and behaviors an adversary uses to carry out a Technique.


Optiv Threat Actor Metric™: The Optiv Threat Actor Metric™, developed by Optiv’s gTIC, is a multifaceted, qualitative approach to determine a cyber adversary’s or campaign’s potential threat to an organization or industry. The metric considers known and assessed non-technical capabilities and intentions and is scored out of a total possible of 100. The purpose of this metric is to provide an added layer of depth to risk-based intelligence analysis and support proactive and remediating recommendations by presenting a visualization of non-technical, qualitative risk factors of adversaries and threat campaigns. It is similar in function to the U.S. DoD’s CARVER targeting scale.


5W+H: Information collected and analyzed is presented concisely, leveraging the reporting fundamentals of 5W+H (Who, What, Where, When, Why, How) where possible. A combination of multiple components of 5W+H supports relevant and timely information that will be interpreted and effectively analyzed into intelligence to support operations.


Analytical Comments, Statements, and Best Practices

Most Likely Course of Action (MLCOA) – The expected and probable tactics, techniques, and actions carried out by a threat actor. COA statements are well established and accepted in estimative and predictive intelligence assessments.


Most Dangerous Course of Action (MDCOA) – Tactics, techniques, or actions carried out or taken by an adversary that result in a worst-case scenario outcome or impact, regardless of probability. COA statements are well established and accepted in estimative and predictive intelligence assessments.


Words of Estimated Probability – Optiv’s gTIC employs both probability statements for the likelihood of events or actions and confidence levels for analytic assessments and judgments. Probability statements and confidence statements are inherently subjective; however, the gTIC leverages professional experience and intelligence fundamentals to deliver reasonable and relevant statements and assessments. Probability statements and the degree of likelihood of an assessed event/incident are modeled after Intelligence Community Directive (ICD) 203: Analytic Standards, published by the U.S. Office of the Director of National Intelligence (ODNI), and are as follows:


Almost No Chance (Remote): 01-05%
Very Unlikely (Highly Improbable): 05-20%
Unlikely (Improbable/Improbably): 20-45%
Roughly Even Chance (Roughly Even Odds): 45-55%
Likely (Probable/Probably): 55-80%
Very Likely (Highly Probable): 80-95%
Almost Certain(ly) (Nearly Certain): 95-99%


Confidence statements, as defined by the gTIC, apply to the reliability and relevance of information reported and are as follows:


High Confidence
Definition: Information and/or intelligence is assessed to be of high reliability and value to drive operations and decisions.
Factors: Established history, repeated observations and patterns, strong precedence to form professional assessment and prediction/extrapolation.
Quantitative relevance: 75%+

Moderate Confidence
Definition: Information and/or intelligence is reasonable and warrants consideration, action, or response where applicable.
Factors: Sporadic observations, limited historical references (too recent or too long of a gap to be considered “established”).
Quantitative relevance: 45-65% (+/- 10%)

Low Confidence
Definition: Information and/or intelligence is unreliable or less relevant and provided as situational awareness.
Factors: Lack of established history or observations, unreliable or circumstantial evidence.
Quantitative relevance: 35%


Per ICD 203 standards, confidence-level statements are not combined with probability and degree of likelihood terms proposed in the above chart.

Aamil Karimi has over 18 years of experience in the practice of intelligence analysis and reporting in the military (HUMINT and targeting) and the private sector in cybersecurity (threat and risk intelligence). His experience includes supporting incident response, threat research, serving as an architect for new intelligence services and products, spearheading CTI programs, and supporting CISO/enterprise security teams in building and expanding the threat intelligence capabilities for Fortune 500 companies and MSSPs. Prior to joining the cybersecurity field, Karimi spent six years in Afghanistan on active duty and civilian deployments supporting the U.S. Army, U.S. Air Force Office of Special Investigations, and U.S. Special Operations Command as a Principal Human Intelligence (HUMINT) Analyst and counterintelligence and targeting subject matter expert.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.