Clarification and Inquiry Regarding Recent Security Advisory
Hi Guys and UNACMS Team
I hope you’re all doing well and thank you for the recent Security Advisory - Critical Vulnerability update. I truly appreciate the transparency and quick response from the UNA team in keeping the community secure.
While reviewing server activity, I noticed suspicious behavior consistent with webshell probing — specifically attempts targeting various PHP scripts that align with the structure of a known backdoor: https://github.com/Caesarovich/rome-webshell. The attacker appeared to test several likely file paths, many resulting in 404s.
This left me wondering:
- Was the recent advisory in any way related to or exploited using this tool (or similar webshells)?
- Would it be helpful for the UNA team if I reported the related GitHub repository as potentially harmful (given its distribution of an obfuscated, uploadable PHP webshell)?
I only ask to help in any way I can — both as a concerned site operator and supporter of your open-source mission. If there's a preferred process for threat reporting or sharing logs, I'm happy to follow it.
Thanks again for your tireless work. Looking forward to your insights!
Kind regards,
Chris
Alex T⚜️
There are a lot of bots on the Internet which are constantly checking websites for various known vulnerabilities; others also target SSH with some common passwords, WordPress websites for known vulnerabilities, and so on. You can often see such attempts in server logs. You are safe as long as you see they are just attempts and not a real hack attempt of a known vulnerability.
Generally you shouldn't worry if you are following common recommendations with general security practice (like using up-to-date software, using different and strong passwords, storing them in a safe place, using firewalls, using good antivirus software, etc.)
@Alex T⚜️ We Got Hacked. Here's What I Learned the Hard Way.
But I just want to say thank you for your input and advice first...
Truth is, we went through a nightmare recently. A hacker got into our system and made us feel like fools. We’d delete his PHP files from our public folder, thinking we’d cleared the threat… only to be hit again 5–10 minutes later — same Halloween-style defacement screen, again and again. It became a joke. A painful one.
We were running UNA 14.0.0-RC3, and honestly, it had served us well. It was stable and we never bothered upgrading. That was our first mistake. We got comfortable. Too comfortable. And when this attack hit, we realized just how exposed we were.
No antivirus or external scan fixed it. This wasn’t some basic malware. It was a real person — someone who knew how to move through open-source code and take advantage of lazy configurations or old habits.
I remember watching a movie years ago — about a rich tycoon with the best IT minds on his payroll. Yet his empire crumbled in seconds because his team used open-source code they didn’t bother to harden or secure. That story came back to me with a vengeance. Now I get it.
When we rely on something like UNA CMS — powerful as it is — we need to remember: we’re also part of the defense. The open nature of it means tech-savvy people (some with good intentions, some not) are always poking around. If we don’t do our part, the cracks show.
We shut down logins and registration to try and isolate the threat. That gave us time to track weird PHP files and watch our URL logs for anything odd. And yes, we found signs. Fingers pointing to a specific IP. Someone was having a field day — and we were the playground.
But here's what I want to say to others running a commercial UNA site:
- Have a backup server ready. Seriously. Something that can take over fast.
- Don’t wait on updates. Upgrade when the core team tells you it’s stable.
- Watch your logs like your life depends on it. Sometimes, it kind of does.
- Plan for worst-case scenarios. A site takedown can be more than embarrassing — it can shake the trust of your whole community.
Eventually, UNA 14.0.0 (stable) helped us get back on our feet. But it took effort, testing, and more pressure than I’d ever want to face again.
We love this platform. We believe in it. But we also learned: never let your guard down. You may not get a second chance to recover like we did.
To anyone out there — especially those who lead platforms like we do — don’t wait for the storm. Prepare now.
Stay safe. Stay sharp...
Regards
Chris
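As an added example (not code from this thread, from Chris, or from UNA), here is a small Python check for the two log patterns described in the posts above: one client producing 404s for many different .php paths (webshell probing), and a previously missing .php path that the same client later reaches successfully. The log lines, IP addresses and paths are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/Nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2025:10:01:02 +0000] "GET /a.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2025:10:01:03 +0000] "GET /storage/a.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2025:10:01:04 +0000] "GET /modules/b.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2025:10:01:05 +0000] "GET /cache/c.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2025:10:02:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2025:10:02:11 +0000] "GET /page.php?i=home HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2025:10:15:30 +0000] "POST /storage/a.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status code of a combined-format entry.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Parse one access-log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    ev["path"] = ev["path"].split("?", 1)[0]  # drop the query string
    return ev

def find_php_probing(log_text, min_distinct_404=3):
    """Return (probers, hits).
    probers: ip -> sorted distinct .php paths that returned 404 (at least min_distinct_404).
    hits: (ip, path) where the same client later got a non-error response for a .php path
          it had previously probed, i.e. a file that did not exist now answers."""
    missing = defaultdict(set)
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or not ev["path"].lower().endswith(".php"):
            continue
        if ev["status"] == 404:
            missing[ev["ip"]].add(ev["path"])
        elif ev["status"] < 400 and ev["path"] in missing.get(ev["ip"], ()):
            hits.append((ev["ip"], ev["path"]))
    probers = {ip: sorted(p) for ip, p in missing.items() if len(p) >= min_distinct_404}
    return probers, hits

if __name__ == "__main__":
    print(find_php_probing(SAMPLE_LOG))
```

A probe-then-hit pair is the stronger signal: the 404 burst alone is the background noise Alex describes, but a path that was missing and later answers 200 to the same client deserves an immediate look at the file on disk.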
It looks like you were hacked because of this vulnerability - https://unacms.com/p/security-advisory-critical-vulnerability
It's better to restore the site from a backup made before your site was hacked, since cleaning it up is a very tedious task and you can't always be sure that you cleaned up everything.
Hey @Alex T⚜️, it was a business decision, one can say, because the damage done was only to script files, and sometimes the tedious work has to be done considering other factors.