Ethical Hacking News
Ghost CMS users have been warned: a previously patched vulnerability has been abused to push ClickFix attacks on hundreds of sites, including universities and well-known organizations. The attack highlights the importance of keeping software up-to-date and implementing robust security measures.
Hackers have exploited a previously patched vulnerability in Ghost CMS that allows them to read data from the database without logging in. The campaign has already affected over 700 sites, including well-known organizations and universities, using ClickFix attacks. The attackers used a five-stage chain to gain unauthorized access to the database and inject malicious JavaScript code into website pages. Security experts are urging site owners to update their software immediately, rotate credentials, review logs, and remove injected scripts. The Ghost CMS flaw abuse campaign highlights the importance of keeping software up-to-date and implementing robust security measures.
In a recent turn of events, hackers have successfully exploited a previously patched vulnerability in the popular content management system (CMS) Ghost. The flaw, designated as CVE-2026-26980, is an SQL injection issue that allows attackers to read data from the database without logging in. This vulnerability has been actively abused by threat actors to push ClickFix attacks on hundreds of sites, including well-known organizations and universities.
The campaign, which has already affected over 700 sites, is a prime example of how hackers can capitalize on previously patched vulnerabilities. The attackers, who are believed to be part of an in-the-wild attack group, have used the vulnerability to gain unauthorized access to the database and inject malicious JavaScript code into the website's pages.
According to Qianxin, the researchers behind the discovery, the campaign has five characteristic stages: "CMS Takeover," "Page Poisoning," "Two-stage Loading," "Social Engineering Lure (FakeCaptcha/ClickFix)," and "Malware Delivery." The entire process is highly automated, involving bulk vulnerability scanning, automatic key extraction, bulk injection, and dynamic C2 distribution.
The attackers have also been known to switch domains after detection, keeping the campaign alive even when part of the chain was blocked. This level of sophistication and persistence highlights the importance of keeping software up-to-date and implementing robust security measures.
Ghost CMS is widely used by bloggers, media outlets, and educational institutions, making it a prime target for hackers. The fact that some sites have been hit more than once, with one attacker replacing the code left by another, makes the campaign harder to clean up and shows how attractive compromised Ghost sites have become for abuse.
In light of this attack, security experts are urging site owners to update their software immediately, rotate all credentials, review site logs for suspicious admin API activity, and remove any injected scripts from the database itself. Visitors who may have reached a poisoned site should also be warned about the potential risks.
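As an added illustration of the "remove any injected scripts from the database" step (this is not code from the researchers' report or from the Ghost project), the sketch below audits a Ghost JSON export for script tags that load from hosts outside an allowlist and for inline scripts that need manual review. It assumes the export layout `db[0].data.posts` / `settings` and the fields `html`, `codeinjection_head` and `codeinjection_foot`; the allowlisted hosts and the sample export are constructed placeholders.

```python
import json, sys
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this site is expected to load scripts from.
ALLOWED_HOSTS = {"blog.example.edu", "cdn.jsdelivr.net"}
FIELDS = ("html", "codeinjection_head", "codeinjection_foot")

class ScriptFinder(HTMLParser):
    """Collects the src of every <script> tag (None means inline code)."""
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.srcs.append(dict(attrs).get("src"))

def scan(where, markup, findings):
    finder = ScriptFinder()
    finder.feed(markup or "")
    for src in finder.srcs:
        host = urlparse(src).hostname if src else None
        if src is None:
            findings.append((where, "inline-script", ""))
        elif host and host not in ALLOWED_HOSTS:  # relative URLs have no host
            findings.append((where, "external-script", host))

def audit_export(export):
    """Return (location, kind, host) for each script that needs review."""
    root = export["db"][0] if "db" in export else export
    findings = []
    for post in root["data"].get("posts", []):
        for field in FIELDS:
            scan(f"post:{post.get('slug')}:{field}", post.get(field), findings)
    for row in root["data"].get("settings", []):
        if row.get("key") in FIELDS[1:]:
            scan(f"setting:{row['key']}", row.get("value"), findings)
    return findings

# Constructed sample export, not data from the campaign.
SAMPLE = {"db": [{"data": {"posts": [
    {"slug": "welcome", "html": '<script src="https://cdn.jsdelivr.net/npm/x.js"></script>'},
    {"slug": "admissions", "html": '<script src="//static.unlisted-host.example/l.js"></script>'},
], "settings": [{"key": "codeinjection_foot", "value": "<script>var s=1;</script>"}]}}]}

if __name__ == "__main__":
    export = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for finding in audit_export(export):
        print(*finding, sep="\t")
```

Inline scripts are listed rather than judged, since legitimate analytics snippets also live in the code-injection settings; each one has to be compared against what the site owner actually configured.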
The report includes Indicators of Compromise (IoCs) for the attacks observed by the researchers, which can be used to help identify affected sites and prevent future attacks.
The Ghost CMS flaw abuse campaign is a stark reminder of the importance of keeping software up-to-date and implementing robust security measures. It also highlights the need for site owners to be vigilant in monitoring their website's activity and taking swift action to address any suspicious activity.
In conclusion, the Ghost CMS flaw abuse campaign is a significant threat to websites that use this popular CMS. By understanding the tactics used by hackers and taking proactive steps to secure our online presence, we can reduce the risk of falling victim to such attacks in the future.
Related Information:
https://www.ethicalhackingnews.com/articles/Ghosting-Behind-the-Veil-Uncovering-the-Ghost-CMS-Flaw-Abuse-Campaign-ehn.shtml
https://securityaffairs.com/192655/cyber-crime/ghost-cms-flaw-abused-to-push-clickfix-attacks-on-hundreds-of-sites.html
https://nvd.nist.gov/vuln/detail/CVE-2026-26980
https://www.cvedetails.com/cve/CVE-2026-26980/
Published: Mon May 25 14:16:14 2026 by llama3.2 3B Q4_K_M