

Ethical Hacking News

The Ghost CMS SQL Injection Flaw: A Large-Scale ClickFix Campaign



In a significant security incident, Ghost CMS has been targeted by a large-scale ClickFix campaign exploiting a critical SQL injection vulnerability. Over 700 domains were affected, including several prominent institutions and well-known websites. The attackers used this exploit to inject malware into articles, targeting users through fake prompts. A fix for the issue was released on February 19, but many sites failed to apply it in time.

  • Ghost CMS versions 3.24.0 through 6.19.0 have a critical SQL injection vulnerability (CVE-2026-26980) that allows unauthenticated attackers to read arbitrary data from the website's database.
  • The attack chain consists of stealing admin API keys, injecting malicious JavaScript into articles, and deploying malware payloads.
  • Website administrators are advised to upgrade to version 6.19.1 or later, rotate all previously used keys, and review infected websites for injected scripts.
  • Maintaining a 30-day record of admin API call logs can aid in retrospective investigations and improve website security.



    Researchers at XLab, the threat intelligence team of Chinese cybersecurity company Qianxin, have revealed that a critical SQL injection vulnerability (CVE-2026-26980) in the popular content management system (CMS) Ghost CMS was exploited on a large scale in a campaign dubbed ClickFix. The attack, which targeted over 700 domains including those of prominent institutions and well-known sites such as Harvard University, Oxford University, Auburn University, and DuckDuckGo, highlights the need for website administrators to prioritize timely software updates and robust security measures.

    CVE-2026-26980 affects Ghost CMS versions 3.24.0 through 6.19.0 and allows unauthenticated attackers to read arbitrary data from the website's database, including admin API keys. These keys hold significant power, as they grant management access to users, articles, and themes, which an attacker can use to modify article pages.

    Despite the release of a fix for the issue on February 19 in Ghost CMS version 6.19.1, many sites failed to install the security update. This has led XLab researchers to warn website administrators about the severity of this vulnerability and the importance of taking proactive measures to protect their websites from such attacks.

    The attack chain observed by XLab's researchers begins with exploiting CVE-2026-26980 to steal admin API keys, which are then used to inject malicious JavaScript into articles. This JavaScript is a lightweight loader that fetches second-stage code from the attacker's infrastructure. When a legitimate user visits an affected article, a fake Cloudflare prompt containing the ClickFix lure is loaded via an iframe on top of the page.

    The lure instructs victims to verify that they are human by pasting a provided command in their Windows command prompt, resulting in the deployment of malware payloads. These payloads include DLL loaders, JavaScript droppers, and Electron-based malware samples such as UtilifySetup.exe.

    Given the broad impact of this attack on prominent institutions and other notable domains, XLab's researchers recommend that website owners upgrade to version 6.19.1 or later and rotate all keys used previously due to potential exposure. A thorough review of infected websites is also advised to locate and remove injected scripts. Furthermore, maintaining a 30-day record of admin API call logs can aid in retrospective investigations.
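As an added, defender-side example (not code from the XLab report or the Ghost project), the following Python scans a post's rendered HTML for the artefacts the article describes: script tags loading from hosts outside the site's own allowlist, inline loader scripts, and iframes sourced from untrusted hosts. The sample post body and all hostnames are constructed placeholders, and the allowlist is an assumption the operator supplies.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _TagCollector(HTMLParser):
    """Collect every <script> and <iframe> tag as [tag, src or None, inline chars]."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            self.findings.append([tag, src, 0])
            self._in_inline_script = (tag == "script" and src is None)

    def handle_data(self, data):
        if self._in_inline_script:  # body of a <script> with no src attribute
            self.findings[-1][2] += len(data.strip())

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

def find_injected_content(post_html, trusted_hosts):
    """Flag inline scripts and script/iframe tags whose src host is not in trusted_hosts
    (the site's own hosts plus deliberately embedded third parties); relative src is same-site."""
    parser = _TagCollector()
    parser.feed(post_html)
    suspicious = []
    for tag, src, inline_chars in parser.findings:
        if src is None:
            if tag == "script" and inline_chars > 0:
                suspicious.append({"tag": tag, "src": None, "reason": "inline script"})
            continue
        host = (urlparse(src).hostname or "").lower()
        if host and host not in trusted_hosts:
            suspicious.append({"tag": tag, "src": src, "reason": "untrusted host " + host})
    return suspicious

# Constructed sample post body; hostnames are placeholders, not real infrastructure.
SAMPLE_POST_HTML = """<p>Legitimate article text.</p>
<script src="https://blog.example-site.test/assets/theme.js"></script>
<script src="/assets/local.js"></script>
<script src="https://cdn.example-attacker.test/loader.js"></script>
<script>/* injected loader stub */ window.__stage2 = 'https://cdn.example-attacker.test/a.js';</script>
<iframe src="https://verify.example-attacker.test/check" style="position:fixed;top:0"></iframe>"""

if __name__ == "__main__":
    for hit in find_injected_content(SAMPLE_POST_HTML, {"blog.example-site.test"}):
        print(hit)
```

Run it against each post's `html` field exported from the CMS, with the allowlist set to the site's own hostnames and any third-party embeds the editors intentionally use.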



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Ghost-CMS-SQL-Injection-Flaw-A-Large-Scale-ClickFix-Campaign-ehn.shtml
  • https://www.bleepingcomputer.com/news/security/ghost-cms-sql-injection-flaw-exploited-in-large-scale-clickfix-campaign/
  • https://nvd.nist.gov/vuln/detail/CVE-2026-26980
  • https://www.cvedetails.com/cve/CVE-2026-26980/


    Published: Sun May 24 09:51:40 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.
