Ghost CMS Vulnerability Exploited in Large-Scale ClickFix Campaign Affecting Hundreds of Sites
- May 25
- 4 min read
Key Findings
Attackers are actively exploiting CVE-2026-26980, a patched SQL injection flaw in Ghost CMS, to compromise over 700 unpatched websites
The vulnerability allows unauthorized access to admin API keys, enabling attackers to inject malicious JavaScript into published articles
Compromised sites are being weaponized to deliver ClickFix attacks, tricking users into running malicious commands via fake CAPTCHA pages
Affected organizations include universities, media outlets, technology blogs, and sites associated with Harvard, Oxford, and DuckDuckGo
At least two separate threat groups are conducting the campaign, sometimes targeting the same sites within hours of each other
The malware payloads include persistence mechanisms and communicate with command servers to execute arbitrary instructions
Background
CVE-2026-26980 is an SQL injection vulnerability in Ghost CMS's Content API that was publicly disclosed and patched in February 2026. Despite the fix being available for months, a substantial portion of Ghost installations remained unpatched, creating a window of opportunity for attackers. Qianxin researchers first detected active exploitation of this vulnerability in early May 2026, discovering it was being used as part of a coordinated campaign affecting hundreds of sites across multiple sectors.
The Vulnerability and Initial Compromise
The flaw exists in Ghost's Content API and allows unauthenticated attackers to read arbitrary data from the database. In the worst case scenario, this exposure includes the admin API key, which is the most critical credential in Ghost. Armed with the admin API key, attackers can directly modify published content on affected sites without needing legitimate login credentials. The speed of exploitation was notable, with the malicious code found in this campaign bearing a compilation date of February 16, the same day Ghost announced the fix.
Attack Chain and Infection Method
The campaign follows a sophisticated five-stage process. Attackers first scan for vulnerable Ghost installations, then extract the admin API key through the SQL injection flaw. They use this key to bulk-inject malicious JavaScript loaders into articles at the bottom of pages. When visitors load these compromised pages, the injected code triggers a two-stage loading process that checks browser fingerprints and determines whether to serve content to the actual visitor or to security scanners. Real victims are redirected to a fake CAPTCHA verification page designed to appear legitimate.
The ClickFix Social Engineering Attack
The injected JavaScript eventually presents users with what appears to be a standard verification prompt asking them to prove they are human. The page instructs victims to press Windows+R, copy and paste a Base64-encoded command, and press Enter. This command downloads and executes a ZIP archive containing batch scripts and PowerShell commands that download and run malware payloads. The attack leverages user trust in what appears to be an official verification process, making them unwitting participants in their own compromise.
Payload Delivery and Persistence
The final payloads have evolved throughout the campaign. Early iterations distributed a DLL file that is a signed copy of the PuTTY SSH client, which when executed uses rundll32.exe to load malware functionality. Later versions replaced the DLL with JavaScript payloads that drop Windows executables. Subsequent samples included an Inno Setup installer for a modified Electron application based on the open-source Grape desktop client. This application establishes persistence on infected machines and polls a remote server every 30 seconds to receive and execute commands from attackers, allowing them to run arbitrary JavaScript or executable files.
Scale and Scope of the Campaign
Qianxin identified more than 700 poisoned domains across a wide range of sectors. Roughly half are personal blogs or independent websites, but the campaign also affected technology blogs, AI-focused sites, media outlets, cryptocurrency projects, and educational institutions. The researchers proactively contacted site owners when possible to notify them of the poisoning. The presence of legitimate, high-authority websites in the compromise list makes the ClickFix attacks more effective because users are more likely to trust verification prompts on well-known domains.
Multiple Threat Groups and Competition
Evidence suggests at least two separate threat groups are conducting poisoning operations as part of this campaign. In some cases, the same site was compromised multiple times with different malicious code injected by different attackers, indicating these sites had become attractive targets for multiple groups. This competition for the same infrastructure makes cleanup more difficult for site owners and demonstrates the value attackers place on these compromised platforms.
Infrastructure and Flexibility
The attack infrastructure was designed to be adaptable and resilient. The two-stage loading mechanism uses Adspect, a commercial cloaking service, to ensure security scanners and crawlers see benign content while real victims are served the attack payload. The cloaking script collects browser fingerprints and supports 19 different commands for remote browser control. When parts of the infrastructure were detected and blocked, attackers switched domains to keep the campaign operational, demonstrating active management and monitoring of their operation.
Recommendations for Site Owners and Users
Ghost CMS administrators should immediately update to the latest patched version and rotate all credentials, particularly admin API keys. Site logs should be reviewed for any suspicious admin API activity that might indicate unauthorized access. Injected malicious scripts must be removed from the database itself rather than just from the visual editor to prevent reinfection. Site owners should also contact users who may have visited their sites during the compromise period to warn them of potential malware infection. For end users, anyone who may have visited a compromised site should be cautious of any system changes or unusual activity and consider running security scans.
Sources
https://securityaffairs.com/192655/cyber-crime/ghost-cms-flaw-abused-to-push-clickfix-attacks-on-hundreds-of-sites.html
https://thehackernews.com/2026/05/ghost-cms-cve-2026-26980-exploited-to.html

Comments