Overview
A critical SQL injection vulnerability (CVE‑2026‑26980) in Ghost CMS has triggered a large‑scale exploitation campaign known as ClickFix, compromising more than 700 domains worldwide. Discovered by XLab Threat Intelligence at Qianxin, the campaign targets websites across education, AI/SaaS, fintech, media, and cybersecurity sectors — including portals belonging to Harvard, Oxford, Auburn University, and DuckDuckGo.

Key Highlights
- Vulnerability affects Ghost CMS versions 3.24.0 – 6.19.0.
- Allows unauthenticated attackers to read arbitrary database data, including admin API keys.
- Attackers use stolen keys to inject malicious JavaScript into article pages.
- Exploited sites serve fake Cloudflare verification prompts that deliver malware via ClickFix flows.
- Payloads include DLL loaders, JavaScript droppers, and an Electron‑based malware sample (UtilifySetup.exe).
Attack Chain
- Exploit CVE‑2026‑26980 to steal admin API keys.
- Use elevated privileges to inject malicious JavaScript into Ghost articles.
- The injected script loads a second‑stage cloaking code that fingerprints visitors.
- Qualified targets see a fake Cloudflare iframe prompt asking them to paste a command in Windows CMD.
- Executing the command drops malware onto the victim’s system.
Researchers observed multiple threat clusters, sometimes re‑infecting cleaned domains or overwriting rival scripts — a sign of competing attacker groups exploiting the same flaw.
Impact
The campaign demonstrates how CMS vulnerabilities can escalate into mass exploitation across trusted domains. Attackers gain full administrative control, modify content, and distribute malware directly from legitimate websites — eroding user trust and enabling credential theft, crypto mining, and espionage.
Defensive Guidance
Administrators should act immediately:
- Upgrade Ghost CMS to v6.19.1 or newer.
- Rotate all admin API keys used before patching.
- Review injected scripts and clean compromised pages.
- Maintain 30‑day admin API logs for retrospective analysis.
- Monitor for ClickFix payloads across article templates.
Final Thought
The ClickFix campaign underscores the urgency of timely patching and key rotation in open‑source platforms. Even a single outdated CMS instance can become a malware distribution hub. For defenders, proactive vulnerability management and continuous monitoring are the only ways to stay ahead of exploitation waves.