Skip to main content
Emerging ThreatsMalware & Ransomware

Ghost CMS SQL flaw fuels large-scale ClickFix attacks

Laptop screen displays website homepage amidst papers and coffee cups in a busy workspace.

More than 700 domains were confirmed impacted in a large-scale campaign that exploited a critical SQL injection vulnerability in Ghost CMS, researchers report.

CVE-2026-26980 and affected Ghost versions

The vulnerability tracked as CVE-2026-26980 affects Ghost versions 3.24.0 through 6.19.0 and allows unauthenticated attackers to read arbitrary data from a site’s database, including admin API keys. Ghost released a patch on February 19 in version 6.19.1; however, many sites failed to install the security update and remained vulnerable.

XLab discovery and the scope of infection — 700+ domains and named sites

The campaign was discovered by XLab threat intelligence researchers at Chinese cybersecurity company Qianxin, who confirmed impact on more than 700 domains. XLab reported that threat actors planted malicious code on sites including Harvard University, Oxford University, Auburn University, and DuckDuckGo, and also affected university portals, AI/SaaS companies, media outlets, fintech firms, security sites, and personal blogs.

How the ClickFix attack chain works

XLab’s analysis describes a repeatable chain: attackers exploit CVE-2026-26980 to extract admin API keys from the Ghost database, then use those credentials to inject malicious JavaScript into article pages. The injected script is a lightweight loader that fetches a second-stage component from attacker infrastructure. That second-stage code acts as a cloaking script that fingerprints visitors and serves malicious content only to those who satisfy the actor’s checks.

Visitors who pass the fingerprinting are shown a fake Cloudflare prompt presented via an iframe over the article. The fraudulent page instructs victims to “verify that they are human” by pasting a provided command into the Windows command prompt. Executing the command drops a payload on the victim’s system.

Payloads observed and actor behavior: re-infection and competitive cleaning

Researchers observed multiple payload types delivered through this flow, including DLL loaders, JavaScript droppers, and an Electron-based malware binary named UtilifySetup.exe. SentinelOne published additional technical details and detection guidance on February 27, corroborating active exploitation in the wild.

XLab identified at least two distinct activity clusters targeting vulnerable Ghost sites. These clusters sometimes re-infected the same domains with different scripts after cleanup, and XLab observed cases where one cluster removed another’s injected script in order to install its own.

Mitigation: upgrade, rotate keys, review IoCs and keep logs

XLab’s primary recommendations for Ghost CMS website administrators are explicit: upgrade to Ghost version 6.19.1 or later and rotate all admin API keys that were in use previously, since those keys may have been exposed. XLab also provided a list of indicators of compromise (IoCs), including the injected scripts, and advised thorough reviews of sites to locate and remove malicious code.

Additionally, XLab recommends that website owners maintain a 30-day record of admin API call logs to enable reliable retrospective investigation of compromises and abuse.

What Ghost CMS administrators, site visitors, and security teams should watch

  • Ghost CMS administrators: confirm running Ghost 6.19.1 or later, rotate any previously used admin API keys, and scan article pages for injected JavaScript shown in published IoCs.
  • Site visitors and general users: be wary of Cloudflare-branded prompts inside pages and avoid executing copy-paste commands from web pages into the Windows command prompt, which XLab observed as the delivery mechanism for payloads in this campaign.
  • Security teams and incident responders: consult the IoCs published by XLab, review admin API call logs (the researchers recommend at least 30 days of retention), and consider the re-infection patterns XLab reported — multiple actor clusters have targeted the same domains and sometimes replace each other’s scripts.

The campaign underscores a familiar dynamic: a patched vulnerability (released February 19) continued to be abused at scale when many sites did not update, and attackers chained database access to persistent content injections that weaponize trusted pages to deliver malware. For defenders, the immediate work is straightforward and urgent—update, rotate, and hunt; for site visitors, the concrete signal is simple—do not paste and run commands supplied by web prompts.

Original story: https://www.bleepingcomputer.com/news/security/ghost-cms-sql-injection-flaw-exploited-in-large-scale-clickfix-campaign/