Ghost CMS Sites Mass-Hacked in Widespread ClickFix Cybercrime Wave
A major cyberattack is targeting websites that run Ghost CMS. Attackers are exploiting a critical SQL injection flaw to take control of sites: the flaw lets them steal secret keys and add malicious code. Over 700 domains, including university and company sites, have been compromised.
The malicious code runs a ClickFix attack on visitors, tricking them into running a harmful command on their computer, which can install dangerous malware on their systems. A security fix is available, but many sites have not installed it yet.
Administrators must update their Ghost CMS software immediately, change all their secret keys, and carefully check their websites for leftover malicious code to protect their visitors.
| Aspect | Details | Key Information |
|---|---|---|
| Vulnerability | SQL Injection in Ghost CMS (CVE-2026-26980) | Affects versions 3.24.0 through 6.19.0; allows unauthenticated attackers to read arbitrary database data, including admin API keys. Patched in version 6.19.1 (Feb 19, 2026). |
| Attack Chain | Exploitation → JavaScript injection → ClickFix lure | Attackers steal admin API keys via SQLi, inject malicious JS into articles. A cloaking script fingerprints visitors; qualifying targets see a fake Cloudflare prompt instructing them to paste a malicious command. |
| Payloads Delivered | Multiple malware types deployed post-click | Includes DLL loaders, JavaScript droppers, and an Electron-based malware sample named UtilifySetup.exe. Different activity clusters sometimes re-infect or overwrite each other’s scripts. |
| Campaign Scale | 700+ compromised domains across diverse sectors | Victims include Harvard University, Oxford University, Auburn University, DuckDuckGo, plus AI/SaaS companies, media outlets, fintech firms, security sites, and personal blogs. |
| Mitigation Actions | Upgrade, rotate keys, audit, and monitor | Upgrade to Ghost 6.19.1+, rotate all previously used admin API keys, review sites for injected scripts using published IoCs, and maintain 30-day admin API call logs for retrospective investigation. |
Ghost CMS SQL Injection Flaw Exploited
Widespread Exploitation Across Critical Sectors
A critical SQL injection flaw (CVE-2026-26980) is being exploited, and over 700 domains have been compromised. The attack targets diverse organizations, including universities and tech firms, and injects malicious code to trigger ClickFix scams. Administrators must update Ghost CMS and rotate all keys immediately.
“Despite the patch being available since February, threat actors continue to actively exploit this vulnerability, highlighting a critical gap in patch adoption.”
Update Ghost CMS now: patch immediately to version 6.19.1. The flaw allows attackers to inject code, and many sites remain vulnerable. Rotate all exposed API keys, monitor your admin logs, and protect users from ClickFix scams. Prioritizing timely updates and employing strong security habits safeguards our digital communities and can prevent future attacks.
This campaign shows how a known vulnerability can cause widespread harm. Many organizations and their users are at risk, and the attack demonstrates a failure to apply timely security updates.
All Ghost CMS administrators must upgrade to the patched version immediately, rotate their API keys, and review their site content. Regular updates and security checks are essential for protection.
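As a starting point for the upgrade check and the content review described above, here is an added example (not code from this article or from the Ghost project). It tests a version string against the affected range given in the table and lists script tags in post HTML that are inline or load from hosts outside an allowlist. The post record shape (`slug`, `html`), the allowlist, and the sample hosts are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Affected range as stated on this page: 3.24.0 through 6.19.0 (fixed in 6.19.1).
FIRST_AFFECTED, LAST_AFFECTED = (3, 24, 0), (6, 19, 0)

def is_affected(version):
    """True if a Ghost version string falls inside the affected range."""
    core = version.strip().lstrip("v").split("-")[0].split("+")[0]
    parts = tuple(int(p) for p in core.split("."))
    return FIRST_AFFECTED <= (parts + (0, 0, 0))[:3] <= LAST_AFFECTED

class ScriptCollector(HTMLParser):
    """Records each <script> tag as 'inline' or as the host its src points to."""
    def __init__(self):
        super().__init__()
        self.seen = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if not src:
            self.seen.append("inline")
        else:
            host = urlparse(src).hostname
            if host:  # relative URLs are same-origin and skipped
                self.seen.append(host)

def audit_posts(posts, allowed_hosts):
    """Return (slug, finding) pairs for scripts that need manual review."""
    findings = []
    for post in posts:
        collector = ScriptCollector()
        collector.feed(post.get("html") or "")
        for item in collector.seen:
            if item == "inline":
                findings.append((post["slug"], "inline script"))
            elif item not in allowed_hosts:
                findings.append((post["slug"], "external script from " + item))
    return findings

# Constructed sample data: post records with assumed "slug" and "html" fields.
SAMPLE_POSTS = [
    {"slug": "welcome", "html": '<p>Hi</p><script src="https://cdn.example.com/embed.js"></script>'},
    {"slug": "pricing", "html": '<p>Plans</p><script src="//loader.invalid/a.js"></script>'},
    {"slug": "about", "html": "<p>Team</p><script>/* unexpected inline code */</script>"},
]
```

Calling `audit_posts(SAMPLE_POSTS, allowed_hosts={"cdn.example.com"})` flags the `pricing` and `about` posts; every finding is a prompt for manual review, not proof of compromise.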




