A recent attack campaign has hit over 700 websites by exploiting a vulnerability in the Ghost content management system (CMS). The flaw was patched earlier this year, but attackers have still used it to infiltrate sites, including those of major organizations, as reported by the Chinese cybersecurity firm Qianxin.
Details of the Exploited Vulnerability
The vulnerability in question is tracked as CVE-2026-26980. It was initially identified and addressed in February. Ghost, an open-source CMS frequently used for blogging and publishing, is used by more than 100,000 websites globally. Although a patch is available, on installations that have not applied it the flaw allows unauthorized attackers to perform SQL injection and access sensitive data in the Ghost database.
Security experts from SentinelOne warned that this vulnerability could allow attackers to retrieve authentication tokens, user credentials, and other sensitive content from affected websites. This warning has now materialized into real-world attacks, as Qianxin observed a surge in exploits against unpatched Ghost installations.
Impact and Scope of the Attack
The attackers utilized the vulnerability to capture the Admin API Key of targeted sites, subsequently using this access to modify articles with malicious JavaScript loaders intended for ClickFix attacks. The breach was first noticed in early May, with timestamps from a DLL file used in the attacks dating back to February 16, coinciding with the patch release date.
Qianxin has identified more than 700 websites compromised by these attacks, including those belonging to prominent organizations such as DuckDuckGo, Harvard University, and Oxford University. A significant portion of the affected sites are personal blogs, but many others are associated with tech, AI, and cryptocurrency sectors.
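The tampering described above leaves a trace in post content, so a site owner can audit posts for scripts they did not put there. The following is an added example, not Qianxin's or Ghost's code: it assumes posts are available as a list of dictionaries with `slug`, `html`, `codeinjection_head` and `codeinjection_foot` fields, and the allowlist and sample posts are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Assumption: hosts this site intentionally loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"blog.example.org", "cdn.jsdelivr.net"}
# Post fields that can carry markup (assumed names, modelled on a Ghost post object).
HTML_FIELDS = ("html", "codeinjection_head", "codeinjection_foot")

class ScriptFinder(HTMLParser):
    """Collects each <script> element as [src or None, inline body]."""
    def __init__(self):
        super().__init__()
        self.scripts, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append([dict(attrs).get("src"), ""])
            self._open = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._open = False
    def handle_data(self, data):
        if self._open:
            self.scripts[-1][1] += data

def audit_posts(posts):
    """Flag inline scripts and scripts loaded from hosts outside the allowlist."""
    findings = []
    for post in posts:
        for field in HTML_FIELDS:
            finder = ScriptFinder()
            finder.feed(post.get(field) or "")
            finder.close()
            for src, body in finder.scripts:
                if src is None:
                    if body.strip():  # inline code: always worth a manual look
                        findings.append((post["slug"], field, "inline", body.strip()[:60]))
                    continue
                host = urlparse(src.strip()).hostname  # None for same-site relative paths
                if host is not None and host not in ALLOWED_SCRIPT_HOSTS:
                    findings.append((post["slug"], field, "external", host))
    return findings

# Constructed sample posts; no real site data.
SAMPLE_POSTS = [
    {"slug": "welcome", "html": '<p>Hi</p><script src="https://cdn.jsdelivr.net/npm/prismjs"></script>'},
    {"slug": "release-notes", "html": '<p>Notes</p><script src="//loader.invalid/a.js"></script>'},
    {"slug": "about", "html": "<p>About</p>", "codeinjection_foot": "<script>console.log('constructed')</script>"},
]
if __name__ == "__main__":
    print(*audit_posts(SAMPLE_POSTS), sep="\n")
```

A finding is a prompt for review, not proof of compromise: legitimate embeds also add scripts, so compare flagged posts against their edit history.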
Response and Ongoing Concerns
Qianxin has made efforts to notify the victims of these attacks. However, many of these alerts have gone unanswered. The firm noted that at least two distinct groups are actively exploiting the flaw, sometimes even competing with each other by deploying different malicious code on the same day.
The continued exploitation of this vulnerability underscores the importance of timely updates and patch management for CMS platforms like Ghost. Organizations are advised to ensure their systems are patched promptly to mitigate such risks.
The incident highlights the persistent threat of cyber vulnerabilities and the need for ongoing vigilance and rapid response strategies to protect online assets and sensitive information.
