Multiple Websites Hacked Via Ghost CMS Vulnerability Exploit


Vulnerability in Ghost Content Management System Exposed Hundreds of Sites to Hacking

In a recent wave of attacks, over 700 websites, including those belonging to prominent organizations like DuckDuckGo and Harvard University, were compromised due to a previously patched vulnerability in the popular open-source content management system (CMS) Ghost.

Attack Details

Chinese cybersecurity firm Qianxin discovered that the vulnerability, tracked as CVE-2026-26980, had been exploited to inject malicious code into vulnerable sites, altering articles and stealing sensitive data.

  • The vulnerability, an SQL injection flaw, allowed unauthenticated attackers to extract authentication tokens, user credentials, and website content.
  • Initially disclosed in February, the issue was patched soon after, but threat actors managed to exploit it before the fix was applied.

Critical Findings

Qianxin reported that they started observing compromised websites in early May, with the attackers leveraging the vulnerability to steal the Admin API Key and then modifying articles on Ghost-powered sites.

  • The malicious code used in the attacks dates back to February 16, the same day the patch was announced.
  • At least two groups were actively exploiting the vulnerability, with some sites becoming targets of a competition between the two groups, resulting in multiple rounds of malware injections within a short period.
  • The vast majority of the affected websites did not respond to Qianxin's notifications, leaving them exposed to further attacks.
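
One way a site operator could check post content for the article tampering described above, as an added example (not code from Qianxin or the Ghost project): it walks a Ghost JSON export and flags script and iframe tags that are inline or load from hosts outside an allowlist. It assumes that injected code appears as such tags in the post HTML and that the export keeps posts under db[0].data.posts; the allowlist, cutoff date and sample posts are constructed.

```javascript
// Added example: audit a Ghost JSON export for unexpected active content.
// Allowlist, cutoff date and sample posts are constructed for illustration.
const ALLOWED_HOSTS = new Set(["www.youtube.com", "platform.twitter.com"]);
const SELF = "self.invalid"; // stand-in origin used to resolve relative URLs

// Constructed sample; assumes the export keeps posts under db[0].data.posts.
const SAMPLE_EXPORT = { db: [{ data: { posts: [
  { slug: "welcome", updated_at: "2026-01-10T09:00:00.000Z",
    html: '<p>Hi</p><iframe src="https://www.youtube.com/embed/abc"></iframe>' },
  { slug: "pricing", updated_at: "2026-05-03T02:14:00.000Z",
    html: '<p>Plans</p><script src="https://cdn.example.invalid/a.js"></script>' },
  { slug: "about", updated_at: "2026-05-03T02:15:00.000Z",
    html: '<p>About</p><SCRIPT>document.title = "x"</SCRIPT>' },
] } }] };

// Return one finding per <script>/<iframe> that is inline or off-allowlist.
function findActiveTags(html) {
  const findings = [];
  const tagRe = /<(script|iframe)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html || "")) !== null) {
    const tag = m[1].toLowerCase();
    const src = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(m[2]);
    if (!src) {
      if (tag === "script") findings.push({ tag, reason: "inline script" });
      continue;
    }
    const url = src[1] ?? src[2] ?? src[3];
    let host = null;
    try { host = new URL(url, `https://${SELF}`).hostname; } catch { /* unparseable */ }
    if (host === null) findings.push({ tag, reason: "unparseable src", url });
    else if (host !== SELF && !ALLOWED_HOSTS.has(host)) {
      findings.push({ tag, reason: "host not allowlisted", url });
    }
  }
  return findings;
}

// List posts with findings; mark those edited on or after the cutoff.
function auditExport(exp, since) {
  const posts = exp?.db?.[0]?.data?.posts ?? [];
  return posts
    .map((p) => ({ slug: p.slug, updated_at: p.updated_at,
      recent: new Date(p.updated_at) >= new Date(since), findings: findActiveTags(p.html) }))
    .filter((r) => r.findings.length > 0);
}

console.log(JSON.stringify(auditExport(SAMPLE_EXPORT, "2026-05-01T00:00:00Z"), null, 2));
```

Posts flagged here still need manual review, since a legitimate embed may simply be missing from the allowlist.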

Lessons Learned

The incident highlights the importance of prompt patch application and regular security updates for critical systems like content management platforms. It also underscores the need for organizations to stay vigilant and proactive in addressing potential vulnerabilities, especially when they have significant exposure and impact on the digital landscape.



