CVE-2025-26980: Ghost CMS SQL Injection Exploited in ClickFix Campaign
- [01] Attackers exploit a critical SQL injection vulnerability to inject malicious scripts into Ghost CMS sites, targeting visitors with fake browser update lures.
- [02] Ghost CMS versions prior to 5.103.0 are vulnerable to this unauthenticated SQL injection flaw which enables site-wide script injection.
- [03] Administrators must immediately update Ghost CMS to version 5.103.0 or later and audit their databases for malicious JavaScript injections.
A high-volume exploitation campaign is targeting Ghost CMS installations to serve social engineering lures to their visitors. It leverages CVE-2025-26980, a critical flaw that lets unauthenticated attackers run arbitrary SQL against the database behind the site. According to BleepingComputer, threat actors use that access to write malicious JavaScript into the site settings, turning legitimate blogs into distribution points for the ClickFix infection chain.
Technical Analysis of the ClickFix Attack Chain
The vulnerability lies in how Ghost CMS handles certain member-related queries, which lets an attacker reach the database without authenticating. With that access, the observed TTP is to modify the settings table so that the site-wide code injection entries (the header and footer HTML Ghost renders on every page) carry a malicious <script> tag. Because those fields are emitted on every page load, every visitor to the compromised site is served the fake system error or browser update notification.
This campaign uses the ClickFix methodology, a form of phishing that simulates a technical problem. When a user visits the site, the injected script displays an overlay claiming the browser is outdated or that a ‘root certificate’ is missing. The overlay offers a ‘Fix’ button that, when clicked, copies a malicious PowerShell command to the clipboard and instructs the user to paste it into a terminal window. No file is ever downloaded by the browser, so download scanning and browser sandboxing never see the payload; whether EDR catches it depends on command-line monitoring of the PowerShell process the user launches by hand.
How to Detect CVE-2025-26980 Exploit
Security teams should monitor for unusual database activity in their Ghost CMS environments. The primary IoC is a script tag with an external source in the site-wide code injection settings: in Ghost's settings table these are stored under the keys codeinjection_head and codeinjection_foot, and posts carry per-post codeinjection_head and codeinjection_foot fields that should be checked as well. To detect CVE-2025-26980 exploit activity, audit those values for scripts pointing to domains associated with the ClickFix campaign, typically lookalikes of content delivery networks or browser update services. Because those domains rotate, a more durable check is to flag any script source that is not on the site's own allowlist of third-party hosts, and any inline script that writes to the clipboard.
Ghost CMS 5.103.0 Security Update and Remediation
The most effective way to address this threat is to apply the Ghost CMS 5.103.0 security update, which patches the underlying SQL injection flaw. Because an unauthenticated attacker can use the flaw to turn the site into a delivery point for commands that visitors execute on their own machines, patching is time-sensitive.
After upgrading, administrators must audit their site content. Patching the software does not remove scripts already injected into the database. To mitigate ClickFix injections, teams must inspect and clear any unauthorized entries in the site-wide and per-post code injection settings, taking a backup first so that legitimate analytics or widget snippets can be restored. Rotating all database credentials and administrative passwords is also recommended, and active sessions and any Admin API or integration keys should be invalidated and reissued, since the SQL injection could have been used to read member data, staff password hashes and API keys from the database.
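The following audit script is an added example, not code from the Ghost project or from the campaign write-up, and it serves both the detection step above and the post-patch clean-up here. It runs against a constructed in-memory SQLite stand-in for the two relevant Ghost tables (settings and posts); the allowlisted CDN hosts, the lookalike domain browser-update-check.example and the sample injected snippets are all assumptions made for the demonstration. Pointing the connection at a real Ghost database (MySQL through a DB-API driver, or SQLite on a development install) is the only change needed to use it for real.

```python
"""Audit Ghost code-injection fields for ClickFix-style scripts, then clear them.

Added example, not Ghost project code. Table layout and sample rows below are a
constructed stand-in; only the two columns the audit needs are modelled.
"""
import re
import sqlite3
from urllib.parse import urlparse

# Assumption: third-party hosts this site legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"cdn.jsdelivr.net", "www.googletagmanager.com"}

# <script ... src="..."> in any attribute order, quoted or not.
SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
# Body of inline <script>...</script> blocks.
INLINE_SCRIPT_RE = re.compile(r'<script\b[^>]*>(.*?)</script>', re.I | re.S)
# Behaviour a blog header/footer has no business containing: clipboard writes
# or a shell command baked into the page.
CLIPBOARD_RE = re.compile(r'navigator\.clipboard|execCommand\(\s*["\']copy|powershell', re.I)

INJECTION_KEYS = ("codeinjection_head", "codeinjection_foot")


def script_host(src):
    """Hostname of a script URL, or None for site-relative paths like /assets/app.js.
    urlparse handles protocol-relative //host/x.js as well as https://host/x.js."""
    return urlparse(src).hostname


def load_injection_fields(conn):
    """Yield (location, html) for every site-wide and per-post injection field."""
    cur = conn.cursor()
    cur.execute("SELECT key, value FROM settings WHERE key IN (?, ?) ORDER BY key", INJECTION_KEYS)
    for key, value in cur.fetchall():
        yield f"settings.{key}", value
    cur.execute(
        "SELECT slug, codeinjection_head, codeinjection_foot FROM posts "
        "WHERE codeinjection_head IS NOT NULL OR codeinjection_foot IS NOT NULL ORDER BY slug"
    )
    for slug, head, foot in cur.fetchall():
        yield f"posts[{slug}].codeinjection_head", head
        yield f"posts[{slug}].codeinjection_foot", foot


def audit_injection_fields(conn):
    """Return findings: script sources on hosts outside the allowlist, and inline
    scripts that touch the clipboard or embed a PowerShell command."""
    findings = []
    for location, html in load_injection_fields(conn):
        if not html:
            continue
        for src in SCRIPT_SRC_RE.findall(html):
            host = script_host(src)
            if host and host not in ALLOWED_SCRIPT_HOSTS:
                findings.append({"location": location, "reason": "external script", "detail": host})
        for body in INLINE_SCRIPT_RE.findall(html):
            if CLIPBOARD_RE.search(body):
                findings.append({"location": location, "reason": "clipboard/shell in inline script",
                                 "detail": body.strip()[:80]})
    return findings


def clear_site_injection(conn, keys=INJECTION_KEYS):
    """Blank the site-wide injection settings (the remediation step). Returns rows
    changed. Back up first: this also removes legitimate analytics snippets."""
    placeholders = ",".join("?" * len(keys))
    cur = conn.execute(f"UPDATE settings SET value = '' WHERE key IN ({placeholders})", tuple(keys))
    conn.commit()
    return cur.rowcount


def build_sample_db():
    """Constructed stand-in for a compromised Ghost database (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE settings (key TEXT PRIMARY KEY, value TEXT);
        CREATE TABLE posts (slug TEXT PRIMARY KEY, codeinjection_head TEXT, codeinjection_foot TEXT);
    """)
    conn.executemany("INSERT INTO settings VALUES (?, ?)", [
        # Legitimate: syntax highlighter from an allowlisted CDN.
        ("codeinjection_head", '<script src="https://cdn.jsdelivr.net/npm/prismjs"></script>'),
        # Injected: protocol-relative loader from a hypothetical lookalike "update" host.
        ("codeinjection_foot", '<script src="//browser-update-check.example/fix.js"></script>'),
    ])
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)", [
        ("hello-world", None, None),
        # Injected per-post: inline overlay that copies a command to the clipboard.
        ("about", None, "<script>document.body.onclick=()=>navigator.clipboard"
                        ".writeText('powershell -w hidden -c ...')</script>"),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for f in audit_injection_fields(db):
        print(f"{f['location']}: {f['reason']} -> {f['detail']}")
    print("cleared", clear_site_injection(db), "site-wide injection setting(s)")
```

On the sample data the audit reports the footer loader on the lookalike host and the inline clipboard script on the about post, while the allowlisted CDN script in the header passes. Clearing the site-wide settings removes the first finding only; per-post injections still have to be reviewed and cleaned individually, which is why the audit covers both tables.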