Ghost CMS CVE-2022-41654: Over 700 Websites Compromised
- [01] Attackers are actively exploiting a critical Ghost CMS vulnerability to inject malicious scripts into over 700 high-profile websites.
- [02] Impacted systems include Ghost CMS installations running versions prior to 5.22.7, specifically those with newsletter features enabled.
- [03] Administrators must upgrade to the latest Ghost CMS version immediately and inspect web root files for unauthorized JavaScript injections.
A widespread exploitation campaign has targeted hundreds of websites running the Ghost Content Management System (CMS), including high-profile domains belonging to Harvard University, the University of Oxford, and the privacy-focused search engine DuckDuckGo. According to SecurityWeek, the campaign leverages a known security flaw to inject malicious code into the front-end of affected sites, primarily to facilitate credential theft and malware delivery.
Technical Analysis: Unauthorized API Access in Ghost CMS
The root cause of these compromises is CVE-2022-41654, a critical authentication bypass vulnerability. This CVE exists due to an oversight in how the Ghost Admin API handles newsletter subscription requests. In vulnerable versions, an unauthenticated attacker can manipulate the /ghost/api/v3/admin/newsletters/ endpoint to gain unauthorized access to administrative functions. This flaw effectively grants the attacker the ability to modify site settings, alter themes, and inject arbitrary JavaScript.
Once access is achieved, the primary TTP observed involves modifying the site’s theme or global code injection settings. Attackers use this access to insert scripts that redirect visitors to phishing pages or display fraudulent “browser update” notifications. These fake updates are a common delivery mechanism for various malware families, often leading to full compromise of the end user's system. Because the scripts are hosted on legitimate, high-authority domains such as those of Ivy League universities, they frequently bypass reputation-based web filters.
How to detect CVE-2022-41654 exploit activity
Security teams should focus on identifying unauthorized modifications to the Ghost database and file system. To investigate suspected unauthorized API access to Ghost CMS, administrators should first verify the integrity of the settings table in the Ghost database, specifically looking for unfamiliar scripts in the ghost_head or ghost_foot entries.
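The settings-table check described above, written as an added example (this is not code from the article or from the Ghost project). It assumes the settings table holds a `key`/`value` pair per setting, as in Ghost's schema; the article names the `ghost_head`/`ghost_foot` keys and newer Ghost releases store the same content under `codeinjection_head`/`codeinjection_foot`, so both are queried. The sample database and the allowlist of script hosts are constructed for the demonstration.

```python
import re
import sqlite3

# Settings keys that hold site-wide code injection. The article names
# ghost_head/ghost_foot; newer Ghost releases use codeinjection_head/_foot.
INJECTION_KEYS = ("ghost_head", "ghost_foot", "codeinjection_head", "codeinjection_foot")

# Hosts the site owner knowingly loads scripts from (assumption: maintained by the admin).
ALLOWED_SCRIPT_HOSTS = {"www.googletagmanager.com"}

# Capture the host of every <script src=...> (absolute or protocol-relative URL).
SCRIPT_SRC_RE = re.compile(
    r"<script[^>]*\ssrc\s*=\s*['\"]?(?:https?:)?//([^/'\"\s>]+)", re.I
)
# Capture the body of every inline <script>...</script>.
INLINE_SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
# Primitives that legitimate analytics snippets rarely need but injected loaders often use.
OBFUSCATION_RE = re.compile(
    r"\b(eval|atob|unescape|String\.fromCharCode|document\.write)\s*\(|\\x[0-9a-f]{2}", re.I
)


def audit_injection(value):
    """Return a list of findings for one code-injection setting value."""
    findings = []
    for host in SCRIPT_SRC_RE.findall(value):
        if host.lower() not in ALLOWED_SCRIPT_HOSTS:
            findings.append(f"external script from unapproved host: {host}")
    for body in INLINE_SCRIPT_RE.findall(value):
        if OBFUSCATION_RE.search(body):
            findings.append("inline script uses obfuscation primitives")
    return findings


def audit_settings(conn):
    """Scan the code-injection rows of a Ghost settings table; returns {key: [findings]}."""
    placeholders = ", ".join("?" for _ in INJECTION_KEYS)
    rows = conn.execute(
        f'SELECT "key", value FROM settings WHERE "key" IN ({placeholders})', INJECTION_KEYS
    ).fetchall()
    report = {}
    for key, value in rows:
        findings = audit_injection(value or "")
        if findings:
            report[key] = findings
    return report


def build_sample_db():
    """Constructed in-memory stand-in for a Ghost SQLite database (not real site data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE settings ("key" TEXT PRIMARY KEY, value TEXT)')
    conn.executemany(
        "INSERT INTO settings VALUES (?, ?)",
        [
            # Legitimate analytics tag from an approved host.
            ("ghost_head",
             '<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>'),
            # Constructed tampering: a loader from an unknown host plus an obfuscated inline script.
            ("ghost_foot",
             '<script src="//cdn.example-placeholder.invalid/u.js"></script>'
             '<script>eval(atob("..."))</script>'),
            ("title", "My Site"),
        ],
    )
    return conn


if __name__ == "__main__":
    for key, findings in audit_settings(build_sample_db()).items():
        for finding in findings:
            print(f"{key}: {finding}")
```

Against a live installation, replace `build_sample_db()` with a read-only connection to the site's database (or a dump of the settings table) and populate `ALLOWED_SCRIPT_HOSTS` from the site's documented third-party scripts; anything else that appears in these rows should be treated as a finding to explain, not as noise.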
Monitoring SIEM logs for unusual POST requests to the Admin API from external IP addresses is another effective method. Specifically, a high volume of traffic to the newsletter management endpoints from non-administrative origins is a strong IoC. If your SOC determines that the site has been tampered with, the attacker most likely used this path, achieving an RCE-like outcome through script injection.
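The log-based detection described above, as an added example that is not part of the article. It parses web-server access logs in the common combined format, flags write requests (POST, PUT, DELETE) to the newsletter endpoint under `/ghost/api/.../admin/`, ignores origins inside the administrators' own networks, and reports source IPs that exceed a request threshold. The admin network ranges, the threshold and the log lines are all constructed for the demonstration.

```python
import ipaddress
import re
from collections import Counter

# Combined-format access log: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Newsletter management endpoint; the article cites the v3 path, newer Ghost
# releases drop the version segment, so it is optional here.
NEWSLETTER_API_RE = re.compile(r"^/ghost/api/(?:v\d+/)?admin/newsletters/")
WRITE_METHODS = {"POST", "PUT", "DELETE"}

# Assumption: networks from which legitimate administrators work.
ADMIN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.1.0/24")]


def is_admin_origin(ip):
    """True when the source address belongs to an administrative network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ADMIN_NETWORKS)


def suspicious_newsletter_requests(lines):
    """Return (ip, method, path, status) for write requests to the newsletter API from outside."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["method"] not in WRITE_METHODS:
            continue
        if not NEWSLETTER_API_RE.match(m["path"]):
            continue
        if is_admin_origin(m["ip"]):
            continue
        hits.append((m["ip"], m["method"], m["path"], m["status"]))
    return hits


def offenders(lines, threshold=3):
    """Source IPs with at least `threshold` suspicious newsletter-API writes."""
    counts = Counter(ip for ip, *_ in suspicious_newsletter_requests(lines))
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.45 - - [11/Nov/2022:10:01:02 +0000] "POST /ghost/api/v3/admin/newsletters/ HTTP/1.1" 201 512 "-" "python-requests/2.28"',
    '203.0.113.45 - - [11/Nov/2022:10:01:03 +0000] "POST /ghost/api/v3/admin/newsletters/ HTTP/1.1" 201 512 "-" "python-requests/2.28"',
    '203.0.113.45 - - [11/Nov/2022:10:01:04 +0000] "POST /ghost/api/v3/admin/newsletters/ HTTP/1.1" 201 512 "-" "python-requests/2.28"',
    '203.0.113.45 - - [11/Nov/2022:10:01:09 +0000] "PUT /ghost/api/v3/admin/newsletters/abc123/ HTTP/1.1" 200 640 "-" "python-requests/2.28"',
    '10.0.0.5 - - [11/Nov/2022:10:05:00 +0000] "POST /ghost/api/v3/admin/newsletters/ HTTP/1.1" 201 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Nov/2022:10:06:00 +0000] "GET /ghost/api/v3/admin/newsletters/ HTTP/1.1" 403 120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Nov/2022:10:06:01 +0000] "GET / HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for ip, method, path, status in suspicious_newsletter_requests(SAMPLE_LOG):
        print(f"{ip} {method} {path} -> {status}")
    print("offenders:", offenders(SAMPLE_LOG))
```

In a SIEM the same logic maps onto a saved search: filter on method and path, exclude administrative sources, then aggregate by source address over a short window. Successful (2xx) writes from unknown sources deserve immediate review of the settings table and theme files, since they indicate the request was accepted rather than rejected.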
Impact on Academic and Corporate Infrastructure
The targeting of academic institutions is particularly effective for attackers due to the high domain authority these sites maintain. When a site like Oxford or Harvard hosts malicious scripts, it is less likely to be flagged by automated scanners. The current campaign has affected over 700 sites, demonstrating that even long-patched vulnerabilities remain viable if the underlying infrastructure is not regularly maintained.
Mitigation and Ghost CMS version 5.22.6 security patch guidance
Defenders must prioritize the update of their CMS environments to the latest stable release. The specific Ghost CMS version 5.22.6 security patch (and subsequent versions like 5.22.7) addresses the authentication bypass by tightening the permissions on the Admin API.
Beyond patching, organizations should implement the following steps:
- Audit API Keys: Review all Admin API keys and delete any that were not created by authorized personnel.
- Review Code Injections: Manually inspect the ‘Code Injection’ section within the Ghost Admin panel for any external scripts or obfuscated JavaScript.
- File Integrity Monitoring: Implement monitoring on the Ghost installation directory to detect unauthorized changes to theme files (e.g., .hbs files).
- Content Security Policy (CSP): Deploy a strict CSP to prevent the execution of scripts from unauthorized external domains, which can mitigate the impact of an injection even if a vulnerability is exploited.
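A minimal file-integrity baseline for the theme directory, as an added example that is not part of the article: it records a SHA-256 hash of every `.hbs` file under a theme, then reports files that were modified, added or removed relative to that baseline. The theme layout, the tampering it simulates and the placeholder script host are all constructed; on a real installation the baseline would be taken from a known-good deployment and stored outside the web root.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(theme_dir, suffixes=(".hbs",)):
    """Map relative path -> SHA-256 for every theme file with one of the given suffixes."""
    theme_dir = Path(theme_dir)
    baseline = {}
    for path in theme_dir.rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            rel = path.relative_to(theme_dir).as_posix()
            baseline[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return baseline


def diff_snapshots(before, after):
    """Compare two snapshots; any non-empty list is a change that needs explaining."""
    return {
        "modified": sorted(k for k in before if k in after and before[k] != after[k]),
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
    }


def demo():
    """Build a constructed theme, baseline it, simulate tampering, and diff."""
    with tempfile.TemporaryDirectory() as d:
        theme = Path(d)
        (theme / "partials").mkdir()
        (theme / "default.hbs").write_text("<html>{{{body}}}</html>")
        (theme / "partials" / "header.hbs").write_text("<header></header>")
        before = snapshot(theme)

        # Constructed tampering of the kind the article describes: an external
        # script appended to the layout and a new partial dropped into the theme.
        (theme / "default.hbs").write_text(
            '<html>{{{body}}}<script src="//placeholder.invalid/x.js"></script></html>'
        )
        (theme / "partials" / "inject.hbs").write_text("<script>/* constructed */</script>")
        after = snapshot(theme)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Hash comparison catches changes to the theme on disk; it does not cover the code-injection settings stored in the database, which must be audited separately, so the two checks complement each other.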