Ghost CMS Flaw Hijacks Websites

A critical Ghost CMS vulnerability is being used to hijack hundreds of websites, tricking visitors into installing malware via a fake verification step.

A large-scale malware campaign is exploiting a critical vulnerability in the Ghost Content Management System. Over 700 legitimate websites, primarily in the education and technology sectors, have been compromised. The attackers inject malicious code into these sites, which then displays a fake Cloudflare verification page to visitors. This page uses social engineering to convince users they need to perform a manual check. It instructs them to copy and paste a command into their Windows system, which they are told will fix a "ClickFix" error. In reality, this command downloads and executes malware, giving attackers access to the victim's machine.

This campaign highlights the significant risk posed by unpatched vulnerabilities in popular software. The attack's success relies on a clever combination of a technical exploit and social engineering. By impersonating a trusted service like Cloudflare, attackers lower the guard of even technically savvy users. The "ClickFix" branding adds a layer of false legitimacy to the malicious instructions. This incident is a critical alert for any organization using Ghost CMS, as well as for IT and security teams responsible for protecting their users from sophisticated malware delivery tactics. It demonstrates how a single vulnerability can be weaponized to compromise a wide range of websites and their visitors.