Ghost CMS and ClickFix: The Web Trap Your Staff Will Fall For

Over 700 websites were compromised last week and turned into traps. Not to steal data from those sites directly. To ambush your staff.

The vulnerability was in Ghost CMS (CVE-2026-26980). Attackers exploited it to inject malicious JavaScript across hundreds of legitimate websites. The sites looked normal. The owners had no idea. And the payload was something called ClickFix.

This is the threat that matters most to UK small businesses this week. Not because you run Ghost CMS. Because your staff visit websites that do.

What ClickFix Actually Is

ClickFix is a social engineering technique, not a piece of malware in its own right. It is a delivery mechanism. The attack works like this.

You land on a compromised but otherwise legitimate website. A fake CAPTCHA appears, or a browser error message. The message instructs you to press Windows+R to open the Run dialog, then paste a command to "fix" the problem. The command is not a fix. It executes malware with the permissions of the logged-in user.

The social engineering is effective because it is plausible. Browser errors are real. CAPTCHAs are normal. The instruction to "press Windows+R" sounds technical enough to seem legitimate to someone without a security background. And it bypasses most perimeter controls entirely, because the attack runs inside a legitimate browser session, initiated by a human.

Researchers at QiAnXin XLab identified the current campaign. The Ghost CMS flaw (CVE-2026-26980) gave attackers the ability to inject this JavaScript into affected sites without authentication. More than 700 sites were confirmed compromised.

Why Your Patch Status Is Irrelevant Here

This is the detail that matters. Your business almost certainly does not run Ghost CMS. That is not the point.

The attack chain does not require you to have a vulnerable system. It requires one of your employees to visit a website that someone else failed to patch. The compromise happened elsewhere. The payload lands on your network.

This is supply chain risk at its most practical level. It is not about your software. It is about the software of every site your team visits in a working day: trade publications, supplier portals, booking systems, forums, local business directories.

Any of those could be running vulnerable CMS software. Any of them could have been compromised already and be silently serving ClickFix payloads to visitors right now.

Your firewall does not see this coming. Your endpoint protection may catch the payload after execution, if it recognises the signature. But the social engineering step, the moment a human follows the instruction, is not a technology problem. It is a training problem.

The Secondary Story: KnowledgeDeliver and In-Memory Web Shells

Also confirmed active this week: exploitation of a zero-day in the KnowledgeDeliver Learning Management System (CVE-2026-5426). Mandiant responded to an incident in late 2025 involving a compromised web server running KnowledgeDeliver. Attackers exploited a ViewState deserialisation vulnerability to deploy something called BLUEBEAM.

BLUEBEAM is an in-memory web shell. A web shell is a piece of code that gives an attacker persistent remote access to a server, essentially a back door accessible through a web browser. "In-memory" means it does not write files to disk in the traditional sense, which makes it significantly harder for standard security tools to detect.

The relevance to small businesses: Learning Management Systems are increasingly common in SMBs for staff training and compliance documentation. If your business uses KnowledgeDeliver, this is a critical patch priority. If your MSP manages an LMS on your behalf, ask them specifically whether KnowledgeDeliver is in your environment and whether CVE-2026-5426 has been remediated.

The broader lesson: web-facing applications that your business uses for internal purposes (training platforms, HR portals, booking systems) are attack surface. They sit on the internet. In some cases they receive data from unauthenticated users. They need patching on the same schedule as everything else, and for critical vulnerabilities that schedule should be measured in days, not months.

How to Turn This Into a Competitive Advantage

Clients and procurement teams are increasingly asking about security posture during supplier due diligence. Being able to demonstrate that your staff have received specific, current training on social engineering techniques is a differentiator that most small businesses cannot offer.

ClickFix awareness training takes approximately fifteen minutes. It involves showing staff what the attack looks like, explaining why the instruction to use the Run dialog is always suspicious, and establishing a clear rule: no legitimate website will ever instruct you to press Windows+R and paste a command. Ever.

That training, documented, becomes evidence of a proactive security culture. It is the kind of thing that moves you from "we have a firewall" to "we have a documented training programme covering current threat techniques." Cyber Essentials Plus assessors notice the difference. Enterprise procurement teams notice the difference.

Making the Business Case to Your Board

Three points that should land with any director or senior manager.

The attack is designed to defeat technology controls. ClickFix bypasses firewalls, spam filters, and many endpoint tools because it runs in a browser and is triggered by a human. The only reliable defence is human awareness. That means training is not optional; it is the primary control for this threat category.

The scale of compromise is significant. Over 700 websites confirmed compromised and actively serving malicious payloads. That is 700 sites where a visitor following plausible-looking instructions could have malware installed on their device. The probability that at least one site visited by your team is affected is not theoretical.

The cost of the defence is trivial relative to the cost of a breach. Fifteen minutes of staff briefing. A one-line addition to your acceptable use policy. A reminder pinned to the intranet. Against the average cost of a UK SMB ransomware incident, which the NCSC has documented running into tens of thousands of pounds in recovery costs, this is an asymmetric investment.

What to Do Before Friday

  1. Brief your staff on ClickFix today. Show them what the fake CAPTCHA and browser error prompts look like. Establish the rule: no website will ever ask you to press Windows+R and paste a command. If they see this, they close the browser tab and report it.

  2. Check whether KnowledgeDeliver is in your environment. If you use any Learning Management System, ask your IT support or MSP to confirm the product name and version. If it is KnowledgeDeliver, CVE-2026-5426 requires immediate remediation. Do not wait for the next scheduled maintenance window.

  3. Review your web-facing application inventory. Make a list of every application accessible from the internet that your business operates or that your MSP operates on your behalf. Each one needs a defined patching schedule. If your MSP cannot tell you when critical patches are applied to web-facing systems, that is a contract conversation.

  4. Test your endpoint protection. Ask your IT support whether your endpoint solution would detect and block a ClickFix payload execution. If they cannot answer this with specifics, ask them to find out. "We have antivirus" is not an answer.

  5. Document the training. When you brief your staff, log it. Date, attendees, topic covered. Two lines in a spreadsheet. This documentation supports Cyber Essentials renewal, insurance assessments, and client due diligence. The training without the documentation is half the value.
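The article describes the ClickFix execution step (a command pasted into the Run dialog) and, in step 4, asks whether your endpoint tooling would notice it. The script below is an added example, not code from the article or from any vendor, showing the kind of check an IT support team or MSP could run over process-creation telemetry. It relies on one fact: the Run dialog is hosted by Explorer, so a pasted command runs as a child of explorer.exe. The pipe-delimited log layout, the field names, the sample records and the marker lists are all constructed for this example and are not a particular product's schema or indicators taken from the campaign.

```python
"""
Added example (not from the original article): rule-based triage of
process-creation records for the ClickFix "Windows+R, paste a command"
pattern. The log format and sample data are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

# Shells and script hosts commonly typed into the Run dialog. Assumption:
# ordinary office users rarely launch these from Explorer, so every such
# launch merits a human look (this is the article's rule applied to telemetry).
INTERPRETERS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
    "wscript.exe", "cscript.exe",
}

# Generic hallmarks of a pasted, obfuscated one-liner that raise severity.
# These are illustrative, not indicators from the article.
HIGH_RISK_MARKERS = (
    "-enc", "encodedcommand", "hidden", "http://", "https://",
    "iex", "invoke-expression", "downloadstring",
)


@dataclass
class ProcessEvent:
    timestamp: str
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one record: ts|host|user|parent_image|image|command_line.
    The delimiter and field order are a constructed format for this example."""
    ts, host, user, parent, image, cmd = line.split("|", 5)
    return ProcessEvent(ts, host, user, parent, image, cmd)


def _basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(event: ProcessEvent) -> tuple[str, list[str]]:
    """Return (severity, reasons); severity is 'none', 'medium' or 'high'."""
    reasons: list[str] = []
    if _basename(event.parent_image) != "explorer.exe":
        return "none", reasons          # not launched from Explorer / Run dialog
    if _basename(event.image) not in INTERPRETERS:
        return "none", reasons          # normal application launch
    reasons.append(
        f"{_basename(event.image)} launched directly from explorer.exe (Run-dialog pattern)"
    )
    lowered = event.command_line.lower()
    hits = [m for m in HIGH_RISK_MARKERS if m in lowered]
    if hits:
        reasons.append("command line contains " + ", ".join(hits))
        return "high", reasons
    return "medium", reasons


def triage(lines: list[str]) -> list[tuple[ProcessEvent, str, list[str]]]:
    """Run assess() over raw log lines and return only the events that fired."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        severity, reasons = assess(event)
        if severity != "none":
            findings.append((event, severity, reasons))
    return findings


# Constructed sample records. The encoded payload is a placeholder string.
SAMPLE_LOG = [
    "2026-03-10T09:12:01Z|LAPTOP-07|jsmith|C:\\Windows\\explorer.exe|C:\\Program Files\\Mozilla Firefox\\firefox.exe|firefox.exe",
    "2026-03-10T09:14:33Z|LAPTOP-07|jsmith|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -WindowStyle Hidden -EncodedCommand PLACEHOLDER_BASE64",
    "2026-03-10T09:15:02Z|LAPTOP-07|jsmith|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe",
    "2026-03-10T09:16:45Z|LAPTOP-07|jsmith|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -File build.ps1",
]

if __name__ == "__main__":
    for event, severity, reasons in triage(SAMPLE_LOG):
        print(f"[{severity.upper()}] {event.timestamp} {event.host} {event.user}: " + "; ".join(reasons))
```

On the constructed sample the hidden, encoded PowerShell launched from Explorer scores high, a bare cmd.exe from Explorer scores medium (worth a quick question to the user, which is exactly the conversation the training rule is meant to make easy), and PowerShell started from an existing command prompt is ignored. The point of the medium tier is that a detection aligned with the article's "no website will ever ask you to press Windows+R" rule does not need to recognise the payload; it only needs to notice the behaviour the rule forbids.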

Sources

  • The Hacker News: Ghost CMS CVE-2026-26980 Exploited to Hijack 700+ Sites for ClickFix Attacks
  • Google Cloud / Mandiant: Exploitation of KnowledgeDeliver via ViewState Deserialization Vulnerability
  • Cyber Security News: KnowledgeDeliver LMS Zero-Day Exploited to Deploy BLUEBEAM Web Shell
  • The Hacker News: Weekly Recap: Linux Flaws, Defender 0-Days, Router Botnets, and Supply Chain Chaos
  • NCSC: Social engineering attacks: protecting your organisation
  • NCSC: Supply chain security guidance
