Issuer: Adverse Trace
Date issued: 2026-06-08
Version: 1.0
1. Executive summary
In May 2026, 41 high-impact vulnerabilities were identified, with 22 confirmed as actively exploited, including 21 listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. A critical SQL injection in Ghost CMS (CVE-2026-26980) is being leveraged by at least two threat groups to inject malicious JavaScript, facilitating "ClickFix" and "FakeCaptcha" social engineering attacks that deliver malware such as UtilifySetup.exe. EMEA financial services face immediate risk if utilizing Ghost CMS for public-facing content, blogs, or fintech portals, as exploitation leads to full site compromise and potential client-side malware delivery. The 11% month-over-month increase in very critical risks necessitates immediate prioritization of KEV-listed items under DORA mandates.
2. Regulatory framing
| Regulation | Article | Practical Impact for EMEA Financial Services |
|---|---|---|
| DORA | Art. 17 | Requires immediate identification and classification of the 22 actively exploited CVEs (including CVE-2026-26980) within the ICT asset inventory. |
| DORA | Art. 19 | Mandates reporting of significant ICT-related incidents if exploitation results in material impact on critical operations; active exploitation of KEV items triggers heightened monitoring. |
| DORA | Art. 28-30 | Obliges entities to verify that third-party providers (e.g., hosted Ghost CMS instances, Vercel deployments) have patched these vulnerabilities; contractual rights to audit/inspect may be invoked. |
| NIS2 | Art. 21(2)(d) | Requires implementation of policies for vulnerability handling and disclosure; failure to patch KEV-listed items within reasonable timelines may constitute a breach of "appropriate and proportionate" measures. |
| NIS2 | Art. 23 | Mandates early warning and incident reporting if the exploitation chain leads to a significant disruption of essential services (e.g., customer-facing banking portals). |
3. Attack chain
Confirmed Steps (CVE-2026-26980 Campaign):
1. Reconnaissance: Threat actors identify Ghost CMS instances vulnerable to CVE-2026-26980 (SQL Injection).
2. Initial Access: Unauthenticated actors exploit the SQL injection to extract Ghost Admin API Keys.
3. Persistence/Modification: Actors use stolen API keys to modify website content, injecting malicious JavaScript.
4. Delivery: Compromised sites serve "ClickFix" or "FakeCaptcha" social engineering prompts to visitors.
5. Execution: Victims tricked into executing commands download and run UtilifySetup.exe (SHA256: 7790fd1035266000ed6d6cc35822f7683f5271663af8a5b5effadff85316df6d).
6. Payload Deployment: The installer drops Grape.exe into %LOCALAPPDATA%\SuperMaxionQuickMaxlite and establishes persistence via registry or startup folder modification to launch electron.app.Grape.
7. C2: The payload attempts communication with web-telegram[.]ug.
Unconfirmed Steps:
* Specific lateral movement techniques within the victim's internal network following initial endpoint compromise are not detailed in the source material.
* The exact mechanism of data exfiltration post-compromise is not explicitly defined beyond the initial credential theft and malware delivery.
4. Mitigation & containment
P1: Within 24 Hours (Containment & Triage)
* Asset Discovery: Immediately scan external and internal assets for Ghost CMS installations. Check for versions vulnerable to CVE-2026-26980.
* Network Blocking: Block outbound traffic to web-telegram[.]ug at the firewall and DNS resolver levels.
* Endpoint Isolation: If UtilifySetup.exe or Grape.exe is detected, isolate the host immediately.
* File System Hunt: Search for the following paths and quarantine/delete if found:
  * %Temp%\UtilifySetup.tmp
  * %LOCALAPPDATA%\SuperMaxionQuickMaxlite\Grape.exe
* Web Application Firewall (WAF): Deploy virtual patches blocking SQL injection patterns targeting Ghost CMS API endpoints if immediate patching is not feasible.

P2: Within 72 Hours (Remediation)
* Patch Management: Apply vendor patches for all 21 CISA KEV vulnerabilities identified in the May 2026 landscape. Prioritize Ghost CMS updates addressing CVE-2026-26980.
* Configuration Hardening: Rotate all Ghost Admin API Keys for any instance where exposure was possible, even if compromise is not yet confirmed.
* Version Pinning: Ensure Next.js environments (if hosted on Vercel) are updated to versions addressing the 27% of vulnerabilities attributed to this vendor in the report.

P3: Within 7 Days (Validation)
* Integrity Verification: Audit content on all public-facing Ghost CMS instances for unauthorized JavaScript injections.
* Log Review: Analyze web server logs for SQL injection attempts (e.g., unusual query parameters in API calls) dating back 30 days.
* Third-Party Verification: Request attestation from cloud providers (Vercel, AWS, Azure) confirming the remediation status of underlying infrastructure components.
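The P3 integrity check can be scripted. The Python below is an added example, not part of this advisory or of the cited reports: it compares every script element in a saved Ghost CMS page against an assumed per-site baseline of approved external script hosts and SHA-256 digests of approved inline scripts, and flags any reference to the campaign C2 domain as critical. The baseline entries, the host names and the sample page are constructed for illustration.

```python
"""Audit a saved Ghost CMS page for unauthorised <script> tags (added example)."""
import hashlib
import re
from html.parser import HTMLParser

# Assumed baseline for a hypothetical site, built from a known-good snapshot.
APPROVED_SCRIPT_HOSTS = {"cdn.example-bank.test"}
APPROVED_INLINE_SHA256 = {hashlib.sha256(b"window.dataLayer=[];").hexdigest()}
C2_DOMAIN = "web-telegram.ug"  # advisory IoC, undefanged so it actually matches


class ScriptCollector(HTMLParser):
    """Collects one (src, inline_body) pair per <script> element."""
    def __init__(self):
        super().__init__()
        self.scripts, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._cur = [dict(attrs).get("src"), ""]

    def handle_data(self, data):
        if self._cur is not None:
            self._cur[1] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._cur is not None:
            self.scripts.append(tuple(self._cur))
            self._cur = None


def audit_page(html: str) -> list:
    """C2 references are 'critical'; anything outside the baseline is 'review'."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, body in collector.scripts:
        if src is not None:  # external script: judge by host (relative src -> host "")
            host = re.sub(r"^(?:https?:)?//", "", src).split("/")[0].lower()
            sev = "critical" if host == C2_DOMAIN else "review" if host not in APPROVED_SCRIPT_HOSTS else None
            ref = src
        else:  # inline script: judge by content digest
            ref = hashlib.sha256(body.strip().encode()).hexdigest()
            sev = "critical" if C2_DOMAIN in body else "review" if ref not in APPROVED_INLINE_SHA256 else None
        if sev:
            findings.append({"kind": "external" if src is not None else "inline", "ref": ref, "severity": sev})
    return findings


# Constructed sample: two baseline scripts, one injected C2 call, one unknown host.
SAMPLE_HTML = """<html><head><script src="https://cdn.example-bank.test/app.js"></script>
<script>window.dataLayer=[];</script>
<script>fetch("https://web-telegram.ug/check");</script>
<script src="//unknown-host.test/x.js"></script></head><body></body></html>"""
```

Run `audit_page()` over each page of a crawl and treat any 'critical' finding as confirmation of step 3 of the attack chain; 'review' findings need a human comparison against the site's deployment history.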
5. Indicators of compromise
| Type | Value | Confidence | Source |
|---|---|---|---|
| SHA256 | 7790fd1035266000ed6d6cc35822f7683f5271663af8a5b5effadff85316df6d | High | Recorded Future / XLab |
| Filename | UtilifySetup.exe | High | Recorded Future |
| Filename | UtilifySetup.tmp | High | Recorded Future |
| Filename | Grape.exe | High | Recorded Future |
| Directory | C:\Users\user\AppData\Local\SuperMaxionQuickMaxlite | High | Recorded Future |
| Domain | web-telegram[.]ug | High | Recorded Future |
| CVE | CVE-2026-26980 | High | CISA / Recorded Future |
6. Detection
YARA rule: detects the malware sample UtilifySetup.exe and associated artifacts based on the filenames, directory name and C2 domain listed above. The domain string is written undefanged so that the rule matches real samples.

```yara
rule Mal_GhostCMS_ClickFix_Installer {
    meta:
        author = "Adverse Trace"
        date = "2026-06-08"
        description = "Detects UtilifySetup.exe and Grape.exe artifacts associated with Ghost CMS ClickFix campaigns (CVE-2026-26980)"
        reference = "https://www.recordedfuture.com/blog/may-2026-cve-landscape"
        severity = "High"
    strings:
        $fname1 = "UtilifySetup.exe" ascii wide
        $fname2 = "UtilifySetup.tmp" ascii wide
        $fname3 = "Grape.exe" ascii wide
        $path1 = "SuperMaxionQuickMaxlite" ascii wide
        // C2 domain as it appears in a sample; the advisory text defangs it as web-telegram[.]ug
        $c2_domain = "web-telegram.ug" ascii wide
    condition:
        any of them
}
```
Sigma rule: detects execution of the malware payload and of its installer, and any process launched with the payload directory in its command line. The rule works on process creation events, so it fires on execution from the directory rather than on the directory's creation.

```yaml
title: Ghost CMS ClickFix Malware Execution
id: a8f2c9d1-4b5e-6f7a-8b9c-0d1e2f3a4b5c
status: experimental
description: Detects execution of Grape.exe from the SuperMaxionQuickMaxlite directory, execution of the UtilifySetup.exe installer, and processes referencing that directory, all associated with CVE-2026-26980 campaigns.
author: Adverse Trace
date: 2026/06/08
references:
    - https://www.recordedfuture.com/blog/may-2026-cve-landscape
logsource:
    category: process_creation
    product: windows
detection:
    selection_payload:
        Image|endswith: '\SuperMaxionQuickMaxlite\Grape.exe'
    selection_installer:
        Image|endswith: '\UtilifySetup.exe'
    selection_cmdline:
        CommandLine|contains: 'SuperMaxionQuickMaxlite'
    # Any one selection suffices: the installer runs from %Temp%, so its command
    # line need not contain the payload directory.
    condition: 1 of selection_*
falsepositives:
    - Legitimate software using identical paths (unlikely)
level: critical
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2026.26980
```
7. Sources
- Recorded Future, "May 2026 CVE Landscape", https://www.recordedfuture.com/blog/may-2026-cve-landscape, 2026-06-08.
- BleepingComputer, "Ghost CMS SQL injection flaw exploited in large-scale ClickFix campaign", https://www.bleepingcomputer.com/news/security/ghost-cms-sql-injection-flaw-exploited-in-large-scale-clickfix-campaign/, 2026-06-08.
- XLab, "Technical analysis of ClickFix poisoning campaigns", (Referenced via Recorded Future), 2026-05-21.
8. Adverse Trace position
We assess the severity of CVE-2026-26980 as Critical due to confirmed active exploitation, public PoC availability, and its inclusion in the CISA KEV catalog. The risk to EMEA financial services is elevated specifically for institutions leveraging Ghost CMS for marketing, investor relations, or fintech product landing pages; the supply chain nature of the attack (compromising the site to target visitors) bypasses traditional perimeter defenses. Adverse Trace will continue to monitor the 19 honeypot-sourced CVEs mentioned in the source material for signs of transition to active exploitation and will update this advisory if attribution regarding the two threat groups becomes more specific. Clients must treat the 22 actively exploited CVEs as mandatory patching targets within 24-48 hours to maintain DORA compliance.
Published via PulseTrace — Adverse Trace threat intelligence.