Three critical patches your website and file-sharing can’t wait on

Right now, over 700 websites are quietly serving malware to their visitors. The site owners have no idea it’s happening. The flaw that made it possible was known, patchable, and ignored, and criminal groups running automated tools did the rest.

This week brought three critical software flaws into the open, all either under active attack or at serious risk of exploitation. If your website runs Ghost or Joomla, or your business uses an on-premises SharePoint Server for file-sharing, this is worth acting on today.

Ghost CMS: 700+ websites already hit

A SQL injection flaw in Ghost CMS (the platform a fair number of small businesses use for websites, blogs, and newsletters) has been weaponised by two separate groups. They’ve injected malicious code into vulnerable sites, which then delivers what’s called ClickFix malware to every visitor who lands on the page. Visitors don’t need to click anything suspicious. They just visit what looks like a normal business site.

If your website runs Ghost, log into your admin panel, check your version number, and compare it against the published fix. If you can’t do that yourself, contact your web developer or hosting provider and ask them to confirm the patch has been applied. “We handle updates” isn’t enough, ask for the version number and when it was done.

Joomla: three privilege-escalation flaws

Joomla published three critical vulnerabilities this week, all scoring 9.8 out of 10 on the standard severity scale. All three sit in the user-management part of the software. What that means in plain terms: someone with a basic account on your Joomla site, even a free comment account, can promote themselves to administrator. From there, they can change your site, steal your user database, or redirect your visitors to somewhere malicious.

Three separate flaws in the same area suggests this isn’t an isolated slip. If your site runs Joomla, update it now, then review who has access and remove any dormant or unnecessary accounts.

SharePoint Server: remote code execution

If your business runs SharePoint Server on your own hardware (as opposed to SharePoint Online, which is the cloud version that comes with Microsoft 365), there’s a patched vulnerability worth applying immediately. Microsoft has issued a fix for a remote code execution flaw that scores 8.8 out of 10 in severity. An attacker only needs basic user-level access to exploit it, no administrator account required.

SharePoint Online is patched automatically by Microsoft. SharePoint Server on your own infrastructure is your responsibility. If you’re not sure which one you run, that’s worth finding out.

Why “we’ll patch next week” is a problem

The 700-site Ghost compromise didn’t happen because attackers found something new. It happened because a known fix wasn’t applied. The UK’s National Cyber Security Centre recommends patching critical vulnerabilities as a default policy, particularly when those flaws are already being exploited. If personal data is ever taken through unpatched software, how long the patch sat unapplied will be one of the first things a regulator looks at.

For businesses working toward Cyber Essentials certification, increasingly expected by larger clients and public-sector contracts, patching critical flaws within 14 days is a formal requirement.

What to do before the end of the week

• Find out what your website runs. Log into the admin panel or ask your developer: Ghost, Joomla, WordPress, or something else? What version? Write it down.
• Apply the patches. Both Ghost and Joomla have update tools built into their admin panels. SharePoint patches come through Microsoft Update or your patch-management setup.
• Check which SharePoint you use. If you only use Microsoft 365 with SharePoint Online, you’re already covered. If you run SharePoint Server on your own hardware, apply the patch.
• Audit website accounts. For Joomla especially: remove dormant accounts and disable public self-registration if you’re not using it.
• Get it in writing. If a developer or IT provider manages any of these systems, ask for written confirmation of the patch version and the date it was applied. The Ghost attack is a useful reminder that “it hasn’t happened to us” and “it can’t happen to us” are two very different things. If you’re not sure whether your website or SharePoint setup is current, Dragon Digital handles patch audits and website security checks for businesses across North Wales, worth a quick conversation before Friday.