In a statement, which has seen constant updates since it was first posted on 4 May AEDT, Ghost first reported an outage, and then said it had been fixed.
Later, the company said there had been an attempt to mine cryptocurrency on its servers, which led to a spike in CPU usage and a subsequent outage.
It identified the flaw that had been exploited and said it affected both the Ghost(pro) sites and the Ghost.org billing services.
"There is no direct evidence that private customer data, passwords or other information has been compromised," it added. "All sessions, passwords and keys are being cycled and all servers are being re-provisioned."
Commenting on the vulnerability and a second one, both of which had been observed being exploited in the wild, Satnam Narang, principal research engineer at security shop Tenable, said the Salt management framework was used in data centres and cloud environments to configure, monitor and update systems.
"This is achieved by a 'master' server that can control agents called 'minions'," he explained. "When combined, the two flaws can be used to gain remote command execution as root on both the master server and minions."
Narang said attackers appeared to have successfully utilised these vulnerabilities to breach the infrastructure of LineageOS, an open-source Android operating system, and also Ghost.
"We believe additional successful attacks may be revealed in the coming days and weeks," he added. "For organisations that use Salt in their environment, it’s critically important to apply the available patches to vulnerable assets as soon as possible. If patching isn’t possible, ensure that proper network security controls are in place for the Salt master."
Details of the two vulnerabilities are here.