Apple TV will stream an entire Formula 1 race weekend free to U.S. viewers for the first time, opening every Austrian Grand Prix session to fans without a subscription.
Viewers in the United States will be able to watch all Formula 1 Austrian Grand Prix sessions live through Apple TV at no cost. The free access runs from June 26 through June 28 and includes every on-track session, from practice and qualifying to Sunday’s Grand Prix.
The schedule begins with Practice 1 at 7:30 a.m. Eastern on June 26, followed by Practice 2 at 11 a.m. Practice 3 starts at 6:30 a.m. on June 27, with qualifying at 10 a.m. The Austrian Grand Prix is scheduled to begin at 9 a.m. Eastern on June 28.
Apple said the Austrian Grand Prix marks the first time it has made an entire Formula 1 race weekend available free to viewers in the United States. The company has offered free sports programming before, but this promotion includes every Formula 1 session across a race weekend rather than a single event.
Opening every Formula 1 session to non-subscribers gives fans a chance to follow the entire race weekend, not just Sunday’s Grand Prix. Practice sessions shape car setups and race strategy, while qualifying determines the starting grid.
Why Apple is opening a Formula 1 weekend for free
The promotion arrives as Formula 1 continues to draw a larger audience in the United States. Following a full race weekend typically requires access to paid television or streaming services.
The Austrian Grand Prix gives casual viewers a chance to watch every session without paying for access.
The free weekend also gives Apple a chance to put Apple TV in front of viewers who may not regularly use the platform. Fans can follow the weekend from practice through qualifying and the Grand Prix itself.
Apple hasn’t said whether similar free Formula 1 weekends will follow. For now, the Austrian Grand Prix is Apple’s first effort to make an entire Formula 1 race weekend available free to U.S. viewers.
Threat actors are actively exploiting a security flaw, tracked as CVE-2026-26980, in Ghost CMS that was fixed months ago in real attacks against unpatched websites. According to Qianxin, the campaign has already affected more than 700 sites, including well-known organizations and universities.
The vulnerability is an SQL injection issue in Ghost’s Content API that can let an attacker read data from the database without logging in. In the worst case, this can expose the Admin API key, which can allow attackers to take over the site.
That key matters because it can be used to change published content. In this campaign, attackers used it to edit articles on compromised Ghost sites and insert malicious JavaScript at the end of pages. The goal was not just defacement, but to turn trusted websites into launch points for further malware delivery.
“After an in-depth investigation and analysis, we determined that this was not a targeted intrusion against the customer, but rather a large-scale poisoning campaign by an in-the-wild attack group targeting Ghost CMS. Although CVE-2026-26980 was publicly disclosed as early as February 19, a large number of users did not patch and upgrade in time, providing an opportunity for attackers.” reads the advisory published by Qianxin. “At least two groups are currently actively conducting such poisoning operations, and some sites have even become the target of competition between the two parties, with different malicious code being implanted one after another within a single day.”
The inserted code led visitors through a two-step chain. First, the page loaded a remote script that checked the browser and decided what the visitor should see. Then real victims were redirected to a fake verification page that looked like a normal “I’m human” check.
This is where the ClickFix part began. The page told users to press Windows+R, paste a command, and hit Enter. In practice, that command downloaded and started a malware payload on the victim’s machine. It was a classic social engineering trick: make the user do the dangerous part themselves.
Qianxin says the first signs of this activity appeared in early May. The malicious code found in the campaign had a compilation date of February 16, the same day Ghost announced the fix for CVE-2026-26980. That suggests the attackers moved quickly once they saw how many sites had not been updated.
The affected websites cover a wide range of sectors. Roughly half are personal blogs or independent sites, but the list also includes technology blogs, AI sites, media outlets, crypto projects, and educational institutions. Qianxin researchers say victims include sites linked to Harvard, Oxford, and DuckDuckGo.
The attack chain was also designed to be flexible. The loaders could fetch different payloads depending on the target, and the operators changed infrastructure several times.
“entire attack process has obvious five-stage characteristics of “CMS Takeover → Page Poisoning → Two-stage Loading → Social Engineering Lure (FakeCaptcha/ClickFix) → Malware Delivery”, and the entire process is highly automated: bulk vulnerability scanning → automatic key extraction → bulk injection → dynamic C2 distribution.” states the report.
In some cases, they switched domains after detection, keeping the campaign alive even when part of the chain was blocked.
“Through feature scanning of publicly accessible pages, we have cumulatively identified more than 700 poisoned victim domains, and have proactively contacted the sites for which contact information could be obtained, notifying them of the poisoning.” continues the report.
Qianxin also believes at least two different groups are involved. In some cases, the same site was hit more than once, with one attacker replacing the code left by another. That makes the campaign harder to clean up and shows how attractive compromised Ghost sites have become for abuse.
For site owners, the advice is straightforward. Ghost should be updated immediately, all credentials should be rotated, and site logs should be reviewed for suspicious admin API activity. Any injected scripts should be removed from the database itself, not just from the visual editor. Visitors who may have reached a poisoned site should also be warned.
The report includes Indicators of Compromise (IoCs) for the attacks observed by the researchers.
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
May 25, 2026
