Security Alerts: Critical Vulnerability Exposes Drupal Websites

Wednesday, Apr 4, 2018


While analyzing the security of Drupal, security researcher Jasper Mattsson discovered a remote code execution vulnerability that impacts all versions of the open-source content management system. The vulnerability, CVE-2018-7600, which was assigned a score of 21/25, can be exploited by accessing a page on a targeted Drupal website. Once successfully exploited, it gives the attacker full control over the site, including access to non-public data and the ability to delete or modify system data.

Although this vulnerability affects over one million websites, it has been patched in the following releases:

  • Drupal 7.58
  • Drupal 8.5.1
  • Drupal 8.3.9
  • Drupal 8.4.6

Workarounds are available, but all of them require drastic changes to the current website that temporarily replace the Drupal page with a static HTML page. Users are urged to upgrade their installations to the latest versions as soon as possible.
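
To triage an inventory of sites against the fixed releases listed above, a check along the following lines can be used. This is an added example, not code from the Drupal project or the original alert; the host names and sample versions are constructed, and the "unlisted" and "review" labels and the handling of pre-release builds are assumptions of the example.

```python
import re

# Fixed releases named in the alert, keyed by branch: 7.x, 8.3.x, 8.4.x, 8.5.x.
FIXED = {(7,): (7, 58), (8, 3): (8, 3, 9), (8, 4): (8, 4, 6), (8, 5): (8, 5, 1)}

# Drupal core version strings: "7.58", "8.5.1", optionally "-rc1", "-dev", ...
_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.]+))?$")


def status(version):
    """Classify one core version string against the alert's fixed releases."""
    m = _VERSION.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised Drupal version: {version!r}")
    nums = tuple(int(g) for g in m.group(1, 2, 3) if g is not None)
    suffix = m.group(4)
    # Drupal 7 is a single branch (7.N); Drupal 8 branches are 8.N (8.N.P).
    branch = nums[:1] if nums[0] == 7 else nums[:2]
    fixed = FIXED.get(branch)
    if fixed is None:
        return "unlisted"  # the alert names no fixed release for this branch
    if nums > fixed:
        return "patched"
    # A pre-release or dev build of the fixed version is treated as not fixed
    # (conservative assumption made for this example).
    if nums == fixed and suffix is None:
        return "patched"
    return "vulnerable"


def triage(inventory):
    """Map each site to its status; unparseable versions need manual review."""
    result = {}
    for site, version in inventory.items():
        try:
            result[site] = status(version)
        except ValueError:
            result[site] = "review"
    return result


# Constructed sample inventory; the host names are hypothetical.
SAMPLE = {"intranet.example": "7.57", "shop.example": "8.5.1",
          "blog.example": "8.4.5", "docs.example": "8.5.0-rc1",
          "legacy.example": "8.2.8", "dev.example": "7.x-dev"}

if __name__ == "__main__":
    for site, verdict in sorted(triage(SAMPLE).items()):
        print(f"{site:18} {SAMPLE[site]:10} {verdict}")
```

Sites reported as "unlisted" run a branch for which the alert names no fixed release, so they need a decision on which listed release to move to rather than a simple patch-level update.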