150000 Drupal websites got hacked by this new vulnerability

Share this…

The Drupal security team has fixed another Drupal remote code execution vulnerability, which suggests users to implement the updates offered immediately as the flaw is being exploited actively in the wild.

The experts in information security comment that the vulnerability (CVE-2018-7602) affects versions 7.x and 8.x of Drupal. Users should update to v7.59 and 8.5.3 as soon as possible.


Users who cannot implement the update can implement independent patches, but before doing so they have to apply the SA-CORE-2018-002 solution.

This is the second occurrence in less than a month that a critical failure in the execution of the remote code has been connected.

The first incident, CVE-2018-7600, affected the Drupal sites 8, 7 and 6, estimated at almost one million.

Even though a professional found the vulnerability and revealed it responsibly, the attackers soon developed an exploit once security updates and patches were released.

“Unrepaired sites can be compromised. It’s possible that the targeted attacks occurred before Wednesday, 2018-04-11,” Drupal’s information security team recently shared.

“With the March update, Drupal added a global sanitation function, which is difficult to implement correctly,” said Johannes Ullrich, CTO of SANS ISC.

“It is very difficult to disinfect and validate the data before it is clear how they are used, particularly if this is done for an existing and complex application such as Drupal.”

The second incident, CVE-2018-7602, is related to the previous one, was unearthed by the same researcher and members of the Drupal information security team, and is being exploited actively in the wild.

Attacks in the wild

Netlab 360 observed a large number of Internet scans against CVE-2018-7600.

Attackers search for vulnerable Drupal installations, exploit the flaw and install cryptocurrency miners and DDoS-compatible software on compromised servers, as well as backdoors that allow them to access the system whenever they wish.

It is expected that CVE-2018-7602 will be exploited with the same objectives.

The Drupal team warns that, once updates are installed, administrators should check if their installation has been compromised and if there is a backdoor installed on the host.

“Simply updating Drupal will not remove the backdoors or fix the compromised sites, you must assume that the host is also compromised and that any other site on a compromised host is also compromised,” they commented.

“If you find that your site is already patched, but you did not, it may be a sign that the site was compromised.” Some attacks in the past have applied the patch as a way to ensure that only that attacker has control of the site”.