On March 28, 2018, the Drupal security team disclosed a high-risk (21/25 NIST rating) vulnerability named Drupalgeddon 2 (SA-CORE-2018-002/CVE-2018-7600) for use with default or standard Drupal installations. For the site, the vulnerability allows an attacker to remotely execute code without being authenticated.
To address this vulnerability, the company released an updated version of the Drupal CMS. However, according to the latest report from The Hacker News, security researcher Troy Mursch found that there are still more than 115,000 Drupal sites vulnerable to Drupalgeddon2 vulnerabilities.
Image: badpackets
Due to the fact that the vulnerability has been published with specific technical details, it is easier for attackers to use it. The Drupal team has repeatedly urged the websites using Drupal system to update to the latest version as soon as possible.
