Over 100K Drupal Sites Still Exposed to Critical RCE Vulnerability

While many companies have patched their Drupal CMS platforms to protect against an RCE vulnerability, a new analysis finds that more than 100,000 websites remain exposed.

Scott Ferguson, Managing Editor, Light Reading

June 7, 2018

3 Min Read

For millions of websites that rely on the Drupal platform, a highly critical remote code execution (RCE) discovered about two months ago prompted companies to push through emergency patches to help protect their assets and sites from an attack.

However, a new analysis finds that possibly hundreds of thousands of websites remain unpatched and vulnerable to what some security researchers have called "Drupalgeddon 2."

When it was first discovered in late March, the vulnerability -- CVE-2018-7600 -- made it possible for an attacker to completely take over an affected site from "multiple attack vectors," and allowed them to delete private data. (See Drupal RCE Vulnerability Requires Immediate Patching.)

The vulnerability could affect Versions 6, 7 and 8 of the Drupal content management system (CMS) platform. While the two latest versions of Drupal, Version 7.58 and Version 8.51, were not vulnerable to the RCE vulnerability, there were enough versions of the platform being used that thousands of companies applied emergency patches to protect millions of websites.

(Source: Flickr)

(Source: Flickr)

Still, for some websites and companies, the warning went unheeded.

In a post on the Bad Packets Report, security researcher Troy Mursch wrote that he scanned some 500,000 websites that use the 7.1 Version of Drupal and found:

  • 115,070 sites were outdated and vulnerable

  • 134,447 sites were not vulnerable

  • 225,056 sites were using undetermined versions of Drupal, meaning that some of these sites could still be exposed

Mursch did not share publicly which sites were vulnerable, but noted:

"Numerous vulnerable sites found in the Alexa Top 1 Million included websites of major educational institutions in the United States and government organizations around the world. Other notable unpatched sites found were of a large television network, a multinational mass media and entertainment conglomerate, and two well-known computer hardware manufacturers."

When it was first discovered in March, Drupal engineers noted that no attacks associated with the vulnerability had been observed in the wild.

Now entering its fifth year, the 2020 Vision Executive Summit is an exclusive meeting of global CSP executives focused on navigating the disruptive forces at work in telecom today. Join us in Lisbon on December 4-6 to meet with fellow experts as we define the future of next-gen communications and how to make it profitable.

During the past two months, however, a number of attacks have begun to appear, typically associated with cryptomining. Research firm SecurityTrails has documented a number of these campaigns.

In addition, Mursch wrote in his June 4 blog that he discovered an additional cryptojacking campaign that had injected Coinhive into sites. One of the affected sites that Mursch found belonged to a Belgium police department's website, but that has since been removed.

Related posts:

— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.

Read more about:

Security Now

About the Author(s)

Scott Ferguson

Managing Editor, Light Reading

Prior to joining Enterprise Cloud News, he was director of audience development for InformationWeek, where he oversaw the publications' newsletters, editorial content, email and content marketing initiatives. Before that, he served as editor-in-chief of eWEEK, overseeing both the website and the print edition of the magazine. For more than a decade, Scott has covered the IT enterprise industry with a focus on cloud computing, datacenter technologies, virtualization, IoT and microprocessors, as well as PCs and mobile. Before covering tech, he was a staff writer at the Asbury Park Press and the Herald News, both located in New Jersey. Scott has degrees in journalism and history from William Paterson University, and is based in Greater New York.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights