A highly critical security patch was released on Wednesday for the popular Drupal content management system, which powers some of the world’s most visited websites.
The message from the developers is simple: Drop everything and patch now.
Update now — Drupal core – Highly critical – Remote Code Execution – SA-CORE-2018-002 — https://t.co/uwzodrmegc
— Drupal Security (@drupalsecurity) March 28, 2018
The new update fixes a remote code execution vulnerability that “potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.”
All it takes is for an anonymous user to visit a targeted page and they can see, modify and delete private data. No attacks have been detected yet, but the Drupal team and experts believe they will commence in short order.
Given the severity of the issue, the Drupal team has provided updates to older versions of the software it had stopped supporting.
The vulnerability was discovered by Jasper Mattsson, an employee of Drupal security auditing firm Druid.
The bug is being called Drupalgeddon2.
— Steve Allen (@ttesteve) March 28, 2018
The first iteration of Drupalgeddon came in 2014 when a bug allowed attackers to take over a target. Independent journalist Kim Zetter reported in 2017 that years after a patch was available, an election security security center in Georgia had been attacked via the vulnerability.