blindthoughts
breaking · By

Drupal's Highly Critical SQL Injection Is Now Being Actively Exploited

Drupal's security team issued a "highly critical" SQL injection advisory earlier this week — and BleepingComputer now reports that attackers are already attempting to exploit it in the wild. If you run Drupal and haven't patched, stop reading and go patch.

What Happened

A SQL injection flaw in Drupal core was disclosed this week and rated "highly critical" — Drupal's top severity tier, reserved for vulnerabilities that are remotely exploitable with low or no privileges and carry high impact. Within days of disclosure, active exploitation attempts are underway. The gap between "advisory published" and "mass scanning begins" has collapsed to hours in 2026, and Drupal is a particularly attractive target: it runs a significant share of government portals, university sites, and enterprise intranets — high-value, often slow-to-patch environments.

Why It Matters

SQL injection at this severity level typically gives an attacker read/write access to the underlying database without authentication. For a Drupal installation that means:

Critically, exploitation is likely automated and indiscriminate — you don't need to be a notable target to get hit. Any internet-facing Drupal instance is a candidate.

What To Do

1. Identify your version immediately.

drush status | grep "Drupal version"

Or check core/lib/Drupal.php for the VERSION constant.

2. Apply the patch now. The specific affected versions, CVE, and patched releases are listed at drupal.org/security. That page is your authoritative source — go there directly.

3. Review logs for the period since the advisory dropped. Look for SQL error responses, anomalous query strings containing UNION, SELECT, or injection scaffolding, and any unexpected admin account creation.

4. Audit user accounts. Any account created or promoted to administrator in the last several days warrants immediate scrutiny.

5. If you cannot patch right now:

Sites that remain unpatched for the next 24–48 hours should be treated as potentially compromised and investigated, not just patched and assumed clean. Backdoor accounts and stolen session tokens persist after a patch is applied.

Sources
  1. Drupal: Critical SQL injection flaw now targeted in attacks

Synthesized by Claude · sanity-checked before publish.

Share:𝕏inr/HN🦋@
Was this useful?