Serious vulnerability is discovered less than a month after previous bug

A critical remote code execution (RCE) vulnerability in the Drupal content management system (CMS) is being exploited in the wild, just weeks after a previous bug was patched.

The flaw – SA-CORE-2018-004 – is a follow-up to the RCE bug patched last month, which affected multiple subsystems across the popular open-source CMS.

The vulnerability affects Drupal 7.x and 8.x and allows remote code execution, giving an attacker control of the web server hosting the site and the ability to read or alter its data.

Drupal’s security team has rated the flaw highly critical and published a patch alongside its advisory.

The bug is reportedly being exploited in the wild, so sites that have not yet applied the update remain exposed.

An advisory read: “This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised.”

Drupal also warned that the new patch only applies on top of the fix for the previous bug, SA-CORE-2018-002; sites that skipped that update must apply it first.

This latest development is proving to be another headache for Drupal, after months of serious vulnerabilities.

In February a cross-site scripting (XSS) patch was issued after a flaw was discovered that also affected versions 7 and 8.

This latest bug, though, is the most serious to have affected Drupal for almost four years, the security team has claimed.

Sites running 7.x should upgrade to version 7.59, and those on 8.5.x should update to 8.5.3 (the 8.4 branch received a corresponding 8.4.8 release).
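A quick way to confirm whether a Drupal install already carries the fix is to read the version constant that Drupal itself declares (`define('VERSION', ...)` in `includes/bootstrap.inc` for Drupal 7, `const VERSION` in `core/lib/Drupal.php` for Drupal 8) and compare it against the fixed releases. The following is an added example written for this article, not code from the page or from the Drupal project; the two bootstrap snippets are constructed, and the `check_docroot` path layout is assumed to match a standard Drupal docroot.

```python
import os
import re

# Minimum fixed releases for SA-CORE-2018-004 per supported branch.
FIXED = {"7": (7, 59), "8.4": (8, 4, 8), "8.5": (8, 5, 3)}

# Where Drupal declares its own version, and the line format on each branch.
VERSION_PATTERNS = (
    # Drupal 7: includes/bootstrap.inc -> define('VERSION', '7.59');
    re.compile(r"define\('VERSION',\s*'([^']+)'\)"),
    # Drupal 8: core/lib/Drupal.php -> const VERSION = '8.5.3';
    re.compile(r"const VERSION\s*=\s*'([^']+)';"),
)

# Constructed sample file contents, standing in for a real install.
D7_BOOTSTRAP_INC = "<?php\n/**\n * The current system version.\n */\ndefine('VERSION', '7.58');\n"
D8_DRUPAL_PHP = "<?php\nclass Drupal {\n  /**\n   * The current system version.\n   */\n  const VERSION = '8.5.3';\n"


def drupal_version_from_source(text):
    """Return the version string declared in a Drupal bootstrap file, or None."""
    for pattern in VERSION_PATTERNS:
        match = pattern.search(text)
        if match:
            return match.group(1)
    return None


def parse_version(version):
    """'8.5.3' -> (8, 5, 3). Non-numeric parts (e.g. '8.5.x-dev') return None."""
    numbers = []
    for part in version.split("."):
        if not part.isdigit():
            return None
        numbers.append(int(part))
    return tuple(numbers)


def patched_for_sa_core_2018_004(version):
    """True only if this release already contains the SA-CORE-2018-004 fix."""
    parsed = parse_version(version)
    if parsed is None:
        # Dev snapshots and unparsable strings: treat as unverified, i.e. not patched.
        return False
    if parsed[0] == 7:
        return parsed >= FIXED["7"]
    if parsed[0] == 8 and len(parsed) >= 3:
        if parsed[1] == 4:
            return parsed >= FIXED["8.4"]
        if parsed[1] == 5:
            return parsed >= FIXED["8.5"]
        # 8.6+ was released after the fix; 8.3 and earlier were already unsupported.
        return parsed[1] > 5
    # Drupal 6 is end-of-life and received no official fix.
    return False


def check_docroot(docroot):
    """Locate the version file under a Drupal docroot and report (version, patched)."""
    candidates = (
        os.path.join(docroot, "includes", "bootstrap.inc"),   # Drupal 7
        os.path.join(docroot, "core", "lib", "Drupal.php"),   # Drupal 8
    )
    for path in candidates:
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as handle:
                version = drupal_version_from_source(handle.read())
            if version:
                return version, patched_for_sa_core_2018_004(version)
    return None, False


if __name__ == "__main__":
    for label, source in (("D7 sample", D7_BOOTSTRAP_INC), ("D8 sample", D8_DRUPAL_PHP)):
        found = drupal_version_from_source(source)
        print(label, found, "patched" if patched_for_sa_core_2018_004(found) else "NOT patched")
```

Run `check_docroot("/var/www/html")` (or wherever the site lives) to check a real install; a version below the fixed release, or a dev snapshot, should be treated as vulnerable until updated. Note that the version constant only tells you what release is on disk, not whether the site was compromised while it was unpatched.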

Drupal 6 is end-of-life and receives no official fix; sites still running it depend on unofficial updates maintained by third parties.