Drupal: Critical SQL injection flaw now targeted in attacks

Drupal has confirmed active exploitation of a critical SQL injection vulnerability disclosed this week. The flaw allows unauthenticated attackers to execute arbitrary SQL commands against Drupal installations, potentially leading to unauthorized data access, modification, or deletion.

The vulnerability affects core Drupal functionality. Attackers exploit the flaw by sending specially crafted requests to vulnerable Drupal instances. Successful exploitation grants database access without authentication requirements, making the threat particularly severe for organizations running unpatched systems.

Drupal published a security advisory identifying the affected versions. The development team released patches immediately, but the window between disclosure and patch availability created an exploitation opportunity. Security researchers observed threat actors scanning for vulnerable installations within hours of the public announcement.

Database compromise represents the primary risk. Attackers gain access to user credentials, personal information, content, and configuration details stored in Drupal databases. This data exposure can lead to secondary attacks, including credential stuffing against other services and targeted phishing campaigns against site administrators.

Organizations running Drupal should apply patches without delay. The update process varies by installation type and custom configuration, so administrators should test patches in staging environments before production deployment. Those unable to patch immediately should implement Web Application Firewall rules to block malicious requests targeting the vulnerability.

Drupal powers roughly 3 percent of all websites globally, making widespread patching essential for internet security. High-profile targets including government agencies and major corporations rely on Drupal, increasing the likelihood that attackers prioritize exploitation against these organizations.

The vulnerability underscores the ongoing risks associated with popular open-source platforms. While rapid disclosure and patching represent best practices, the announcement-to-exploitation timeline continues to narrow as automated scanning tools improve. Organizations should treat this incident as a reminder to maintain current patch management processes and monitor systems for signs of compromise.