CISA issued an emergency patching directive to federal agencies, mandating they secure systems against CVE-2024-21677, an SQL injection vulnerability in Drupal, by Wednesday evening. The vulnerability is being actively exploited in the wild.

The flaw affects Drupal's core database abstraction layer, allowing unauthenticated attackers to execute arbitrary SQL queries and bypass access controls. Successful exploitation grants threat actors the ability to read sensitive data, modify database contents, or achieve remote code execution depending on database configuration and permissions.

CISA's binding order reflects the threat's severity and proven weaponization. Federal agencies operating Drupal instances, which are common across government websites and content platforms, face immediate risk. The agency classified the vulnerability under its Binding Operational Directive framework, which makes compliance by the stated deadline mandatory rather than optional guidance.

The Drupal Security Team released patches addressing the vulnerability. System administrators must apply the fix to affected versions immediately. Organizations running unpatched Drupal instances should treat this as a critical priority, as exploitation requires no authentication and leaves minimal forensic traces in standard logging.

Beyond government networks, private sector organizations using Drupal should deploy the patch immediately. The vulnerability's public disclosure accelerates the timeline for widespread exploitation attempts. Security teams should audit web application access logs from before the patch date for suspicious SQL patterns or database queries.
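One way to run the log audit described above, as an added example that is not taken from CISA or the Drupal Security Team. It assumes the Apache/nginx combined log format. The patterns are generic SQL injection heuristics rather than signatures for this flaw, `PATCHED_AT` is a placeholder, and the sample lines are constructed.

```python
import re
from datetime import datetime, timezone
from urllib.parse import unquote_plus

# Assumption: Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# Generic SQL injection heuristics, not signatures for this specific flaw.
SQLI_RE = re.compile(
    r"\bunion\b.{0,40}\bselect\b"
    r"|\b(?:sleep|benchmark|pg_sleep|extractvalue|updatexml)\s*\("
    r"|\binformation_schema\b"
    r"|'\s*(?:or|and)\b\s*['\d(]"
    r"|'\s*(?:--|#|/\*|;)", re.IGNORECASE)
# Placeholder: set this to the time the fix was applied on the host.
PATCHED_AT = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)

def decode(target, rounds=3):
    """URL-decode repeatedly so double-encoded payloads still match."""
    for _ in range(rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target

def find_suspicious(lines, patched_at=PATCHED_AT):
    """Return (ip, time, status, decoded target) for pre-patch SQLi hits."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        target = decode(m["target"])
        if ts < patched_at and SQLI_RE.search(target):
            hits.append((m["ip"], ts, int(m["status"]), target))
    return hits

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE = [
    '203.0.113.7 - - [08/Jan/2024:03:14:07 +0000] "GET /node/12 HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.23 - - [08/Jan/2024:03:15:44 +0000] "GET /page?id=1%27%20UNION%20SELECT%20NULL,NULL-- HTTP/1.1" 200 912 "-" "-"',
    '198.51.100.23 - - [08/Jan/2024:03:16:02 +0000] "GET /page?id=1%2527%2520OR%2520%25271%2527%253D%25271 HTTP/1.1" 500 310 "-" "-"',
    '203.0.113.7 - - [09/Jan/2024:10:00:00 +0000] "GET /search?keys=student+union+events HTTP/1.1" 200 2048 "-" "-"',
    '192.0.2.50 - - [12/Jan/2024:09:00:00 +0000] "GET /page?id=1%27%20UNION%20SELECT%20NULL-- HTTP/1.1" 403 199 "-" "-"',
]

if __name__ == "__main__":
    for ip, ts, status, target in find_suspicious(SAMPLE):
        print(ip, ts.isoformat(), status, target)
```

Access logs in this format record only the request line, so payloads sent in POST bodies will not appear, and an empty result does not rule out exploitation.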

Drupal powers millions of websites globally, including government sites, educational institutions, and enterprises. The SQL injection vector represents a foundational attack path; threat actors gain database-level access rather than application-level permissions alone. This distinction matters operationally. A compromised database enables lateral movement, credential harvesting, and persistent access mechanisms.

The Cybersecurity and Infrastructure Security Agency's rapid response reflects intelligence about active exploitation. Organizations lacking patch management processes face particular risk. Legacy Drupal deployments running unsupported versions cannot receive patches and require either