CISA has given U.S. federal agencies until Wednesday night to secure their servers against a SQL injection vulnerability in the Drupal content management system (CMS) that it reports is being actively exploited.
Drupal is commonly used by large organizations that manage large data structures and multisite installations, such as government agencies, educational institutions, major research universities, and well-known businesses and media organizations.
Google/Mandiant researcher Michael Maturi discovered this vulnerability (currently tracked as CVE-2026-9082) in Drupal's database abstraction API.
This security flaw can be exploited without authentication and allows an attacker to trigger arbitrary SQL injection on PostgreSQL-powered sites via specially crafted requests. Successful exploitation can lead to information disclosure, privilege escalation, and even remote code execution.
The Drupal security team tagged the flaw as "highly critical" before releasing a patch and confirming that exploitation attempts had indeed been detected.
Cybersecurity firm Imperva warned on May 21 that "Since CVE-2026-9082 was released, Imperva has observed over 15,000 attack attempts targeting roughly 6,000 individual sites in 65 countries." "The attacks have so far primarily targeted gaming and financial services sites, which together account for almost 50% of all attacks."
Internet security watchdog group Shadowserver is currently tracking roughly 670 unpatched Drupal installations online, mostly in North America (272) and Europe (273).

On Friday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this flaw to its Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to patch their systems by midnight on Wednesday, May 27, as required by Binding Operational Directive (BOD) 22-01.
Although BOD 22-01 only applies to U.S. federal agencies, CISA advised all defenders, including those in the private sector, to apply the CVE-2026-9082 patch as soon as possible to protect their organizations' devices.
"These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose a significant risk to the federal enterprise. (..) Although BOD 22-01 applies only to FCEB agencies, CISA urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of vulnerabilities in the KEV catalog as part of their vulnerability management practices," the cybersecurity agency warned.
"Apply mitigations as directed by the vendor and follow the BOD 22-01 guidance applicable to your cloud service, or discontinue use of the product if mitigations are not available."
Over the past few years, CISA has reported five Drupal vulnerabilities that have been exploited in the wild, two of which have also been exploited in ransomware attacks.
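The KEV catalog that drives the BOD 22-01 deadline above is published by CISA as a JSON feed, and defenders outside the federal government can use the same feed to prioritize their own patching. The script below is an added example, not code from the article, CISA or the Drupal project: it parses records in the KEV feed's layout (the real feed is at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) and ranks entries for a vendor watch list by ransomware linkage, overdue status and days remaining. The sample records are constructed for offline use; only CVE-2026-9082 and its May 27 due date come from the article, and the other CVE IDs are placeholders.

```python
"""KEV catalog triage for a vendor watch list.

Added example: parses the JSON layout of CISA's public KEV feed and reports
which watch-listed entries are due, overdue, or tied to ransomware use.
Feed URL (real): https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
The sample records below are constructed; only CVE-2026-9082 and its
2026-05-27 due date are taken from the article. Other IDs are placeholders.
"""
import json
from datetime import date, datetime

# Constructed sample in the KEV feed's record layout (field names as in the
# public feed; values illustrative, not real catalog entries).
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample",
    "dateReleased": "2026-05-22T12:00:00.0000Z",
    "count": 3,
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-9082",
            "vendorProject": "Drupal",
            "product": "Drupal Core",
            "vulnerabilityName": "Drupal Core SQL Injection Vulnerability",
            "dateAdded": "2026-05-22",
            "shortDescription": "Constructed summary: SQL injection in the database abstraction API.",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2026-05-27",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
        {
            "cveID": "CVE-0000-00001",  # placeholder ID (constructed)
            "vendorProject": "Drupal",
            "product": "Drupal Core",
            "vulnerabilityName": "Constructed older Drupal entry",
            "dateAdded": "2026-01-10",
            "shortDescription": "Constructed.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2026-01-31",
            "knownRansomwareCampaignUse": "Known",
            "notes": "",
        },
        {
            "cveID": "CVE-0000-00002",  # placeholder ID (constructed)
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "Constructed unrelated entry",
            "dateAdded": "2026-05-20",
            "shortDescription": "Constructed.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2026-06-10",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
    ],
})


def load_kev(text: str) -> list:
    """Parse KEV feed JSON and return the list of vulnerability records."""
    return list(json.loads(text).get("vulnerabilities", []))


def parse_iso_date(s: str) -> date:
    """KEV dates are plain YYYY-MM-DD strings."""
    return datetime.strptime(s, "%Y-%m-%d").date()


def triage(entries: list, watch_vendors: list, today: date) -> list:
    """Return watch-listed entries sorted by urgency.

    days_left is negative once the BOD 22-01 due date has passed; ransomware
    is True when CISA flags known ransomware campaign use. Vendor matching is
    case-insensitive. Order: ransomware-linked, then overdue, then soonest due.
    """
    wanted = {v.lower() for v in watch_vendors}
    rows = []
    for e in entries:
        if e.get("vendorProject", "").lower() not in wanted:
            continue
        due = parse_iso_date(e["dueDate"])
        rows.append({
            "cveID": e["cveID"],
            "product": e.get("product", ""),
            "dueDate": e["dueDate"],
            "days_left": (due - today).days,
            "overdue": due < today,
            "ransomware": e.get("knownRansomwareCampaignUse", "").lower() == "known",
        })
    rows.sort(key=lambda r: (not r["ransomware"], not r["overdue"], r["days_left"]))
    return rows


def triage_json(text: str, watch_vendors: list, today_iso: str) -> list:
    """Convenience wrapper: feed text + vendor list + ISO date string."""
    return triage(load_kev(text), watch_vendors, parse_iso_date(today_iso))


if __name__ == "__main__":
    for row in triage_json(SAMPLE_KEV_JSON, ["Drupal"], "2026-05-22"):
        print(row)
```

In practice you would fetch the live feed, pass your own vendor or product list, and feed the rows into a ticketing system; the ordering puts items CISA ties to ransomware and items past their BOD 22-01 due date ahead of everything else, which matches how the article describes CISA's own prioritization guidance.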

