CVE-2018-7602 – Drupal addressed a new vulnerability associated with Drupalgeddon2 flaw

Pierluigi Paganini April 26, 2018

The new flaw tracked as CVE-2018-7602, is a highly critical remote code execution issue, Drupal team fixed it with the release of versions 7.59, 8.4.8 and 8.5.3.

Drupal team has released updates for versions 7 and 8 of the popular content management system (CMS) to address the recently disclosed CVE-2018-7600 Drupalgeddon2 flaw.

The new flaw tracked as CVE-2018-7602, is a highly critical remote code execution issue, Drupal team fixed it with the release of versions 7.59, 8.4.8 and 8.5.3.

“A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core – Highly critical – Remote Code Execution – SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.“reads the security advisory published by Drupal.

Administrators of websites running the Drupal CMS who cannot immediately update their version can apply a patch, but it only works if the fix for the original Drupalgeddon2 flaw is present. If the previous patch was not installed, the website may already be compromised, Drupal developers warned.

Both CVE-2018-7600 and CVE-2018-7602 have been exploited in the wild.

A week after the release of the security update for the CVE-2018-7600 flaw, a proof-of-concept (PoC) exploit was publicly disclosed.

The experts at security firm Check Point along with Drupal experts at Dofinity analyzed the CMS to analyzed the Drupalgeddon2 vulnerability and published a technical report on the flaw.

“In brief, Drupal had insufficient input sanitation on Form API (FAPI) AJAX requests. As a result, this enabled an attacker to potentially inject a malicious payload into the internal form structure. This would have caused Drupal to execute it without user authentication.” reads the analysis.

“By exploiting this vulnerability an attacker would have been able to carry out a full site takeover of any Drupal customer.”

After the publication of the report. the expert Vitalii Rudnykh shared a working  Proof-Of-Concept for Drupalgeddon2 on GitHub for “educational or information purposes.”

Immediately after the disclosure of the PoC, security experts started observing bad actors attempting to exploit the flaw.

The new CVE-2018-7602 vulnerability was discovered while members of the Drupal Security Team with the help of the Drupal developer Jasper Mattsson were analyzing the original Drupalgeddon2 flaw.

Security experts speculate the vulnerability may have been exploited to launch the ransomware-based attack on the website of the Ukrainian energy ministry.


Unfortunately, several threat actors are exploiting the Drupalgeddon2 flaw in the wild, security experts observed crooks using the exploit to deliver cryptocurrency miners such as XMRig and CGMiner.

According to the analysis published by experts at security firm Volexity, threat actors are exploiting the Drupalgeddon2 flaw to deliver malicious scripts cryptocurrency miners and backdoors.

The experts associated one of the observed campaigns aimed to deliver XMRig with a cybercriminal gang that exploited the vulnerability (CVE-2017-10271) in Oracle WebLogic servers to deliver cryptocurrency miners in late 2017.

According to security experts at Imperva, 90% of the Drupalgeddon2 attacks are scanning activities, 3% are backdoor infection attempts, and 2% are attempting to run drop cryptocurrency miners on the vulnerable systems.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Drupalgeddon2, spyware)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment