Particle.news

Active Exploits Hit Drupal SQL Injection Flaw CVE-2026-9082

Patches released May 20 have not stopped thousands of probes, and CISA has ordered federal agencies to apply fixes by May 27.

Overview

  • Drupal disclosed a critical SQL injection bug in its database abstraction API and published fixes on May 20 for supported branches to stop unauthenticated attackers from injecting arbitrary SQL on PostgreSQL-backed sites.
  • The flaw can let attackers read data, escalate privileges, or in some setups run code by sending specially crafted requests to vulnerable Drupal sites that use PostgreSQL.
  • Drupal updated its advisory on May 22 to say exploit attempts were being seen in the wild, and security firms reported rapid scanning and testing of exploits across many sites.
  • Imperva observed more than 15,000 attack attempts against nearly 6,000 sites in about 65 countries, with gaming and financial services heavily targeted, and CISA added the vulnerability to its Known Exploited Vulnerabilities list with a federal remediation deadline of May 27.
  • Although fewer than 5% of Drupal installs use PostgreSQL, that still means thousands of public websites are at risk, and the pattern of fast probing follows past Drupal incidents in which unpatched sites were quickly weaponized.