Drupal Core SQL Injection Vulnerability Actively Exploited: What You Need to Know

A critical SQL injection vulnerability affecting Drupal has been added to the Cybersecurity and Infrastructure Security Agency Known Exploited Vulnerabilities (KEV) catalog after evidence emerged that attackers are actively exploiting the flaw in the wild.

Organizations running vulnerable Drupal installations should patch immediately, review logs for indicators of compromise, and restrict exposure where possible.

Vulnerability Overview

The flaw affects Drupal Core and allows unauthenticated attackers to execute malicious SQL queries against vulnerable websites. Depending on the site configuration and database permissions, successful exploitation may lead to:

• Unauthorized access to sensitive data
• Authentication bypass
• Administrative account compromise
• Remote code execution in chained attacks
• Full website takeover

According to CISA, the vulnerability is being actively exploited and has been formally added to the KEV catalog, meaning federal agencies are required to remediate it within strict timelines.

Affected Software

The issue impacts multiple supported versions of Drupal Core.

Potentially Affected Versions

• Drupal 10.x
• Drupal 9.x
• Older unsupported releases may also remain vulnerable

Administrators should verify their exact version immediately and compare it against Drupal’s official security advisory.

Severity

This type of flaw is particularly dangerous because attackers can exploit it remotely over the internet without needing valid credentials.

Why SQL Injection Is Dangerous

SQL injection vulnerabilities occur when user-supplied input is improperly sanitized before being passed to backend database queries.

An attacker can manipulate queries to:

• Dump entire databases
• Extract password hashes
• Create administrator accounts
• Modify website content
• Delete data
• Execute malicious payloads

In large CMS platforms like Drupal, SQL injection flaws are historically among the most severe vulnerabilities due to the platform’s deep integration with backend databases and administrative functionality.

Real-World Threat Activity

CISA confirmed that the vulnerability is being exploited in the wild before many organizations had applied patches.

Historically, threat actors aggressively target publicly disclosed Drupal vulnerabilities because:

• Many organizations delay updates
• Internet-facing Drupal instances are easy to identify
• Automated exploit kits rapidly emerge
• Compromised CMS platforms can be monetized quickly

Attackers frequently use automated scanning infrastructure to identify vulnerable Drupal websites within hours of public disclosure.

Potential Impact on Organizations

Compromise of a Drupal instance can lead to:

Data Breaches

Sensitive customer or internal data stored in the CMS database may be exposed.

Website Defacement

Attackers can modify public-facing pages or inject malicious JavaScript.

Malware Distribution

Compromised Drupal sites are often used to distribute phishing pages or malware payloads.

Credential Theft

Administrative accounts may be hijacked or newly created.

Infrastructure Pivoting

If the CMS server has broader network access, attackers may pivot deeper into internal infrastructure.

How to Check if You’re Vulnerable

Administrators should immediately:

1. Determine the installed Drupal Core version
2. Compare it against the official security advisory
3. Check whether security updates have been applied
4. Review exposed internet-facing systems

You can verify your version using:

drush status

Or by reviewing:

composer.json

and:

core/lib/Drupal.php

Indicators of Compromise (IoCs)

Organizations should inspect logs for:

• Suspicious POST requests
• Unusual SQL query activity
• Unexpected administrator account creation
• Unknown scheduled tasks
• Modified PHP files
• Webshell indicators
• Outbound connections to unfamiliar IP addresses

Common Webshell Indicators

Attackers may upload files such as:

shell.php
cmd.php
adminer.php
cache.php

Look for recently modified files in:

/sites/default/files/
/modules/
/themes/

Mitigation Steps

1. Patch Immediately

Apply the latest Drupal security update as soon as possible.

Use Composer:

composer update drupal/core --with-dependencies

2. Restrict Administrative Access

• Enforce MFA
• Limit admin interfaces by IP
• Disable unused accounts

3. Deploy a Web Application Firewall (WAF)

A properly configured WAF can help block exploitation attempts.

4. Audit Logs

Review:

• Web server logs
• Database logs
• Authentication events
• File integrity monitoring alerts

5. Rotate Credentials

If compromise is suspected:

• Reset admin passwords
• Rotate database credentials
• Rotate API keys and secrets

6. Hunt for Persistence

Attackers frequently establish persistence using:

• Webshells
• Rogue admin accounts
• Cron jobs
• Modified plugins/modules

Detection Example

Basic Apache log hunting:

grep -Ei "union|select|concat|sleep\(" access.log

Look for:

• SQL keywords in URL parameters
• Encoded payloads
• Large POST bodies
• Unexpected database errors

Recommended Security Practices

To reduce future exposure:

• Keep Drupal Core updated
• Remove unused modules/themes
• Use least-privilege database accounts
• Enable MFA everywhere possible
• Segment CMS infrastructure
• Continuously monitor logs
• Deploy EDR solutions on hosting servers

Official References

• CISA KEV Advisory
• Drupal Security Advisories
• CISA Known Exploited Vulnerabilities Catalog