Drupal Sites Over 115,000 Still Vulnerable to Drupalgeddon 2


Category : Blog

Drupal is a free and open source content-management framework written in PHP and distributed under the GNU General Public License. Drupal provides the back-end framework for at least 2.3% of all web sites worldwide – ranging from personal blogs to corporate, political, and government sites. It is also used for knowledge management and business collaboration.

Two months after the Drupal project released a patch for a highly critical security flaw, there are over 115,000 Drupal sites that have failed to install the fix and are now at the mercy of cyber-criminals.

This estimation comes from Troy Mursch, a US-based security researcher, who spent the last few days scanning the Internet for all sites running a version of the Drupal 7.x CMS.

Mursch was able to find over 500,000 of these sites, and he says that he was able to identify 115,070 websites running an outdated Drupal 7.x CMS version, vulnerable to CVE-2018-7600, also known as Drupalgeddon 2.

Drupalgeddon 2

CVE-2018-7600 is a security flaw that came to light in late March 2018 and was considered one of the most severe security flaws to affect the Drupal CMS since the original Drupalgeddon flaw discovered back in 2014.

The vulnerability allows attackers to take over a site just by accessing a malformed URL, no authentication required. Patches were made available for Drupal 6.x, 7.x, and 8.x versions.

Mursch’s scan didn’t look for 6.x and 8.x sites, but the 500,000 sites he managed to identify and scan are believed to be half of all the Drupal sites deployed online today.

Drupal cryptojacking campaigns have expanded

Attackers only started exploiting the Drupalgeddon 2 vulnerability about two weeks after the patches came out, because most of them initially did not know how to trigger the flaw. Exploitation attempts began soon after public proof-of-concept code was published.

Since then, the flaw has been used to infect servers with backdoors, coinminers, cryptojackers, and IoT botnet malware. Mursch himself previously discovered a large cryptojacking campaign using the Drupalgeddon 2 flaw to infect sites’ frontend code with an in-browser miner.

The researcher published a Google Docs spreadsheet at the start of May to track the original campaign; the spreadsheet now includes data on several different campaigns and thousands more compromised Drupal sites. With 115,000 Drupal 7.x sites still missing the Drupalgeddon 2 patch, these campaigns have plenty of targets at their disposal.



