Cybercriminals are actively exploiting a “highly critical” Drupal bug to deliver cryptocurrency miners and other malicious payloads.
The remote code execution vulnerability in Drupal Core was announced in a Feb. 20, 2019 security update. It results from some field types not properly sanitizing data from non-form sources, which can lead to arbitrary PHP code execution in some cases. Drupal gave a heads-up to prepare for the update a day before the release.
Users were advised to upgrade to Drupal 8.6.10 if using Drupal 8.6.x, to upgrade to Drupal 8.5.11 if using Drupal 8.5.x or earlier, and to install any available security updates for contributed projects after updating Drupal core.
Imperva researchers have detected attacks stemming from various parts of the globe targeting those in government and the financial services industry, and noted that the proposed mitigations do not actually foil the exploitation.