Security Experts:

Connect with us

Hi, what are you looking for?



Drupal RCE Flaw Exploited in Attacks Days After Patch

A vulnerability patched recently in the Drupal content management system (CMS) has been exploited in the wild to deliver cryptocurrency miners and other payloads. The attacks started just three days after a fix was released.

A vulnerability patched recently in the Drupal content management system (CMS) has been exploited in the wild to deliver cryptocurrency miners and other payloads. The attacks started just three days after a fix was released.

The flaw, tracked as CVE-2019-6340, is caused by the lack of proper data sanitization in some field types and it can allow an attacker to execute arbitrary PHP code. Exploitation is possible if the core RESTful Web Services module is enabled and it allows PATCH or POST requests. Attacks are also possible if another web services module is enabled, such as JSON:API in Drupal 8 or RESTful Web Services or Services in Drupal 7.

Drupal has released updates to address the vulnerability and told customers that they can mitigate it by disabling all web services modules, or configuring the server to not allow GET/PUT/PATCH/POST requests to web services resources.

The patches released on February 20 were quickly analyzed and technical details and proof-of-concept (PoC) code were released roughly two days later. Security firm Imperva revealed on Monday that it had started seeing attacks exploiting CVE-2019-6340 on February 23.

According to the company, it has observed hundreds of attack attempts aimed at dozens of its customers, including organizations in the government and financial services sectors. The malicious requests came from several threat groups and several countries.

Imperva says one of the most interesting payloads delivered in these attacks was a JavaScript-based cryptocurrency miner named CoinIMP. The tool is injected into the targeted website’s index.php file and it abuses the devices of the site’s visitors to mine Monero and other cryptocurrencies.

Attackers have also attempted to use the exploit to deliver a shell that allows them to upload arbitrary files to vulnerable Drupal sites.

Imperva also pointed out that attacks can be launched against websites whose administrators implemented the initial mitigations proposed by Drupal developers.

“[The exploit] continues to work even after following the Drupal team’s proposed remediation of disabling all web services modules and banning PUT/PATCH/POST requests to web services resources,” Imperva’s Edi Kogan explained. “Despite the fix, it is still possible to issue a GET request and therefore perform remote code execution as was the case with the other HTTP methods.”

Drupal developers have confirmed that the flaw has been exploited in the wild and made some clarifications regarding vulnerable components and mitigations.

Cybercriminals hacked many Drupal websites last year by exploiting two flaws dubbed Drupalgeddon2 and Drupalgeddon3. The attackers leveraged the vulnerabilities to deliver RATs, cryptocurrency miners and tech support scams.

Recent attacks also involved exploits that chained Drupalgeddon 2 with the DirtyCOW Linux kernel bug.

Related:Two Code Execution Flaws Patched in Drupal

Related: Drupal Refutes Reports of 115,000 Sites Still Affected by Drupalgeddon2

Related: Remote Code Execution Flaws Patched in Drupal

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.