Security Experts:

Connect with us

Hi, what are you looking for?



Drupal Refutes Reports of 115,000 Sites Still Affected by Drupalgeddon2

The Drupal Security Team has refuted reports that at least 115,000 websites are still vulnerable to Drupalgeddon2 attacks, arguing that the methodology used by the researcher who announced that number is flawed.

The Drupal Security Team has refuted reports that at least 115,000 websites are still vulnerable to Drupalgeddon2 attacks, arguing that the methodology used by the researcher who announced that number is flawed.

Researcher Troy Mursch recently conducted an analysis of websites running Drupal 7, the most widely used version of the content management system (CMS), and apparently found that many of them had still not patched the Drupalgeddon2 vulnerability.

Mursch identified nearly 500,000 Drupal 7 websites through the PublicWWW source code search engine and found that 115,070 had been running older versions of the CMS. The analysis showed that roughly 134,000 sites had not been vulnerable, while for 225,000 the version of Drupal they had been using could not be determined.

These numbers are apparently based on data from the publicly accessible “CHANGELOG.txt” file found on each website – sites using Drupal 7.58 or a later version were classified as not vulnerable while earlier versions were counted as affected.

“Checking the contents of CHANGELOG.txt is not a valid way to determine whether a site is vulnerable to any given attack vector,” the Drupal Security Team said in a statement posted on its website and sent out to journalists. “Patches distributed by the Drupal security team to fix the issues were widely used, but did not touch CHANGELOG.txt or any version strings defined elsewhere. There are also other mitigations that vendors have provided which would also not affect CHANGELOG.txt but would protect the site.”

“We believe the presented numbers to be inaccurate. We consider it to be misleading to draw conclusions from this sparse information,” it added.

In an update to his initial blog post, Mursch says it’s impossible to determine exactly how many Drupal websites are still vulnerable to Drupalgeddon2 attacks without actually attempting to exploit the vulnerability.

“While we know 115,000 sites are using outdated Drupal versions, based on the publically accessible CHANGELOG.txt found on each site, it’s possible someone applied a mitigation patch. However, the problem is we have no way of telling if they did unless we perform the actual exploit,” Mursch said.

“Unfortunately, attempting the exploit on nearly half a million sites would be highly illegal. Due to this, I won’t be performing the exploit or any variant of it to prove all the sites are vulnerable. The fact remains that each one of the 115,000 sites is using an outdated version Drupal,” he added.

Drupalgeddon2, tracked as CVE-2018-7600, allows a remote attacker to execute arbitrary code and take complete control of a website running Drupal 6, 7 or 8. The flaw has been patched with the release of versions 7.58, 8.5.1, 8.3.9 and 8.4.6, with fixes also available for the outdated Drupal 6.

Drupalgeddon2 has been exploited by malicious actors to deliver cryptocurrency miners, backdoors, RATs and tech support scams.

During the analysis of Drupalgeddon2, the Drupal Security Team and the developer who reported the original vulnerability identified another flaw. This second vulnerability, tracked as CVE-2018-7602 and dubbed by some Drupalgeddon3, has also been exploited in the wild.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet