Connect with us

Hi, what are you looking for?


Malware & Threats

Old Drupal Flaw Still Used to Hack Websites

More than 19 months after it was patched by Drupal developers, a critical SQL injection vulnerability in the popular content management system is still being exploited by malicious actors to hack websites.

More than 19 months after it was patched by Drupal developers, a critical SQL injection vulnerability in the popular content management system is still being exploited by malicious actors to hack websites.

The vulnerability in question, tracked as CVE-2014-3704 and dubbed by researchers “Drupalgeddon,” is related to a database abstraction API used in Drupal 7. The flaw allows attackers to execute arbitrary SQL queries, which can lead to privilege escalation or code execution. A patch was released on October 15, 2014.

Just two weeks after the availability of the patch was announced, Drupal warned users that all installations should be assumed compromised unless the fix was applied within 7 hours after its release.

Even today, there still are some organizations that haven’t patched the vulnerability. For instance, a version of Drupal plagued by this flaw had powered a customer portal of Panama-based law firm Mossack Fonseca, from which hackers recently leaked millions of emails, databases, images and documents.

Web security firm Sucuri has been monitoring attacks targeting CVE-2014-3704. According to the company, after the initial attacks in October and November 2014, when thousands of websites were targeted, the number of attacks dropped, but remained consistent throughout 2015 and 2016.

Drupal attacks

“If someone had not patched, they are surely compromised now. But that doesn’t stop attackers from trying to find new entry points and even compromise already compromised sites,” Sucuri explained in a blog post on Tuesday.

In most cases, malicious actors have leveraged the SQL injection vulnerability to create new admin accounts on Drupal websites, including ones named Derevos, Holako and Mr.R00t2_404. It’s unclear what attackers are doing once they gain access to these sites because Sucuri blocked all the attempts it detected before hackers could cause any damage.

Advertisement. Scroll to continue reading.

However, the security firm noted that it has observed an increase in SEO spam attacks against Drupal 7 websites.

Related Reading: Critical Drupal Updates Patch Several Vulnerabilities

Related Reading: Drupal Starts Patching Update Process Flaws

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.