
CISA has given U.S. government agencies until Wednesday night to secure their servers against an SQL injection vulnerability in the Drupal content management system (CMS) that it flagged as actively exploited.
Drupal is commonly used by large organizations managing large data structures and multi-site installations, including government entities, educational organizations, major research universities, and high-profile business and media organizations.
Google/Mandiant researcher Michael Maturi discovered this vulnerability (now tracked as CVE-2026-9082) in Drupal's database abstraction API.
The security flaw can be exploited without authentication, allowing attackers to trigger arbitrary SQL injection on PostgreSQL-powered sites via specially crafted requests. Successful exploitation can potentially lead to information disclosure, privilege escalation, and even remote code execution.
The Drupal security team tagged the flaw as "highly critical" before releasing patches and confirming that exploitation attempts had been detected in the wild.
Internet security watchdog group Shadowserver is now tracking nearly 670 unpatched Drupal installations exposed online, most of them in North America (272) and Europe (273).

On Friday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to patch their systems by midnight on Wednesday, May 27, as mandated by Binding Operational Directive (BOD) 22-01.
Although BOD 22-01 applies only to U.S. federal agencies, CISA advised all defenders, including those in the private sector, to apply the CVE-2026-9082 patches as soon as possible to secure their organizations' devices.
"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise [..] Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice," the cybersecurity agency warned.
"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."
Over the last several years, CISA has flagged 5 Drupal vulnerabilities that have been exploited in the wild, two of which have also been abused in ransomware attacks.
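The KEV Catalog that CISA publishes is also available as a machine-readable JSON feed, and tracking its due dates is how most vulnerability management teams operationalize BOD 22-01 deadlines like the one above. The following is an added example, not code from the article or from CISA or Drupal: it parses a catalog in the KEV JSON layout (the field names `cveID`, `vendorProject`, `dateAdded`, `dueDate`, and `knownRansomwareCampaignUse` are those of the real feed), filters it to one vendor, and reports how many days remain before each entry's remediation deadline. The sample catalog embedded below is constructed for the example; its Drupal entry uses the CVE and the May 27 due date from the article, its `dateAdded` of May 22 is assumed from "Friday", and the other two entries (including the placeholder ID `CVE-0000-00001`) are invented to show an overdue, ransomware-linked entry and another vendor being filtered out.

```python
"""Filter a CISA KEV-format catalog by vendor and compute BOD 22-01 deadline status.

Added example: the JSON below is a constructed sample in the layout of CISA's
known_exploited_vulnerabilities.json feed, not a copy of the real catalog.
"""
import json
from datetime import date

# Constructed sample. Field names match the KEV feed; the entries are illustrative.
# CVE-0000-00001 is a placeholder ID, not a real CVE.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "example",
  "count": 3,
  "vulnerabilities": [
    {
      "cveID": "CVE-2026-9082",
      "vendorProject": "Drupal",
      "product": "Drupal Core",
      "vulnerabilityName": "Drupal Core SQL Injection Vulnerability",
      "dateAdded": "2026-05-22",
      "shortDescription": "SQL injection in the database abstraction API affecting PostgreSQL-backed sites.",
      "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
      "dueDate": "2026-05-27",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": ""
    },
    {
      "cveID": "CVE-0000-00001",
      "vendorProject": "Drupal",
      "product": "Drupal Core",
      "vulnerabilityName": "Placeholder older Drupal entry (constructed)",
      "dateAdded": "2025-12-25",
      "shortDescription": "Constructed entry used to show an overdue, ransomware-linked item.",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2026-01-15",
      "knownRansomwareCampaignUse": "Known",
      "notes": ""
    },
    {
      "cveID": "CVE-0000-00002",
      "vendorProject": "ExampleVendor",
      "product": "ExampleProduct",
      "vulnerabilityName": "Placeholder entry for a different vendor (constructed)",
      "dateAdded": "2026-05-20",
      "shortDescription": "Constructed entry used to show vendor filtering.",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2026-06-10",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": ""
    }
  ]
}
"""


def load_catalog(text):
    """Parse KEV-format JSON text and return the list under 'vulnerabilities'."""
    return json.loads(text)["vulnerabilities"]


def entries_for_vendor(entries, vendor):
    """Return the entries whose vendorProject matches (case-insensitive)."""
    return [e for e in entries if e["vendorProject"].lower() == vendor.lower()]


def days_until_due(entry, today):
    """Days from 'today' (a date) to the entry's dueDate; negative once overdue."""
    return (date.fromisoformat(entry["dueDate"]) - today).days


def remediation_report(text, vendor, today_iso):
    """Build a deadline report for one vendor, earliest due date first.

    today_iso is an ISO date string (e.g. "2026-05-25") so callers need no
    datetime import. Each row carries the CVE, due date, days left, an
    overdue flag, and whether CISA lists known ransomware campaign use.
    """
    today = date.fromisoformat(today_iso)
    rows = []
    for e in entries_for_vendor(load_catalog(text), vendor):
        left = days_until_due(e, today)
        rows.append({
            "cveID": e["cveID"],
            "dueDate": e["dueDate"],
            "days_left": left,
            "overdue": left < 0,
            "ransomware": e.get("knownRansomwareCampaignUse", "Unknown") == "Known",
        })
    rows.sort(key=lambda r: r["dueDate"])
    return rows


if __name__ == "__main__":
    # Run against the constructed sample as of an assumed date of 2026-05-25.
    for row in remediation_report(SAMPLE_KEV_JSON, "Drupal", "2026-05-25"):
        print(row)
```

To use it against the live feed, replace `SAMPLE_KEV_JSON` with the downloaded catalog text and pass today's date; the `overdue` and `ransomware` flags are the two fields most teams escalate on, since BOD 22-01 deadlines are hard dates and ransomware-linked entries carry the highest real-world risk.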

