Drupalgeddon 2 & 3 Madness: Exposing Websites to Critical Vulnerabilities

Etai Hochman
May 8, 2018 · 3 min read

At-Bay provides cyber insurance for the digital age. Learn more at at-bay.com.

In the past few months, Content Management System (CMS) giant Drupal made several announcements that have broad ramifications for online security. Drupal is an open-source framework which is the second largest CMS in the world and serves 9% of all CMS-backed websites.

On March 28th, Drupal first announced the discovery of Drupalgeddon 2, a Remote Code Execution (RCE) Vulnerability (CVE-2018–7600) affecting all Drupal releases to date. Soon after on April 12th, the first proof-of-concept code was made publicly available for research, yet the code had already been used by attackers remotely and anonymously to exploit Drupal websites.

On April 25th, Drupalgeddon 3 was released, another critical Drupal RCE vulnerability. Sophisticated hackers were able to exploit the code hours after the publication of the vulnerability. Proofs of concept were released several days later, enabling less sophisticated hackers to utilize the vulnerability as well.

Hackers love RCE vulnerabilities, which enable attackers to make money from two paths. The first path allows the attacker to hijack more resources in the network and the second path allows the attacker to also infect the website’s visitors.

Image for post
Example of a kill chain relevant to Drupalgeddon 2

Once their malicious code is running, hackers have a variety of options, including mining cryptocurrency, stealing data, and installing ransomware.

Image for post
Map of potential hacker options after malicious code is installed

additional technical details of the vulnerabilities can be found at the following sites:

Severity and likelihood of RCE exploits


RCE are the most critical vulnerabilities due to the severity of a successful attack.

Normally a successful attack would lead to pawning of a single server and the infection of all of the website’s visitors. In the worst case, the attacker would also move laterally in the network to hijack more servers.


Attackers will act indiscriminately using search engines (such as Shodan) to automate the discovery of websites with Drupal. Readily available code will enable the automation of the process to attack large batches of companies.

Easily automatable vulnerabilities lead to a high likelihood of attack.

Impact on cyber insurance

This Drupal vulnerability is one of many implementations of RCE Vulnerabilities with multiple impacts on companies.

These types of attacks are likely to lead to the following types of insurable damages:

  1. Cyber Attack: Including the cost of contractors to help respond to an incident
  2. Extortion: Payment demanded by the attacker
  3. Business interruption: Resulting in loss of revenues from the website or lack of productivity
  4. Data Breach: Notification, legal, credit monitoring, and regulatory costs

The same post-breach graph, color coded with the triggered coverages.

Image for post
How different hacker route trigger different kinds of insurable damage

How to protect against Drupalgeddon attacks

Patch! The Drupal security team has created an FAQ to help their users patch and make sure they are secure.

However, patching is sometimes difficult, and always takes time. Sophisticated hackers exploit new vulnerabilities in a matter of hours, and less sophisticated hackers within days. Therefore, patching is a less viable solution to keep organizations safe.

A better approach than patching as soon as every vulnerability is published is to use security technology designed to keep assets safe. An available solution for websites and web applications is a Web Application Firewall (WAF), which provides a buffer for the time required to patch.

We can safely recommend the following WAF vendors Incapsula, Cloudfare, and Sucuri to reinforce security and reduce exposure to vulnerabilities.

Etai Hochman

At-Bay, CTO


Cyberinsurance for the digital age | www.at-bay.com

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch

Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore

Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store