Vulnerability Details: CVE-2018-7600
Public exploit exists!
Used for ransomware!
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
Vulnerability category: Input validation, Execute code
CVE-2018-7600 is in the CISA Known Exploited Vulnerabilities Catalog
This issue is known to have been leveraged as part of a ransomware campaign.
CISA vulnerability name: Drupal Core Remote Code Execution Vulnerability
CISA required action: Apply updates per vendor instructions.
CISA description: Drupal Core contains a remote code execution vulnerability that could allow an attacker to exploit multiple attack vectors on a Drupal site, resulting in complete site compromise.
Added on: 2021-11-03
Action due date: 2022-05-03
Exploit prediction scoring system (EPSS) score for CVE-2018-7600
Probability of exploitation activity in the next 30 days: 97.57%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 100 %
Metasploit modules for CVE-2018-7600
- Drupal Drupalgeddon 2 Forms API Property Injection
  Disclosure Date: 2018-03-28
  First seen: 2020-04-26
  exploit/unix/webapp/drupal_drupalgeddon2
  This module exploits a Drupal property injection in the Forms API. Drupal 6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6, and < 8.5.1 are vulnerable.
  Authors: Jasper Mattsson, a2u, Nixawk, FireFart, wvu <wvu@metasploit.com>
CVSS scores for CVE-2018-7600
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST |
9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST |
CWE ids for CVE-2018-7600
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
  Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-7600
- https://twitter.com/RicterZ/status/984495201354854401
  Twitter / ?
  Tags: Third Party Advisory
- https://www.exploit-db.com/exploits/44449/
  Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution
  Tags: Exploit; Third Party Advisory; VDB Entry
- https://greysec.net/showthread.php?tid=2912&pid=10561
  Any Exploit Code For "CVE-2018-7600"
  Tags: Issue Tracking; Third Party Advisory
- https://twitter.com/RicterZ/status/979567469726613504
  Twitter / ?
  Tags: Third Party Advisory
- https://www.debian.org/security/2018/dsa-4156
  Debian -- Security Information -- DSA-4156-1 drupal7
  Tags: Third Party Advisory
- http://www.securityfocus.com/bid/103534
  Drupal Core CVE-2018-7600 Multiple Remote Code Execution Vulnerabilities
  Tags: Third Party Advisory; VDB Entry
- https://groups.drupal.org/security/faq-2018-002
  FAQ about SA-CORE-2018-002 | Drupal Groups
  Tags: Vendor Advisory
- https://www.tenable.com/blog/critical-drupal-core-vulnerability-what-you-need-to-know
  Critical Drupal Core Vulnerability: What You Need to Know - Blog | Tenable®
  Tags: Third Party Advisory
- https://www.exploit-db.com/exploits/44448/
  Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC)
  Tags: Exploit; Third Party Advisory; VDB Entry
- https://blog.appsecco.com/remote-code-execution-with-drupal-core-sa-core-2018-002-95e6ecc0c714
  Remote Code Execution with Drupal core (SA-CORE-2018–002)
  Tags: Third Party Advisory
- https://github.com/g0rx/CVE-2018-7600-Drupal-RCE
  GitHub - g0rx/CVE-2018-7600-Drupal-RCE: CVE-2018-7600 Drupal RCE
  Tags: Patch; Third Party Advisory
- https://www.drupal.org/sa-core-2018-002
  Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002 | Drupal.org
  Tags: Vendor Advisory
- https://www.exploit-db.com/exploits/44482/
  Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit)
  Tags: Exploit; Third Party Advisory; VDB Entry
- https://badpackets.net/over-100000-drupal-websites-vulnerable-to-drupalgeddon-2-cve-2018-7600/
  Over 100,000 Drupal websites vulnerable to Drupalgeddon 2 (CVE-2018-7600) – Bad Packets
  Tags: Third Party Advisory
- https://lists.debian.org/debian-lts-announce/2018/03/msg00028.html
  [SECURITY] [DLA 1325-1] drupal7 security update
  Tags: Third Party Advisory
- https://github.com/a2u/CVE-2018-7600
  GitHub - a2u/CVE-2018-7600: 💀Proof-of-Concept for CVE-2018-7600 Drupal SA-CORE-2018-002
  Tags: Third Party Advisory
- https://research.checkpoint.com/uncovering-drupalgeddon-2/
  Uncovering Drupalgeddon 2 - Check Point Research
  Tags: Exploit; Third Party Advisory
- https://www.synology.com/support/security/Synology_SA_18_17
  Synology Inc.
  Tags: Third Party Advisory
- https://twitter.com/arancaytar/status/979090719003627521
  aran on Twitter: "The CVE is (obviously) coy about the actual exploit, but there's one subsystem that has been there for some ~12 years, relatively slow to change, and uses "#" as a control character
  Tags: Third Party Advisory
- http://www.securitytracker.com/id/1040598
  Drupal Form API Flaw Lets Remote Users Execute Arbitrary Code on the Target System - SecurityTracker
  Tags: Third Party Advisory; VDB Entry
Products affected by CVE-2018-7600
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*