Cyber Resilience

CVE-2018-7600

Tags: Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 29 March 2018
Modified: 31 October 2025
KEV Added: 03 November 2021
Patch: available (see version updates below)
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9449 (100.0th percentile)
Risk Priority: 96 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2018-7600 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Drupal (vendor Drupal, product Drupal). Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2018-7600 is a remote code execution vulnerability affecting Drupal versions prior to 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1. The flaw stems from an input validation issue (CWE-20) impacting multiple subsystems when default or common module configurations are in use, enabling unauthenticated attackers to inject and execute arbitrary code on the server.

The vulnerability can be exploited remotely over the network by unauthenticated attackers without user interaction, as reflected in its CVSS 3.1 score of 9.8. Successful exploitation grants full control over the affected Drupal installation, allowing arbitrary code execution that can lead to complete compromise of confidentiality, integrity, and availability.

Advisories and references, including Drupal security announcement SA-CORE-2018-002, direct users to apply the listed version updates to remediate the issue. Public references also note the availability of proof-of-concept code and scanning data indicating more than 100,000 exposed Drupal sites at the time of disclosure.

The issue, sometimes referred to as Drupalgeddon 2, saw rapid public analysis and exploit development following its 2018 publication, consistent with the provided references to vulnerability scanners and exploit repositories.

EU & UK References

Vulnerability details

Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.

CWE(s): CWE-20 (Improper Input Validation)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: drupal · Product: drupal · Versions: ≤ 7.57 · 8.0.0 – 8.3.9 · 8.4.0 – 8.4.6
Vendor: debian · Product: debian linux · Versions: 7.0, 8.0, 9.0

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): directly requires validation of all inputs to block the arbitrary code injection that enables unauthenticated RCE in vulnerable Drupal subsystems.

SI-2 Flaw Remediation (prevent): mandates prompt application of security patches, directly closing the input-validation flaw present in all listed pre-2018 Drupal versions.

CM-7 Least Functionality (prevent): enforces least functionality by disabling or restricting unnecessary modules and default configurations that the CVE exploits.

References