CVE-2018-7600

CVE-2018-7600 is a critical-severity vulnerability in Drupal with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-20.

Key facts

Description

Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.

CVE-2018-7600: Drupal Core Remote Code Execution (Drupalgeddon 2)

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE CVE-2018-7600
Published 2018-03-29
CVSS v3 9.8 (Critical)
CVSS v2 7.5
EPSS 0.99993 (99.99th percentile)
KEV Yes (since 2021-11-03)
CWE CWE-20: Improper Input Validation

Summary

Remote code execution vulnerability in Drupal core affecting multiple subsystems under default or common module configurations, enabling unauthenticated attackers to execute arbitrary code on the target server.

Background

CVE-2018-7600, widely known as "Drupalgeddon 2", is a critical remote code execution vulnerability in the Drupal content management framework. It was disclosed in March 2018 and affects all unpatched Drupal 7 and 8 installations running default or common module configurations. The vulnerability has been actively exploited in the wild since its disclosure, as confirmed by CISA's Known Exploited Vulnerabilities Catalog.

Root Cause

The vulnerability stems from CWE-20: Improper Input Validation. Multiple Drupal subsystems fail to adequately sanitize user-supplied input, allowing unauthenticated remote attackers to inject and execute arbitrary code. The flaw affects the routing and form API subsystems, where insufficient input validation enables malicious payloads to reach sensitive code paths.

Impact

With a CVSS v3 score of 9.8 (Critical) and vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, this vulnerability enables:

  • Confidentiality: HIGH — attackers can read sensitive data including database contents and configuration files.
  • Integrity: HIGH — attackers can modify data, inject backdoors, and alter application logic.
  • Availability: HIGH — attackers can disrupt service or deploy malware.

The CVSS v2 score of 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) also reflects severe network-exploitable risk. No authentication is required, attack complexity is low, and no user interaction is needed, making this trivially exploitable at scale.

Exploitation Walkthrough

Ethics Notice: This section is provided for defensive awareness only. The details below are generic and do not constitute a working exploit. Security practitioners should use this information to understand attack surface and improve detection controls.

An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests to vulnerable Drupal endpoints. The attack leverages insufficient input validation within the form API or routing subsystems to reach sensitive code paths. Successful exploitation typically results in arbitrary PHP code execution on the server, often leading to full site compromise, database exfiltration, cryptocurrency miner deployment, or persistent backdoor installation.

Affected and Patched Versions

Affected:

  • Drupal 7.x before 7.58
  • Drupal 8.x before 8.3.9
  • Drupal 8.4.x before 8.4.6
  • Drupal 8.5.x before 8.5.1
  • Debian Linux 7.0, 8.0, and 9.0 distributions shipping affected Drupal packages

Patched:

  • Drupal 7.58 and later
  • Drupal 8.3.9 and later (8.3.x)
  • Drupal 8.4.6 and later (8.4.x)
  • Drupal 8.5.1 and later (8.5.x)

Remediation

  1. Upgrade immediately to the latest patched version of Drupal core (7.58+ for 7.x, 8.5.1+ for 8.x, or migrate to a supported Drupal 9/10/11 release).
  2. Compensating controls (if patching is not immediately possible):
    • Apply vendor-provided Web Application Firewall (WAF) rules from the Drupal security team.
    • Restrict access to Drupal administrative and form endpoints by source IP where feasible.
    • Implement additional input validation and sanitization at the network edge.
  3. Incident response: Review all Drupal installations for signs of compromise. This vulnerability has been widely exploited in the wild since 2018; assume breach if you were running an unpatched instance.

Detection

  • Monitor web server logs for suspicious POST requests to Drupal form and routing endpoints.
  • Look for unexpected file writes or PHP execution in the Drupal webroot.
  • Scan for unauthorized administrator accounts, modified configuration files, or new modules.
  • Check for known indicators of compromise (IoCs) from Drupal security advisories and CISA alerts.
  • Deploy WAF signatures specific to CVE-2018-7600 to block exploit attempts at the perimeter.
  • Monitor for abnormal outbound network traffic from web servers, which may indicate post-exploitation activity.

Assessment

  • EPSS: 0.99993 with a percentile of 0.99986 — this places the vulnerability in the highest risk tier, indicating near-certain exploitation probability in the wild.
  • KEV: Added to CISA's Known Exploited Vulnerabilities Catalog on 2021-11-03. Active exploitation has been confirmed for years, making this a top-priority patching target.
  • Lessons:
    1. Default configurations in widely deployed frameworks are high-value targets; input validation must be rigorously enforced at every subsystem boundary, not just surface-level entry points.
    2. The years-long gap between disclosure (2018-03-29) and KEV catalog inclusion (2021-11-03) underscores that even well-known, high-severity vulnerabilities require persistent patching discipline and continuous asset inventory.

References

Frequently asked questions

What is CVE-2018-7600?
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
How severe is CVE-2018-7600?
CVE-2018-7600 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2018-7600 being actively exploited?
Yes. CVE-2018-7600 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2018-7600?
CVE-2018-7600 primarily affects Drupal. In total, 4 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2018-7600?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2018-7600 have an EU (EUVD) identifier?
Yes. CVE-2018-7600 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2022-2985. It is also flagged as exploited in the EUVD (since 2021-11-03).
When was CVE-2018-7600 published?
CVE-2018-7600 was published on 2018-03-29 and last updated on 2026-06-17.

References

Affected products (4)

More vulnerabilities in Drupal

All CVEs affecting Drupal →

Other CWE-20 (Improper Input Validation) vulnerabilities

Browse all CWE-20 (Improper Input Validation) vulnerabilities →