Drupal has issued an urgent warning that attackers are actively exploiting a critical SQL injection vulnerability disclosed earlier this week, according to a report by BleepingComputer on 22 May. The flaw, located in Drupal's core database abstraction layer, requires no authentication to trigger and affects all publicly accessible Drupal installations.
The vulnerability allows remote attackers to execute arbitrary SQL queries against the underlying database, potentially exposing sensitive data, administrative credentials, and configuration information. Security researchers have observed automated scanning and exploitation attempts beginning within hours of the advisory's publication, highlighting the shrinking window between disclosure and weaponization.
Immediate Patching Required
Drupal has released patched versions addressing this critical flaw. Organizations running Drupal installations should immediately upgrade to the latest security releases specified in the official advisory. The update process involves:
- Backup your database and files before applying any patches
- Download the latest patched release from the official Drupal security page
- Apply the update using your standard deployment workflow (Composer, manual replacement, or platform-specific update mechanisms)
- Clear all caches after the update completes
- Verify the installation by checking the status report and confirming the patched version number
For environments where immediate patching is not operationally feasible, deploy compensating controls as interim measures. Configure web application firewalls to block anomalous SQL query patterns, particularly those targeting database abstraction layer endpoints. Enforce strict network-level access restrictions to administrative interfaces and enable enhanced database activity logging to detect exploitation attempts.
Monitoring for Compromise
Security teams should implement monitoring for indicators of compromise, including unusual database query patterns, unexpected administrative account creation, and anomalous outbound data transfers. Review web server logs for repeated requests to endpoints that interact with the database abstraction layer, especially those containing SQL injection payloads.
Database administrators should audit recent query logs for suspicious SELECT statements that deviate from normal application behavior. Pay particular attention to queries attempting to extract user credentials, configuration tables, or sensitive content from the database.
Broader Relevance to Hong Kong IT Teams
This vulnerability is broadly relevant to organizations in Hong Kong that rely on Drupal for content management, particularly those in media, education, and professional services sectors. IT teams managing Drupal deployments should treat this update as a critical infrastructure priority rather than routine maintenance.
The rapid weaponization of this vulnerability underscores the importance of automated vulnerability scanning and CI/CD-driven patch deployment workflows. Organizations still relying on manual update cycles face increasing risk as attackers leverage open-source advisories to identify and target vulnerable systems within hours of disclosure.
Long-Term Security Posture
While compensating controls can mitigate risk during the patching window, they do not permanently close the injection vector. The official security update remains the only complete remediation. Organizations should integrate automated patch management into their deployment pipelines to reduce the gap between vulnerability disclosure and remediation.
Regular security audits, penetration testing, and dependency tracking help identify vulnerable components before attackers do. Establishing a formal vulnerability management program ensures that critical updates receive appropriate priority and resources.
According to BleepingComputer, the Drupal security team continues to monitor exploitation attempts and may release additional guidance as the situation develops. Organizations should subscribe to Drupal security announcements and maintain current contact information with their hosting providers to receive timely notifications.
Drupal 發出緊急警告,指攻擊者正積極利用本週初披露的一個嚴重 SQL injection 漏洞。據 BleepingComputer 5月22日報道,該漏洞位於 Drupal 核心 database abstraction layer,無需身份驗證即可觸發,影響所有公開存取的 Drupal 安裝。
該漏洞允許遠程攻擊者對底層數據庫執行任意 SQL queries,可能洩露敏感數據、管理員憑證及配置資訊。安全研究人員觀察到,在公告發布後數小時內已出現自動掃描和利用嘗試,突顯漏洞披露與武器化之間的時間窗口正不斷縮短。
必須立即修補
Drupal 已發布修補版本以解決此嚴重漏洞。使用 Drupal 的機構應立即升級至官方公告中指定的最新安全版本。更新程序包括:
- 備份數據庫及檔案,然後才套用任何修補程式
- 從 Drupal 官方安全頁面下載最新修補版本
- 使用標準部署工作流程套用更新(Composer、手動替換或平台特定的更新機制)
- 更新完成後清除所有 caches
- 檢查安裝狀態,核實狀態報告並確認已修補的版本號碼
對於無法即時進行 patching 的環境,應部署補償性控制措施作為臨時方案。配置 web application firewalls 以阻擋異常 SQL query 模式,特別是針對 database abstraction layer endpoints 的請求。對管理介面實施嚴格的網絡級別存取限制,並啟用增強的數據庫活動日誌記錄,以便偵測利用嘗試。
監測是否遭入侵
安全團隊應實施指標監測,包括異常的數據庫 query 模式、未經預期的管理員帳戶創建,以及異常的出站數據傳輸。檢查 web server logs 中對與 database abstraction layer 交互的 endpoints 的重複請求,特別是包含 SQL injection payloads 的請求。
數據庫管理員應審計最近的 query logs,查找偏離正常應用行為的可疑 SELECT statements。特別留意嘗試從數據庫中提取用戶憑證、配置表或敏感內容的 queries。
對香港 IT 團隊的廣泛相關性
此漏洞與依賴 Drupal 進行 content management 的香港機構廣泛相關,特別是媒體、教育和專業服務行業的機構。管理 Drupal 部署的 IT 團隊應將此更新視為關鍵基礎設施優先事項,而非例行維護。
此漏洞被迅速武器化,突顯了自動 vulnerability scanning 和 CI/CD 驅動的 patch deployment workflows 的重要性。仍依賴手動更新週期的機構正面臨日益增加的風險,因為攻擊者利用 open-source advisories 在漏洞披露後數小時內識別並鎖定脆弱系統。
長遠安全防護
雖然補償性控制措施可在 patching 窗口期間降低風險,但無法永久關閉 injection vector。官方安全更新仍然是唯一的完整修復方案。機構應將自動 patch management 整合到 deployment pipelines 中,以縮短漏洞披露與修復之間的差距。
定期 security audits、penetration testing 和 dependency tracking 有助於在攻擊者之前識別脆弱組件。建立正式的 vulnerability management program 可確保關鍵更新獲得適當的優先級和資源。
據 BleepingComputer 報道,Drupal 安全團隊持續監測利用嘗試,並可能隨著事態發展發布額外指引。機構應訂閱 Drupal 安全公告,並與 hosting providers 保持最新的聯絡資訊,以便及時接收通知。