CISA has given U.S. federal agencies until Wednesday night to secure their servers against an SQL injection vulnerability in the Drupal content management system (CMS) that it flagged as actively exploited.
Drupal is commonly used by large organizations managing large data structures and multi-site installations, including government entities, educational organizations, major research universities, and high-profile enterprise and media organizations.
Google/Mandiant researcher Michael Maturi discovered this vulnerability (now tracked as CVE-2026-9082) in Drupal's database abstraction API.
The security flaw can be exploited without authentication, allowing attackers to trigger arbitrary SQL injection on PostgreSQL-powered sites via specially crafted requests. Successful exploitation can potentially lead to information disclosure, privilege escalation, and even remote code execution.
The Drupal security team tagged the flaw as "highly critical" before releasing patches and confirming that exploitation attempts had been detected in the wild.
"Since CVE-2026-9082 was released, Imperva has observed over 15,000 attack attempts targeting nearly 6,000 individual sites across 65 countries," cybersecurity firm Imperva warned on May 21. "Attacks are primarily targeting Gaming and Financial Services sites so far, at collectively nearly 50% of all attacks."
Internet security watchdog group Shadowserver now tracks nearly 670 unpatched Drupal installations exposed online, most of them from North America (272) and Europe (273).

On Friday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to patch their systems by midnight on Wednesday, May 27, as mandated by Binding Operational Directive (BOD) 22-01.
Although BOD 22-01 applies only to U.S. federal agencies, CISA advised all defenders, including those in the private sector, to apply the CVE-2026-9082 patches as soon as possible to secure their organizations' systems.
"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise [..] Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice," the cybersecurity agency warned.
"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."
Over the last several years, CISA has flagged five Drupal vulnerabilities that have been exploited in the wild, two of which have also been abused in ransomware attacks.