CISA orders feds to patch actively exploited Drupal vulnerability


By Sergiu Gatlan

May 26, 2026

04:46 AM

CISA has given U.S. government agencies until Wednesday evening to secure their servers against an SQL injection vulnerability in the Drupal content management system (CMS) that it flagged as actively exploited.

Drupal is typically used by large organizations managing massive data structures and multi-site installations, including government entities, educational organizations, major research universities, and high-profile enterprise and media organizations.

Google/Mandiant researcher Michael Maturi discovered this vulnerability (now tracked as CVE-2026-9082) in Drupal's database abstraction API.

The security flaw can be exploited without authentication, allowing attackers to trigger arbitrary SQL injection on PostgreSQL-powered sites via specially crafted requests. Successful exploitation can potentially lead to information disclosure, privilege escalation, and even remote code execution.

The Drupal security team tagged the flaw as "highly critical" before releasing patches and confirming that exploitation attempts had been detected in the wild.

"Since CVE-2026-9082 was released, Imperva has observed over 15,000 attack attempts targeting almost 6,000 individual sites across 65 countries," cybersecurity firm Imperva warned on May 21. "Attacks are primarily targeting Gaming and Financial Services sites so far, at collectively almost 50% of all attacks."

Internet security watchdog group Shadowserver now tracks nearly 670 unpatched Drupal installations exposed online, most of them from North America (272) and Europe (273).

[Figure: Unpatched Drupal instances (Shadowserver)]

On Friday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to patch their systems by midnight on Wednesday, May 27, as mandated by Binding Operational Directive (BOD) 22-01.

Although BOD 22-01 applies only to U.S. federal agencies, CISA advised all defenders, including those in the private sector, to apply CVE-2026-9082 patches as soon as possible to secure their organizations' devices.

"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise [..] Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice," the cybersecurity agency warned.

"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."

Over the last several years, CISA has flagged 5 Drupal vulnerabilities that have been exploited in the wild, two of which have also been abused in ransomware attacks.
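The BOD 22-01 workflow described above (KEV entry, due date, ransomware flag) is easy to automate against CISA's public KEV JSON feed. The following is an added example, not code from the article, CISA or Drupal; the field names are assumed from the feed's published schema, the first entry's dates come from this article, and the other two entries are constructed placeholders.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV catalog feed. Field names are
# assumed from the public JSON schema; the CVE-2026-9082 dates follow the
# article (added Friday May 22, 2026, due Wednesday May 27, 2026). The two
# CVE-EXAMPLE-* entries are placeholders, not real identifiers.
SAMPLE_KEV = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2026-9082", "vendorProject": "Drupal",
         "product": "Drupal Core", "dateAdded": "2026-05-22",
         "dueDate": "2026-05-27",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-EXAMPLE-0001", "vendorProject": "Drupal",
         "product": "Drupal Core", "dateAdded": "2026-04-01",
         "dueDate": "2026-04-22", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-EXAMPLE-0002", "vendorProject": "OtherVendor",
         "product": "Other Product", "dateAdded": "2026-05-20",
         "dueDate": "2026-06-10", "knownRansomwareCampaignUse": "Unknown"},
    ]
})


def kev_status(catalog_json, today, vendor=None):
    """Summarise KEV entries against BOD 22-01 due dates.

    Returns a list of dicts sorted most-urgent first. days_left is negative
    when the remediation deadline has already passed; ransomware is True
    when CISA marks the entry as used in ransomware campaigns.
    """
    entries = json.loads(catalog_json)["vulnerabilities"]
    out = []
    for v in entries:
        # Optional filter on vendor, matching case-insensitively.
        if vendor and v.get("vendorProject", "").lower() != vendor.lower():
            continue
        due = date.fromisoformat(v["dueDate"])
        out.append({
            "cve": v["cveID"],
            "days_left": (due - today).days,
            "ransomware": v.get("knownRansomwareCampaignUse") == "Known",
        })
    return sorted(out, key=lambda e: e["days_left"])


if __name__ == "__main__":
    for e in kev_status(SAMPLE_KEV, date(2026, 5, 26), vendor="Drupal"):
        print(e)
```

Pointing the same function at the live feed (downloaded separately) gives a per-vendor list of what is overdue and what is still within its BOD 22-01 window.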


Sergiu Gatlan

Sergiu is a news reporter who has covered the latest cybersecurity and technology developments for over a decade. Email or Twitter DMs for tips.
