Drupal has announced a “core security release” scheduled for later today, warning that threat actors might develop exploits within hours of the update disclosure.
Administrators are urged to reserve time for core updates on May 20 between 17:00 and 21:00 UTC. Website administrators running versions 8 or 9 are strongly recommended to upgrade to at least version 10.6.
The Drupal content management system (CMS) is very popular among large organizations as well as in the government, education, and healthcare sectors.
According to the public service announcement, the vulnerability affects Drupal core versions 8 and later, but the advisory clarifies that not all configurations are impacted. Security updates will be available for the following versions:
- Drupal 11.3.x
- Drupal 11.2.x
- Drupal 11.1x
- Drupal 10.6.x
- Drupal 10.5.x
- Drupal 10.4x
Drupal notes that, although versions 11.1x and 10.4x are no longer supported, fixes will still be provided for them due to the severity of the security issue; administrators should update to Drupal 11.1.9 and 10.4.9.
Drupal 8 and 9, which have reached end-of-life, will receive no patches, but hotfix files will be published for versions 9.5 and 8.9, allowing remediation for those running versions 9.5.11 or 8.9.20.
Sites using Drupal Steward are already protected against known attack vectors. An update is still recommended, though.
No technical details about the vulnerability were disclosed, and any information that may appear online about it could be fraudulent, intended to trick admins into taking risky actions. Hence, caution is advised.
“Neither the Security Team nor any other party is able to release any more information about this vulnerability until the announcement is made,” warned Drupal.
Drupal website administrators should continue to monitor the platform’s official security portal throughout the day for more information and prepare to apply the security update as soon as it’s made available.
Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.
This guide covers the 6 surfaces you actually need to validate.
