CISA has given U.S. government agencies until Wednesday evening to secure their servers against an SQL injection vulnerability in the Drupal content management system (CMS) that it flagged as actively exploited.
Drupal is typically used by large organizations managing massive data structures and multi-site installations, including government entities, educational organizations, major research universities, and high-profile enterprise and media organizations.
Google/Mandiant researcher Michael Maturi discovered this vulnerability (now tracked as CVE-2026-9082) in Drupal’s database abstraction API.
The security flaw can be exploited without authentication, allowing attackers to trigger arbitrary SQL injection on PostgreSQL-powered sites via specially crafted requests. Successful exploitation can potentially lead to information disclosure, privilege escalation, and even remote code execution.
The Drupal security team tagged the flaw as “highly critical” before releasing patches and confirming that exploitation attempts had been detected in the wild.
Internet security watchdog group Shadowserver is now tracking nearly 670 unpatched Drupal installations exposed online, most of them from North America (272) and Europe (273).
On Friday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to patch their systems by midnight on Wednesday, May 27, as mandated by Binding Operational Directive (BOD) 22-01.
Although BOD 22-01 applies only to U.S. federal agencies, CISA advised all defenders, including those in the private sector, to apply CVE-2026-9082 patches as soon as possible to secure their organizations’ devices.
“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise [..] Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice,” the cybersecurity agency warned.
“Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”
Over the last several years, CISA has flagged 5 Drupal vulnerabilities that have been exploited in the wild, two of which have also been abused in ransomware attacks.
Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.
This guide covers the 6 surfaces you actually need to validate.
