The Drupal team publicly acknowledged a serious vulnerability in the open source CMS Drupal in March with the release of a patch to address it. The vulnerability, which stems from insecure handling of user input received through form API AJAX requests, allows unauthenticated remote code execution on an affected website and can be leveraged to take the site over completely.
A proof-of-concept (PoC) exploit for the vulnerability was recently released by a Russian security researcher after Check Point and Dofinity published its technical details. Following the public release of the exploit, researchers from Sucuri, Imperva, and the SANS Internet Storm Center have observed automated attempts to exploit the vulnerability, named Drupalgeddon2, originating from hundreds of sources. Many attempts to exploit the more than a million websites built on Drupal have been detected over the past couple of days.
The vulnerability, which affects Drupal versions 6 to 8, is being used to compromise sites and embed cryptominers in them. The exploit has further accelerated the injection of cryptominers into hijacked websites, a trend among malicious actors for quite some time now.
Many reputable IT professionals have publicly warned about the issue. Unsurprisingly, they have asked people to update Drupal to the patched version immediately and to consider themselves hacked if they do not. To remove the vulnerability, website administrators should upgrade to Drupal 7.58 or Drupal 8.5.1 without delay. Drupal 6, which is also affected, is no longer supported, but a patch was still provided to address the vulnerability in that version.