
CISA mandates patches for actively exploited Drupal vulnerability

CISA has given US government agencies until Wednesday evening to protect their servers against a SQL injection vulnerability in the Drupal content management system (CMS) that has been flagged as exploited.

Drupal is often used by large organizations that manage large data structures and multi-site installations, including government agencies, educational organizations, major research universities, and high-profile business and media organizations.

Google/Mandiant researcher Michael Maturi discovered this vulnerability (now tracked as CVE-2026-9082) in the Drupal database API.

The flaw can be exploited without authentication: an attacker can trigger SQL injection on PostgreSQL-backed sites through specially crafted requests. Successful exploitation can lead to information disclosure, privilege escalation, and even remote code execution.
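The article does not describe the internals of CVE-2026-9082, so the following is an added illustration of the vulnerability class only, not code from Drupal or from the researchers. It shows why splicing untrusted input into SQL text lets a crafted request change a query's structure, and how a bound parameter prevents that. The `users` table and its rows are constructed sample data, and sqlite3 stands in for PostgreSQL because it ships with Python; the concatenation-versus-parameter distinction is the same on both databases.

```python
import sqlite3

# Constructed sample data: a tiny "users" table standing in for a CMS database.
SAMPLE_USERS = [
    (1, "alice", "editor"),
    (2, "bob", "admin"),
    (3, "carol", "viewer"),
]


def build_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable pattern: the untrusted value is spliced into the SQL text,
    so a quote character in the input becomes part of the query grammar."""
    sql = "SELECT uid, name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened pattern: the query text is fixed and the value is sent as a
    bound parameter, which the database never parses as SQL."""
    sql = "SELECT uid, name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups against a benign name and a constructed input that
    contains a quote, and return the four result sets for comparison."""
    conn = build_db()
    benign = "alice"
    crafted = "x' OR 'a'='a"  # constructed input; a textbook tautology
    return {
        "unsafe_benign": lookup_unsafe(conn, benign),
        "unsafe_crafted": lookup_unsafe(conn, crafted),
        "safe_benign": lookup_safe(conn, benign),
        "safe_crafted": lookup_safe(conn, crafted),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the benign name both functions return the single `alice` row. With the crafted input the concatenated query returns every row in the table, because the WHERE clause has been rewritten to `name = 'x' OR 'a'='a'`, while the parameterized query returns nothing, since no user is literally named `x' OR 'a'='a`. Reviewing application code for the first pattern, and keeping the database API that does the binding up to date, is the defender's lever here.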

Drupal’s security team rated the bug “critical” when it released patches and confirmed that exploitation attempts had been observed in the wild.

“Since the release of CVE-2026-9082, Imperva has seen more than 15,000 attack attempts targeting nearly 6,000 sites in 65 countries,” cybersecurity firm Imperva warned on May 21. “Attacks have mainly targeted Gaming and Financial Services sites so far, with nearly 50% across all sectors.”

Internet security watchdog group Shadowserver currently tracks nearly 670 unpatched Drupal installations exposed online, most of them in North America (272) and Europe (273).

Unpatched Drupal instances (Shadowserver)

On Friday, the US Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to patch their systems by midnight on Wednesday, May 27, as required by Binding Operational Directive (BOD) 22-01.

Although BOD 22-01 applies only to US government agencies, CISA advises all defenders, including those in the private sector, to apply CVE-2026-9082 patches as soon as possible to protect their organizations’ devices.
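One way to act on CISA's advice is to check the CVEs you care about against the KEV catalog and compute how long remains before each BOD 22-01 due date. The script below is an added example and is not CISA's or Drupal's code. It assumes the record field names (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`) used by CISA's published KEV JSON feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; the embedded catalog is a constructed sample in that shape, its `dateAdded` and due date are placeholders based on the article's "Friday" and "May 27", and CVE-0000-0001 is a made-up identifier used only to show the not-listed case.

```python
import json
import urllib.request
from datetime import date

KEV_FEED_URL = (
    "https://www.cisa.gov/sites/default/files/feeds/"
    "known_exploited_vulnerabilities.json"
)

# Constructed sample in the shape of the KEV feed; dates are placeholders.
SAMPLE_KEV = {
    "catalogVersion": "example",
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-9082",
            "vendorProject": "Drupal",
            "product": "Drupal",
            "dateAdded": "2026-05-22",
            "dueDate": "2026-05-27",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
}


def fetch_kev(url=KEV_FEED_URL, timeout=30):
    """Download the live catalog (network access required; not used by demo())."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def kev_index(kev):
    """Map upper-cased cveID -> record for quick membership checks."""
    return {v["cveID"].upper(): v for v in kev["vulnerabilities"]}


def triage(kev, cve_ids, today):
    """For each CVE of interest return (cveID, status, days_to_due).

    status is 'overdue' (due date passed), 'due' (listed, deadline ahead or
    today) or 'not-in-kev'; days_to_due is None for unlisted CVEs.
    Listed CVEs are sorted by urgency, unlisted ones go last.
    """
    index = kev_index(kev)
    rows = []
    for cve in cve_ids:
        rec = index.get(cve.upper())
        if rec is None:
            rows.append((cve.upper(), "not-in-kev", None))
            continue
        days = (date.fromisoformat(rec["dueDate"]) - today).days
        rows.append((rec["cveID"], "overdue" if days < 0 else "due", days))
    listed = sorted((r for r in rows if r[2] is not None), key=lambda r: r[2])
    unlisted = [r for r in rows if r[2] is None]
    return listed + unlisted


def demo(today=date(2026, 5, 25)):
    """Triage a constructed watch list against the sample catalog."""
    return triage(SAMPLE_KEV, ["cve-2026-9082", "CVE-0000-0001"], today)


if __name__ == "__main__":
    for cve, status, days in demo():
        print(f"{cve}: {status}" + (f" (due in {days} days)" if days is not None else ""))
```

Swapping `SAMPLE_KEV` for `fetch_kev()` runs the same triage against the live catalog; an organization outside the FCEB is not bound by the due dates, but the article's point is that they are still a sensible ordering for patch work.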

“This type of vulnerability is a common attack by malicious cyber actors and poses a significant risk to government business. [...] Although BOD 22-01 applies only to FCEB agencies, CISA strongly encourages all organizations to reduce their exposure to cyber attacks by prioritizing the timely preparation of the KEV Catalog at risk as part of their risk management,” the cyber security agency warned.

“Use mitigations in each vendor’s instructions, follow applicable BOD 22-01 guidelines for cloud services, or stop using the product if mitigations are not available.”

Over the past few years, CISA has flagged 5 Drupal vulnerabilities that have been exploited in the wild, two of which have been exploited in ransomware attacks.


