Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Important Information about the Drupal "Drupalgeddon2" Vulnerability

    • Updated:
    • 9 Jul 2018
    • Product/Version:
    • Deep Discovery Analyzer
    • Deep Discovery Inspector
    • Deep Security
    • Deep Security As A Service
    • OfficeScan
    • ScanMail for Exchange
    • ServerProtect
    • Smart Protection Server
    • Worry-Free Business Security Advanced
    • Worry-Free Business Security Services
    • Platform:
    • N/A N/A

Updated: April 24, 7:00 PM GMT

On March 28, 2018, Drupal - one of the world's largest open-source web content management platforms reportedly used by over one million sites - issued a highly critical security advisory (SA-CORE-2018-002) which highlights a remote code execution (RCE) vulnerability in versions 6, 7, and 8 of the platform, that if left unpatched, could allow a potential unauthenticated attacker to exploit multiple attack vectors on a site and fully compromise it.

The vulnerability has been nicknamed "Drupalgeddon2" after another recent security flaw and has been assigned the following CVE identifier: CVE-2018-7600.


Vendor Solution

Drupal's recommendation for users running versions 7.x or 8.x core is either to upgrade immediately to the latest versions - currently 7.58 and 8.5.1, or alternately apply the available patches linked in the security advisory.

Even though version 6.x is affected, it has reached End of Life, and Drupal is recommending either to upgrade to a currently supported version or consult the Drupal 6 Long Term Support project.

Drupal also has released a FAQ on this issue located here.  

Trend Micro Recommendation and Solutions

As with any vulnerability, Trend Micro highly recommends that users apply all critical patches and fixes that vendors provide for security issues as soon as possible. These patches will provide the strongest level of defense against any potential attacks.

Since this vulnerability potentially impacts a large number of sites - it is strongly recommended that patches or upgrades are applied as quickly as possible.

At the current time, there is no known public proof-of-concept (POC) or exploit code, however, with the public disclosure of the vulnerability - security researchers (and presumably would-be attackers) are already analyzing the patches. Due to the relative size of potential targets, it is estimated that an exploit or attack may begin to appear within days.

Fortunately, Trend Micro has analyzed the information to see if proactive protection rules and filters may be created to help protect against potential attacks, and has deployed the following:

ProductProtection TypeIdentifier
Deep SecurityIntrusion Prevention Rule11008970 - Drupal Core RCE Vulnerability (CVE-2018-7600)
TippingPointDV Toolkit CSW Filter1

CVE-2018-7600.csw includes 2 filters:

  • Filter C1000001: HTTP: Drupal Core Multiple Subsystems Input Validation Vulnerability (GET)
  • Filter C1000002: HTTP: Drupal Core Multiple Subsystems Input Validation Vulnerability (POST)
Deep Discovery InspectorDDI Rule3575 - CVE-2018-7600 - Remote Code Execution - HTTP (Request) Beta
Anti-Malware  ProductsVSAPI Pattern14.204.06 - ELF64_MUHSTIK.A
Anti-Spware ProductsSpyware (SSAPI) Pattern1.940.44 - HKTL_CVE20187600

1 Due to the nature of the Deep Security rules and TippingPoint filters, certain environments may experience false positives. Customers are advised to review triggers in their networks and put the rules/filters in prevent mode if necessary.

In addition, by default, all filters in the DV Toolkit (DVT) are not enabled and have no recommendation action set.  More information on deploying DVT packages can be found here or by contacting Trend Micro TippingPoint Technical Assistance Center (TAC) with additional questions.


Remove a Malware / Virus
Solution Id:
Did this article help you?

Thank you for your feedback!

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.