CVE-2018-7600

Name: CVE-2018-7600
Creator: NVD / NIST
Published: 2018-03-29T07:29:00.26+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.8/10Actively ExploitedEPSS 99.99%

Last modified Jun 17, 2026

CVE-2018-7600 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.. CISA has confirmed active exploitation in the wild. EPSS estimates a 99.99% chance of exploitation in the next 30 days.

Description

Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

99.99%

100.0th percentile

Probability of exploitation in the next 30 days. Learn more

Exploitation Status

This vulnerability is listed in CISA’s Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. Federal agencies must remediate by May 3, 2022.

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Drupal	Drupal	<= 7.57
Drupal	Drupal	>= 8.0.0, < 8.3.9
Drupal	Drupal	>= 8.4.0, < 8.4.6
Drupal	Drupal	>= 8.5.0, < 8.5.1
Debian	Debian Linux	7.0
Debian	Debian Linux	8.0
Debian	Debian Linux	9.0

References

http://www.securityfocus.com/bid/103534Broken Link, Third Party Advisory, VDB Entry
http://www.securitytracker.com/id/1040598Broken Link, Third Party Advisory, VDB Entry
https://badpackets.net/over-100000-drupal-websites-vulnerable-to-drupalgeddon-2-cve-2018-7600/Broken Link, Third Party Advisory
https://blog.appsecco.com/remote-code-execution-with-drupal-core-sa-core-2018-002-95e6ecc0c714Third Party Advisory
https://github.com/a2u/CVE-2018-7600Third Party Advisory
https://github.com/g0rx/CVE-2018-7600-Drupal-RCEPatch, Third Party Advisory
https://greysec.net/showthread.php?tid=2912&pid=10561Broken Link, Issue Tracking, Third Party Advisory
https://groups.drupal.org/security/faq-2018-002Vendor Advisory
https://lists.debian.org/debian-lts-announce/2018/03/msg00028.htmlThird Party Advisory
https://research.checkpoint.com/uncovering-drupalgeddon-2/Exploit, Third Party Advisory
https://twitter.com/RicterZ/status/979567469726613504Broken Link, Third Party Advisory
https://twitter.com/RicterZ/status/984495201354854401Broken Link, Third Party Advisory
https://twitter.com/arancaytar/status/979090719003627521Third Party Advisory
https://www.debian.org/security/2018/dsa-4156Third Party Advisory
https://www.drupal.org/sa-core-2018-002Vendor Advisory
https://www.exploit-db.com/exploits/44448/Exploit, Third Party Advisory, VDB Entry
https://www.exploit-db.com/exploits/44449/Exploit, Third Party Advisory, VDB Entry
https://www.exploit-db.com/exploits/44482/Exploit, Third Party Advisory, VDB Entry
https://www.synology.com/support/security/Synology_SA_18_17Third Party Advisory
https://www.tenable.com/blog/critical-drupal-core-vulnerability-what-you-need-to-knowThird Party Advisory
http://www.securityfocus.com/bid/103534Broken Link, Third Party Advisory, VDB Entry
http://www.securitytracker.com/id/1040598Broken Link, Third Party Advisory, VDB Entry
https://badpackets.net/over-100000-drupal-websites-vulnerable-to-drupalgeddon-2-cve-2018-7600/Broken Link, Third Party Advisory
https://blog.appsecco.com/remote-code-execution-with-drupal-core-sa-core-2018-002-95e6ecc0c714Third Party Advisory
https://github.com/a2u/CVE-2018-7600Third Party Advisory
https://github.com/g0rx/CVE-2018-7600-Drupal-RCEPatch, Third Party Advisory
https://greysec.net/showthread.php?tid=2912&pid=10561Broken Link, Issue Tracking, Third Party Advisory
https://groups.drupal.org/security/faq-2018-002Vendor Advisory
https://lists.debian.org/debian-lts-announce/2018/03/msg00028.htmlThird Party Advisory
https://research.checkpoint.com/uncovering-drupalgeddon-2/Exploit, Third Party Advisory
https://twitter.com/RicterZ/status/979567469726613504Broken Link, Third Party Advisory
https://twitter.com/RicterZ/status/984495201354854401Broken Link, Third Party Advisory
https://twitter.com/arancaytar/status/979090719003627521Third Party Advisory
https://www.debian.org/security/2018/dsa-4156Third Party Advisory
https://www.drupal.org/sa-core-2018-002Vendor Advisory
https://www.exploit-db.com/exploits/44448/Exploit, Third Party Advisory, VDB Entry
https://www.exploit-db.com/exploits/44449/Exploit, Third Party Advisory, VDB Entry
https://www.exploit-db.com/exploits/44482/Exploit, Third Party Advisory, VDB Entry
https://www.synology.com/support/security/Synology_SA_18_17Third Party Advisory
https://www.tenable.com/blog/critical-drupal-core-vulnerability-what-you-need-to-knowThird Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-7600US Government Resource

Timeline

Published: Mar 29, 2018
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2018-7600?

How severe is CVE-2018-7600?

CVE-2018-7600 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 99.99% probability of exploitation in the next 30 days. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

How do I fix CVE-2018-7600?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2018-7600?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST