Drupal Remote Code Execution


There is now public proof of concept code to exploit this vulnerability:  and Drupal have released updated information on the vulnerability:

"any enabled REST resource end-point, even if it only accepts GET requests, is also vulnerable" 

[The advisory text below has been updated with this information]


On the 20th February Drupal published a critical security advisory outlining a remote code execution vulnerability. The Drupal announcement of this vulnerability is here:

A site is only affected by this if one of the following conditions is met:

  • The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows GET, PATCH or POST requests, or
  • the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.


Shielding Status

At this time our assessment is that RedShield customers are not vulnerable as RedShield will by default:

  1. block command execution attempts which may be delivered as part of any payload attempting to exploit this vulnerability including code embedded in serialised PHP. 
  2. block HTTP PATCH requests


Exploit Proof of Concept 

Public proof of concept code has been released here: 


Recommended Actions

  1. Upgrade Drupal. Even though we believe RedShield customers are not vulnerable Drupal users should upgrade. There is little detail on how the vulnerability is exploited so a full assessment of risk is difficult at this stage.
  2. If you are running Drupal please get in touch with RedShield Support:


Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request