CISA Orders Federal Agencies to Patch Actively Exploited Drupal SQL Injection Flaw by Wednesday

The U.S. Cybersecurity and Infrastructure Security Agency has given federal civilian agencies until midnight on Wednesday, May 27, to patch a critical SQL injection vulnerability in the Drupal content management system that is already being actively exploited in the wild.

The flaw, tracked as CVE-2026-9082, was discovered by Google/Mandiant researcher Michael Maturi in Drupal's database abstraction API. It allows unauthenticated attackers to trigger arbitrary SQL injection on PostgreSQL-powered sites through specially crafted requests, potentially leading to information disclosure, privilege escalation, and remote code execution.

The Drupal security team rated the vulnerability "highly critical" before releasing patches and confirming that exploitation attempts had already been detected.

CISA added CVE-2026-9082 to its Known Exploited Vulnerabilities Catalog on Friday and issued the patching deadline to Federal Civilian Executive Branch agencies under Binding Operational Directive 22-01.

The scale of exploitation attempts has been significant. Cybersecurity firm Imperva warned on May 21 that it had observed more than 15,000 attack attempts targeting nearly 6,000 individual sites across 65 countries since the vulnerability was disclosed.

"Attacks are primarily targeting Gaming and Financial Services sites so far, at collectively almost 50% of all attacks," Imperva said.

Internet security watchdog group Shadowserver is now tracking close to 670 unpatched Drupal installations that remain exposed online. The majority are concentrated in North America, with 272 unpatched instances, and Europe, with 273.

Drupal is widely used by large organizations that manage complex data structures and multi-site deployments, including government entities, educational institutions, major research universities, and high-profile enterprise and media organizations — making the attack surface particularly sensitive.

CISA emphasized that while BOD 22-01 binds only federal agencies, the directive's guidance extends as a strong recommendation to the broader private sector. "This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," the agency warned, urging all organizations to prioritize timely remediation.

CISA's advisory instructs defenders to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if patches are unavailable.

The agency has now flagged five Drupal vulnerabilities as exploited in the wild over the past several years, two of which were also used in ransomware attacks — underscoring the platform's persistent appeal as a target for threat actors.

With hundreds of unpatched installations still exposed and attack attempts accelerating across dozens of countries, the Wednesday deadline reflects how quickly CVE-2026-9082 has moved from disclosure to active exploitation at scale.
