Malicious hackers wasted no time exploiting a critical bug in the Drupal content management system that allows them to execute malicious code on website servers. Just hours after maintainers of the open-source program disclosed the vulnerability, it came under active attack, they said.

So far, the attackers are using proof-of-concept attack code published online that shows one method of exploiting the critical flaw, Drupal security team member Greg Knaddison told Ars. The code has not yet been automated in a way that can target large numbers of sites, in large part because successful exploits require permissions and configuration settings that differ from site to site. So far, Drupal maintainers aren't aware of any successful site take-overs resulting from the vulnerability.

"We have definitely seen proof of concept exploits published online," Knaddison wrote in an e-mail. "It's safe to assume that proof of concept (or others like it) are being used maliciously against individual sites by people who are willing to slowly attack a high value target. It's not yet automated in a way that would let an attacker try it against hundreds of sites."

Now that the vulnerability is actively being exploited maintainers have raised the severity rating to highly critical. Previously, the rating was critical. What follows is the post as it was published at 12:24 PM California time, prior to Drupal maintainers' update.

For the second time in a month, websites that use the Drupal content management system are confronted with a stark choice: install a critical update or risk having your servers infected with ransomware or other nasties.

Maintainers of the open-source CMS built on the PHP programming language released an update patching critical remote-code vulnerability on Wednesday. The bug, formally indexed as CVE-2018-7602, exists within multiple subsystems of Drupal 7.x and 8.x. Drupal maintainers didn't provide details on how the vulnerability can be exploited other than to say that attacks work remotely. The maintainers rated the vulnerability "critical" and urged websites to patch it as soon as possible.

That severity rating is one notch lower than the so-called "Drupalgeddon2" bug maintainers patched late last month. Formally indexed as CVE-2018-7600, that bug also made it possible for attackers to remotely execute code of their choice on vulnerable servers, in that case simply by accessing a URL and injecting exploit code. That issue became public shortly after the patch was released. Since then, multiple attack groups have been actively exploiting the critical flaw to install cryptocurrency miners and malware that performs denial-of-service attacks on other servers.

Among those attacks, malicious hackers recently exploited Drupalgeddon2 to install ransomware on servers that run the website for the Ukrainian Ministry of Energy, Threatpost reported Tuesday. Security researcher Troy Mursch told Ars the report was credible and cited this Web archive of the site, which showed the Ukrainian government site was vulnerable as recently as April 19.

The severity of the Drupal bug patched Wednesday is lower because it's "more complex to exploit and requires more permissions on the site" than the Drupalgeddon2 exploits, a Drupal maintainer told Ars. Maintainers rate the risk of CVE-2018-7602 as 17 out of 25, compared with a 21 out of 25 for Drupalgeddon2 when it was first disclosed. Maintainers are currently unaware of any active exploits of the newly revealed CVE-2018-7602, but despite increased challenges, it wouldn't be surprising to see that situation change.

Websites that are running Drupal 7.x should immediately upgrade to Drupal 7.59. Those running 8.5.x should upgrade to 8.5.3. Normally, maintainers don't provide patches for 8.4.x, but they have made an exception in this case. Those websites should upgrade to 8.4.8 and then to 8.5.3 or the latest secure release.