Good news and bad news.

Two months after a "highly critical" security flaw was found in Drupal, a widely used web-based content management system, most of the million-plus sites thought to be affected have patched their servers.

But thousands of servers remain unpatched and vulnerable to the flaw, according to a new analysis.

In case you missed it, the bug, dubbed Drupalgeddon 2, affected all sites running on Drupal 6 and later. The open source project warned that attackers can exploit the bug, allowing anyone access to, as well the ability to modify or delete private data.

Although at the time there weren't any reported attacks, they soon followed, largely in the form of cryptocurrency mining attacks, where hackers would install mining code on vulnerable sites. Just this week, security researcher Scott Helme tweeted that he found mining code running on NHS England's website, which runs the Drupal platform.

Troy Mursch, who runs the Bad Packets Report, tweeted Tuesday that the number of vulnerable Drupal sites remains high -- and could be even higher.

According to his analysis, 115,070 servers are still vulnerable, while 225,056 sites may be vulnerable but he could not ascertain the version used.

Mursch said in a tweet that at least 1,885 vulnerable sites are in the Alexa top one million sites.

In his analysis, he discovered a new cryptojacking campaign targeting Drupal sites. "One of the affected sites was a police department's website in Belgium," he wrote. Cloudflare, which provided protections for the cryptomining code, later dropped its service.

If you haven't patched your Drupal install already, now is a good time.