Two months after the Drupal project released a patch for a highly critical security flaw, there are over 115,000 Drupal sites that have failed to install the fix and are now at the mercy of cyber-criminals.

This estimation comes from Troy Mursch, a US-based security researcher, who spent the last few days scanning the Internet for all sites running a version of the Drupal 7.x CMS.

Mursch was able to find over 500,000 of these sites, and he says that he was able to identify 115,070 websites running an outdated Drupal 7.x CMS version, vulnerable to CVE-2018-7600, also known as Drupalgeddon 2.

Drupalgeddon 2

CVE-2018-7600 is a security flaw that came to light in late March 2018 and was considered one of the most severe security flaws to affect the Drupal CMS since the original Drupalgeddon flaw discovered back in 2014.

The vulnerability allows attackers to take over a site just by accessing a malformed URL, no authentication required. Patches were made available for Drupal 6.x, 7.x, and 8.x versions.

Mursch's scan didn't look for 6.x and 8.x sites, but the 500,000 sites he managed to identify and scan are believed to be half of all the Drupal sites deployed online today.

Drupal cryptojacking campaigns have expanded

Hackers started exploiting the Drupalgeddon 2 vulnerability only two weeks after patches came out because most hackers didn't know how to attack the flaw. Exploitation attempts began soon after the publication of public proof-of-concept code.

Since then, the flaw has been used to infect servers with backdoors, coinminers, cryptojackers, and IoT botnet malware. Mursch himself previously discovered a large cryptojacking campaign using the Drupalgeddon 2 flaw to infect sites' frontend code with an in-browser miner.

In a report published today, Mursch says those cryptojacking campaigns didn't stop after his first report but actually expanded in scope.

The researcher published a Google Docs spreadsheet at the start of May to track the original campaign, but now, the spreadsheet includes data on several different campaigns and thousands more compromised Drupal sites.

With 115,000 of Drupal 7.x sites still without the Drupalgeddon 2 patch, these campaigns have loads of cannon fodder at their disposal.

UPDATE [June 7]: In a statement on its official website, Drupal disputed Mursch's report, claiming that c hecking for CHANGELOG.TXT was "not a valid way to determine whether a site is vulnerable to any given attack vector."