About 115,000 Drupal sites are still vulnerable to Drupalgeddon 2, a vulnerability that allows hackers to take over sites, according to security researcher Troy Mursch. Drupal issued a patch for this vulnerability 2 months ago. Ashley Stephenson, CEO at Corero Network Security, commented below.
Ashley Stephenson, CEO at Corero Network Security:
“With hundreds of alerts and patches to contend with, IT teams are overwhelmed. Evaluating the most serious patches to employ first and understanding the impact of those patches on the rest of the network is a superhuman task. While Drupal is a serious vulnerability, there are also hundreds of other vulnerabilities vying for attention. So it is not surprising that companies have not patched this vulnerability right away. Between patch fatigue and the hype surrounding dangerous vulnerabilities, companies become inured to the required immediacy of patching this type of vulnerability. The bad guys rely on negligence or ignorance for a continued supply of vulnerable systems for years after a fix or patch is available. Greater penetration of auto-update schemes from responsible vendors is helping to address this issue, but many systems do not or cannot allow for unattended updates without suitable testing cycles or manual intervention.”