CVE-2018-7602

CRITICAL KEV RANSOMWARE NUCLEI LAB

Drupal 7.x < 7.59 - Remote Code Execution


Exploitation Summary

CVE-2018-7602 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added April 13, 2022, with confirmed use in ransomware campaigns. EIP tracks 11 public exploits from researchers including SixP4ck3r, Blaklis, and 1337g. A Nuclei detection template is also available.

Description

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.

Exploits (11)

exploitdb WORKING POC VERIFIED
by SixP4ck3r · ruby · webapps · php
https://www.exploit-db.com/exploits/44557

This Metasploit module exploits CVE-2018-7602 (Drupalgeddon3), a remote code execution vulnerability in Drupal 7.x and 8.x. It leverages a chain of HTTP requests to inject and execute arbitrary PHP code via a malicious payload encoded in base64.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Drupal 7.x and 8.x
Auth required
Prerequisites: Authenticated Drupal session · Valid Drupal node ID · Access to the target URI
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Blaklis · text · webapps · php
https://www.exploit-db.com/exploits/44542

This exploit leverages a Drupal 7 vulnerability (CVE-2018-7602) by manipulating form inputs to achieve remote command execution via the 'passthru' function. It requires authentication and a valid CSRF token to trigger the payload.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Drupal 7.x
Auth required
Prerequisites: Authenticated session · Permission to delete nodes · Valid CSRF token
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 6 stars
by 1337g · remote
https://github.com/1337g/Drupalgedon3

This is a functional PoC for CVE-2018-7602, exploiting a remote code execution vulnerability in Drupal via a crafted POST request to inject and execute arbitrary commands. The exploit leverages Drupal's form API and AJAX endpoints to bypass input sanitization.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Drupal < 7.58, < 8.3.9, < 8.4.6, < 8.5.1
No auth needed
Prerequisites: Target Drupal instance with vulnerable version · Network access to the target
devstral-2 · analyzed Feb 16, 2026

github WORKING POC 1 star
by vaishakhcv · perl · poc
https://github.com/vaishakhcv/CVE-exploits/tree/master/CVE-2018-7602

This Perl script exploits CVE-2018-7602 (Drupalgeddon2), a remote code execution vulnerability in Drupal 7 and 8. It sends crafted HTTP requests to trigger arbitrary command execution via PHP functions like 'passthru'.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Drupal 7.x and 8.x
No auth needed
Prerequisites: target URL list file
devstral-2 · analyzed Feb 27, 2026

nomisec WORKING POC 1 star
by cyberharsh · remote-auth
https://github.com/cyberharsh/DrupalCVE-2018-7602

This repository contains a Python-based exploit for CVE-2018-7602, a remote code execution vulnerability in Drupal 7 <= 7.58. The exploit leverages a double-encoded URL to bypass sanitization and execute arbitrary commands via the 'destination' parameter in the user account cancellation form.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Drupal 7 <= 7.58
Auth required
Prerequisites: Valid Drupal user credentials · Access to the Drupal login page · Drupal 7 <= 7.58 installation
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 star
by kastellanos · poc
https://github.com/kastellanos/CVE-2018-7602

This repository contains a functional Metasploit module for CVE-2018-7602, a remote code execution vulnerability in Drupal 7.x and 8.x. The exploit leverages authenticated session cookies to execute arbitrary commands via a crafted POST request to a node deletion endpoint.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Drupal 7.x and 8.x (specifically tested on 7.57)
Auth required
Prerequisites: Authenticated Drupal session cookie · Existing node ID · Docker environment for testing
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by 132231g · poc
https://github.com/132231g/CVE-2018-7602

This YAML-based PoC exploits CVE-2018-7602 (Drupalgeddon2) by chaining authentication, form token extraction, and command injection via malicious URL parameters to achieve remote code execution (RCE). It verifies success by checking for a random echo string in the response.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Drupal (versions < 7.58, 8.x < 8.5.1, 8.4.x < 8.4.6)
Auth required
Prerequisites: Valid Drupal admin credentials · Access to the Drupal login page · Drupal installation vulnerable to CVE-2018-7602
devstral-2 · analyzed Feb 16, 2026

github WORKING POC
by winterwolf32 · perl · poc
https://github.com/winterwolf32/CVE_Exploits-/tree/master/CVE-2018-7602

This Perl script exploits CVE-2018-7602 (Drupalgeddon2), a remote code execution vulnerability in Drupal 7 and 8. It sends crafted HTTP requests to trigger arbitrary command execution via PHP functions like 'passthru'.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Drupal 7.x and 8.x
No auth needed
Prerequisites: Target URL list file · Perl environment with required modules
devstral-2 · analyzed Feb 27, 2026

nomisec WORKING POC
by happynote3966 · remote
https://github.com/happynote3966/CVE-2018-7602

This repository contains a functional exploit for CVE-2018-7602 (Drupalgeddon3), a remote code execution vulnerability in Drupal. The exploit leverages a deserialization flaw in Drupal's form API to execute arbitrary commands on the target system.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Drupal 7.x and 8.x
Auth required
Prerequisites: Valid session cookie · Existing node ID on the target Drupal site
devstral-2 · analyzed Feb 16, 2026

vulncheck_xdb SCANNER
remote
https://github.com/1AmG0d/myDrupal

The repository contains a Python script that scans Drupal installations to detect versions vulnerable to CVE-2018-7600 and CVE-2018-7602. It checks version numbers by fetching CHANGELOG.txt or other files and compares them against known vulnerable versions.

Classification: Scanner 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Drupal 6.x, 7.x, 8.x
No auth needed
Prerequisites: Access to the target Drupal site
devstral-2 · analyzed Feb 25, 2026

vulncheck_xdb WORKING POC
remote
https://github.com/pimps/CVE-2018-7600

The repository contains functional exploit code for CVE-2018-7600 and CVE-2018-7602, targeting Drupal 7. The exploits leverage form poisoning and cache manipulation to achieve remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Drupal 7 <= 7.57 (CVE-2018-7600) and Drupal 7 <= 7.58 (CVE-2018-7602)
No auth needed
Prerequisites: Access to the target Drupal site · Python environment with requests and bs4 libraries
devstral-2 · analyzed Feb 25, 2026

Nuclei Templates (1)

Drupal - Remote Code Execution
CRITICAL · by princechaddha
Shodan: http.component:"drupal" || cpe:"cpe:2.3:a:drupal:drupal"

References (8)

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44557/
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1040754
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2018/04/msg00030.html
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44542/
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2018/dsa-4180
Patch, Vendor Advisory x_refsource_confirm
https://www.drupal.org/sa-core-2018-004
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/103985

Scores

CVSS v3 9.8
EPSS 0.9907
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Lab Environment

COMMUNITY SUSPICIOUS
Community Lab
docker pull kastellanos/metasploit-framework:1.0
docker pull drupal:7.57
docker pull vaday/drupal:new

Details

CISA KEV 2022-04-13
VulnCheck KEV 2018-07-19
InTheWild.io 2021-04-20
ENISA EUVD EUVD-2024-1058
Ransomware Use Confirmed
CWE
CWE-94
Status published
Products (6)
debian/debian_linux 7.0
debian/debian_linux 8.0
debian/debian_linux 9.0
drupal/core 7.0 - 7.59 (Packagist)
drupal/drupal 7.0 - 7.59
drupal/drupal 7.0 - 7.59 (Packagist)
Published Jul 19, 2018
KEV Added Apr 13, 2022
Tracked Since Feb 18, 2026