This is to inform you that the Drupal CMS team has fixed a highly critical security flaw that allows hackers to take over a site just by accessing an URL.
This means that Drupal site owners like yourself should immediately update your sites to Drupal 7.58 or Drupal 8.5.1, depending on the version you’re running.
The Drupal team pre-announced the recent patches last week when it said “exploits might be developed within hours or days” after the disclosure.
Drupal affected by unauthenticated RCE flaw
The bug —tracked under the CVE-2018-7600 identifier— allows an attacker to run any code he desires against the CMS’ core component, effectively taking over the site.
The attacker doesn’t need to be registered or authenticated on the targeted site, and all the attacker needs to do is access the URL. Here are some relevant FAQs regarding the vulnerability.