CISA Adds Drupal SQL Injection Vulnerability to KEV Catalog Following Mass Exploitation

CISA added the CVE-2026-9082 SQL injection vulnerability in Drupal Core to its Known Exploited Vulnerabilities (KEV) catalog on May 22, 2026. The federal agency has set a May 27, 2026, deadline for Federal Civilian Executive Branch (FCEB) agencies to apply necessary patches, confirming that the flaw is already being actively exploited in the wild.

Data from Imperva indicates more than 15,000 attack attempts against nearly 6,000 individual sites across 65 countries within just 48 hours of the patch release on May 20. An update to the Drupal security advisory on May 22 confirmed that exploitation attempts have been detected globally, though Drupal 7 remains explicitly unaffected by the vulnerability.

Rapid Shift from Patch Release to Global Mass Scanning

Patches for CVE-2026-9082 were released on May 20, 2026, covering all supported Drupal Core branches. Within two days, exploitation activity had already crossed the threshold for mass detection. Imperva documented over 15,000 attack attempts against nearly 6,000 individual sites distributed across 65 countries. A significant concentration was noted in the gaming and financial services sectors, which collectively accounted for nearly 50% of the total attack volume.

The speed of the transition from patch availability to active mass exploitation is the defining element of this incident. The Drupal Security Team had warned on May 19 that exploits could be developed within hours or days. This prediction proved conservative; the actual time to exploitation was measured in hours, and the campaign achieved global scale before many organizations could even schedule maintenance windows for updates.

Technical Mechanics: SQL Injection and Potential Escalation

According to CISA, "Drupal Core contains a SQL injection vulnerability that could allow for privilege escalation and remote code execution via specially crafted requests sent with the database abstraction API." While the assigned CVSS score is 6.5, its operational criticality exceeds the purely numerical metric. Drupal remains one of the most widely used CMS platforms in enterprise and government web ecosystems, and the database abstraction API is a core component inherently exposed to external requests.

The activity observed by Imperva reveals a precise pattern. Attackers are actively probing to identify sites utilizing PostgreSQL backends. This suggests that the threat actor community has already mapped the conditions for a reliable exploitation chain, focusing efforts on specific target configurations rather than acting indiscriminately.

"Attacks are primarily targeting gaming and financial services sites so far, at collectively almost 50% of all attacks" — Imperva, as reported by The Hacker News

Global Campaign Scope and Sector Targeting

Targeting nearly 6,000 sites across 65 countries indicates a global mass-scanning campaign rather than a localized effort. While specific regional breakdowns were not detailed, the scale suggests the use of infrastructure capable of probing widely distributed networks. The focus on PostgreSQL-backed sites is particularly relevant: while Drupal supports multiple database configurations, the selection of this specific backend indicates that attackers are concentrating resources where they have confirmed exploitation success.

The gaming and financial services sectors have emerged as primary targets. Both verticals combine high traffic, large attack surfaces, and highly monetizable user data, making them attractive for operations aiming at data exfiltration, defacement, or pivoting into payment infrastructures. Current reports do not quantify how many sites suffered successful compromise versus mere probing; the distinction between scanning and successful exploitation remains a limitation in the currently available data.

Recommended Mitigation and Response

For administrations and organizations managing Drupal instances, the following immediate actions are required:

• Verify versions and apply patches by May 27, 2026 for FCEB agencies operating under KEV compliance. For the private sector, there is no remaining grace period following the patch release.
• Prioritize monitoring and isolation of PostgreSQL-backed systems, as threat intelligence indicates this configuration is the primary target of the active campaign.
• Review web server and database logs for the period of May 20–26, 2026, to identify suspicious injection attempts or scanning patterns directed at the database abstraction API. Attacks were observed starting within 48 hours of the patch release.
• Confirm that Drupal 7 instances are truly unaffected, as stated by the Drupal Security Team, to avoid unnecessary patching while ensuring an accurate asset inventory.

Analysis: Rapid Exploitation Reshapes Risk Calculations

The CVE-2026-9082 incident highlights a structural shift in the threat landscape: the interval between patch release and mass exploitation has contracted to a point where organizations with weekly or monthly update cycles are operating under a state of confirmed vulnerability. A 48-hour window is no longer an outlier for CMS-class vulnerabilities; it is becoming the standard for threat actors with rapid-reaction capabilities and access to distributed resources.

Imperva’s data—over 15,000 attacks in two days—measures the scale of the threat, but the qualitative data is equally significant. The selective targeting of PostgreSQL backends indicates operational maturity rather than random opportunism. Attackers are investing in preliminary technical scouting, raising the stakes for organizations that lack real-time visibility into their attack surface.

CISA’s decision to add this to the KEV with a May 27 deadline reflects a risk assessment that views the exploitation as structured and established, not merely emerging. For many organizations, the gap between official recommendations and operational reality is measured in the few hours between a patch release and the start of a technical shift. This brief window underscores the critical need for automated or expedited remediation for exposed systems.

Information has been verified against cited sources and is current as of the time of publication.

Sources

• https://thehackernews.com/2026/05/drupal-core-sql-injection-bug-actively.html
• https://thehackernews.com/2026/05/drupal-to-release-urgent-core-security.html