CVE-2024-55638: Highly Critical Drupal Core Vulnerability Threatens PostgreSQL Sites with Remote Code Execution (RCE)

Executive Summary

A highly critical vulnerability, CVE-2024-55638, has been discovered in Drupal Core, specifically impacting sites that utilize PostgreSQL as their backend database. This flaw enables a sophisticated attack vector known as PHP Object Injection, which, when chained with a separate deserialization vulnerability, can escalate to full Remote Code Execution (RCE) on the affected system. While the vulnerability is not directly exploitable in isolation, its presence dramatically increases the risk profile for any Drupal installation that leverages third-party modules or custom code with unsafe unserialize() usage. The risk is particularly acute for organizations with complex or heavily customized Drupal deployments, as attackers are actively seeking such chained vulnerabilities in popular content management systems. Immediate action is required to mitigate the risk, as the vulnerability is rated highly critical and has a high likelihood of exploitation in the near future.

Technical Information

The vulnerability, tracked as CVE-2024-55638, is classified as a Deserialization of Untrusted Data (CWE-502) and Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915). It affects Drupal Core versions 7.x prior to 7.102, 8.0.0 and above prior to 10.2.11, and 10.3.0 prior to 10.3.9. The patched versions are 7.102, 10.2.11, and 10.3.9, respectively.

The core issue lies in a "gadget chain" within Drupal Core that can be abused if an insecure deserialization vulnerability exists elsewhere in the application stack. This gadget chain does not, by itself, allow for direct exploitation; however, if an attacker can supply malicious input to PHP's unserialize() function—often exposed via vulnerable third-party modules or custom code—they can leverage the gadget chain to achieve arbitrary code execution. The attack vector is network-based, but exploitation requires chaining with another vulnerability, typically one that allows user-supplied data to reach unserialize().

The attack complexity is high, as it requires both a vulnerable deserialization point and the presence of the gadget chain. Privileges required are also high, often necessitating administrative access or the ability to execute code within the application context. No user interaction is required for exploitation once the preconditions are met.

The vulnerability is particularly relevant for Drupal sites using PostgreSQL as the backend, as the gadget chain is specific to this configuration. Sites using other database backends may not be directly affected by this flaw, but should still review their code for unsafe deserialization practices.

The risk is compounded by the widespread use of third-party modules in the Drupal ecosystem, many of which may not adhere to secure coding practices regarding serialization and deserialization. Attackers are known to scan for such vulnerabilities in popular CMS platforms, making timely patching and code review essential.

Exploitation in the Wild

As of the latest advisories and open-source intelligence, there are no confirmed reports of this specific gadget chain being exploited in the wild against Drupal Core alone. However, the risk factors are significant due to the prevalence of insecure deserialization bugs in third-party modules and custom code. The EPSS (Exploit Prediction Scoring System) score for this vulnerability is 9.93% (93rd percentile), indicating a high likelihood of exploitation within the next 30 days.

Attackers are actively scanning for deserialization vulnerabilities in popular CMS platforms, and the presence of this gadget chain in Drupal Core increases the attractiveness of Drupal sites as targets. The attack surface is particularly broad for organizations that rely on custom modules or have not rigorously audited their codebase for unsafe unserialize() usage.

Indicators of compromise include unusual or unauthorized PHP object structures in database fields or logs, unexpected calls to unserialize() in custom or third-party modules, suspicious admin-level activity or privilege escalation attempts, and the presence of webshells or unexpected files in Drupal directories.

APT Groups using this vulnerability

At this time, there is no public attribution of exploitation of CVE-2024-55638 by any known Advanced Persistent Threat (APT) groups. No sector or country-specific targeting has been reported in connection with this vulnerability. However, the nature of the flaw and its potential for RCE make it a likely candidate for adoption by sophisticated threat actors should a reliable exploit chain become available. The lack of current attribution should not be interpreted as a lack of risk; rather, it underscores the importance of proactive mitigation before exploitation becomes widespread.

Affected Product Versions

The affected products are Drupal Core versions 7.x prior to 7.102, 8.0.0 and above prior to 10.2.11, and 10.3.0 prior to 10.3.9. The vulnerability is specific to sites using PostgreSQL as the backend database. Any Drupal installation running these versions in conjunction with PostgreSQL is at risk, especially if third-party modules or custom code are present that may introduce unsafe unserialize() usage.

Patched versions are Drupal Core 7.102, 10.2.11, and 10.3.9. Organizations should prioritize upgrading to these versions immediately to mitigate the risk.

Workaround and Mitigation

The primary mitigation strategy is to upgrade Drupal Core to the latest patched versions: 7.102, 10.2.11, or 10.3.9, depending on your deployment. This action will neutralize the gadget chain within the core codebase.

In addition to upgrading, organizations should conduct a comprehensive audit of all custom and third-party code for unsafe usage of PHP's unserialize() function. Any instance where user-supplied data is passed to unserialize() should be considered a critical vulnerability and remediated immediately. Developers should use safer alternatives such as json_decode() for data serialization and deserialization whenever possible.

Monitoring and alerting should be implemented for suspicious activity, including unexpected object structures in database fields, unauthorized calls to unserialize(), and anomalous administrative actions. If using non-standard database drivers, review their documentation for any additional configuration requirements related to serialization and deserialization.
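The two checks above (listing what a stored serialized value actually contains, and finding unserialize() calls fed by request data) can be partly scripted. This is an added example, not Rescana's or Drupal's code: it walks PHP serialize() output and returns the object classes it carries, and greps PHP source for unserialize() called on a request superglobal. The sample blobs, the PHP snippet and the class names are constructed.

```python
import re

# Added audit helper (not Drupal code): walks a PHP serialize() blob and lists every
# object class it carries, so a stored value can be checked for objects it should not have.
def serialized_classes(blob: bytes) -> list:
    found, pos = [], 0
    def read_int(start):                 # digits up to the next ':'; returns (value, next index)
        end = blob.index(b':', start)
        return int(blob[start:end]), end + 1
    def parse():
        nonlocal pos
        tag = blob[pos:pos + 1]
        if tag == b'N':                                        # N;
            pos += 2
        elif tag in (b'b', b'i', b'd', b'r', b'R'):            # b:1; i:42; d:1.5; r:2; R:2;
            pos = blob.index(b';', pos) + 1
        elif tag == b's':                                      # s:LEN:"raw bytes";
            length, pos = read_int(pos + 2)
            pos += 1 + length + 2                              # LEN is a byte count, so quotes inside are skipped
        elif tag == b'a':                                      # a:COUNT:{key value ...}
            count, pos = read_int(pos + 2)
            pos += 1
            for _ in range(2 * count):
                parse()
            pos += 1
        elif tag in (b'O', b'C'):   # O:LEN:"Class":COUNT:{props} or C:LEN:"Class":DLEN:{data}
            name_len, pos = read_int(pos + 2)
            found.append(blob[pos + 1:pos + 1 + name_len].decode())
            pos += 1 + name_len + 2
            count, pos = read_int(pos)
            pos += 1
            if tag == b'O':
                for _ in range(2 * count):
                    parse()
            else:
                pos += count                                   # opaque Serializable payload
            pos += 1
        else:
            raise ValueError(f"bad tag {tag!r} at offset {pos}")
    parse()
    if pos != len(blob):
        raise ValueError("trailing bytes after serialized value")
    return found

# Crude grep-level aid for the code audit: unserialize() fed straight from a request
# superglobal with no allowed_classes option. Line-based; not a taint analysis.
UNSAFE_UNSERIALIZE = re.compile(r'unserialize\s*\((?![^;]*allowed_classes)[^;]*\$_(?:GET|POST|REQUEST|COOKIE)\b')

def find_unsafe_unserialize(php_source: str) -> list:
    return [n for n, line in enumerate(php_source.splitlines(), 1) if UNSAFE_UNSERIALIZE.search(line)]
```

A value whose class list is anything other than empty where only arrays and scalars are expected is worth investigating; a parse error on a field that should hold serialize() output is equally suspicious.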

Finally, organizations should stay informed of updates from the Drupal security team and the maintainers of any third-party modules in use, as further advisories or patches may be released in response to evolving threat intelligence.

References

NVD Entry for CVE-2024-55638
Drupal Security Advisory SA-CORE-2024-008
GitHub Advisory Database
Red Hat Customer Portal
BitSight CVE-2024-55638

Rescana is here for you

Rescana is committed to helping organizations manage and mitigate third-party and supply chain cyber risks. Our TPRM platform provides continuous monitoring, automated risk assessment, and actionable insights to help you stay ahead of emerging threats in your digital ecosystem. If you have any questions about this advisory or require assistance with incident response, risk assessment, or best practices for securing your Drupal environment, please contact us at ops@rescana.com. Our team of experts is ready to support your cybersecurity needs.