CVE-2024-55638: Highly Critical Drupal Core Vulnerability Threatens PostgreSQL Sites with Remote Code Execution (RCE)

Executive Summary

A critical vulnerability identified as CVE-2024-55638 has emerged within Drupal Core, particularly affecting installations that utilize PostgreSQL as their backend database. This vulnerability introduces a complex attack vector known as PHP Object Injection, which can escalate to full Remote Code Execution (RCE) when combined with another deserialization flaw. While the vulnerability cannot be exploited on its own, it significantly heightens the risk for any Drupal installation that employs third-party modules or custom code that improperly utilizes the unserialize() function. Organizations with intricate or heavily customized Drupal setups face an increased threat, as attackers are actively searching for such vulnerabilities in widely used content management systems. Immediate action is essential to mitigate this risk, given its high criticality and the likelihood of exploitation in the near future.

Technical Information

The vulnerability, designated as CVE-2024-55638, falls under the categories of Deserialization of Untrusted Data (CWE-502) and Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915). It affects Drupal Core versions 7.x prior to 7.102, 8.0.0 and above prior to 10.2.11, and 10.3.0 prior to 10.3.9. The patched versions are 7.102, 10.2.11, and 10.3.9, respectively.

The core issue resides in a “gadget chain” within Drupal Core that can be exploited if an insecure deserialization vulnerability exists elsewhere in the application stack. While this gadget chain does not permit direct exploitation, an attacker can leverage it to achieve arbitrary code execution if they can supply malicious input to PHP’s unserialize() function—often exposed through vulnerable third-party modules or custom code. The attack vector is network-based, requiring the combination of this vulnerability with another that allows user-supplied data to reach unserialize().

The complexity of the attack is high, necessitating both a vulnerable deserialization point and the presence of the gadget chain. Additionally, elevated privileges are typically required, often demanding administrative access or the ability to execute code within the application context. Notably, no user interaction is necessary for exploitation once the preconditions are satisfied.

This vulnerability is particularly pertinent for Drupal sites utilizing PostgreSQL as their backend, as the gadget chain is specific to this configuration. While sites using alternative database backends may not be directly impacted, they should still scrutinize their code for unsafe deserialization practices. The risk is exacerbated by the widespread reliance on third-party modules in the Drupal ecosystem, many of which may not follow secure coding practices regarding serialization and deserialization. Attackers are known to actively scan for such vulnerabilities in popular CMS platforms, making timely patching and code review imperative.

Exploitation in the Wild

Currently, there are no confirmed reports of this specific gadget chain being exploited in the wild against Drupal Core alone, based on the latest advisories and open-source intelligence. However, the risk factors remain significant due to the prevalence of insecure deserialization bugs in third-party modules and custom code. The EPSS (Exploit Prediction Scoring System) score for this vulnerability stands at 9.93% (93rd percentile), indicating a high likelihood of exploitation within the next 30 days.

Attackers are actively searching for deserialization vulnerabilities in popular CMS platforms, and the presence of this gadget chain in Drupal Core enhances the appeal of Drupal sites as targets. The attack surface is particularly broad for organizations that depend on custom modules or have not rigorously audited their codebase for unsafe unserialize() usage. Indicators of compromise may include unusual or unauthorized PHP object structures in database fields or logs, unexpected calls to unserialize() in custom or third-party modules, suspicious administrative activity, and the presence of webshells or unexpected files in Drupal directories.

APT Groups using this vulnerability

At present, there is no public attribution of exploitation of CVE-2024-55638 by any known Advanced Persistent Threat (APT) groups. No sector or country-specific targeting has been reported in connection with this vulnerability. However, the nature of the flaw and its potential for RCE make it a likely candidate for adoption by sophisticated threat actors should a reliable exploit chain become available. The absence of current attribution should not be misconstrued as a lack of risk; rather, it highlights the necessity for proactive mitigation before exploitation becomes widespread.

Affected Product Versions

The affected products include Drupal Core versions 7.x prior to 7.102, 8.0.0 and above prior to 10.2.11, and 10.3.0 prior to 10.3.9. This vulnerability is particularly relevant for sites using PostgreSQL as the backend database. Any Drupal installation operating these versions alongside PostgreSQL is at risk, especially if third-party modules or custom code are present that may introduce unsafe unserialize() usage. Organizations are urged to prioritize upgrading to the patched versions: Drupal Core 7.102, 10.2.11, and 10.3.9.

Workaround and Mitigation

The primary mitigation strategy involves upgrading Drupal Core to the latest patched versions: 7.102, 10.2.11, or 10.3.9, depending on your deployment. This action will neutralize the gadget chain within the core codebase.

In addition to upgrading, organizations should conduct a thorough audit of all custom and third-party code for unsafe usage of PHP’s unserialize() function. Any instance where user-supplied data is passed to unserialize() should be treated as a critical vulnerability and addressed immediately. Developers are encouraged to utilize safer alternatives, such as json_decode(), for data serialization and deserialization whenever feasible.
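One way to start the audit described above is a small scanner that lists every unserialize() call in a code tree and flags those with no allowed_classes option. This is an added example, not code from Drupal or Rescana; the PHP snippets it scans are constructed stand-ins for custom module files.

```python
import re

# Constructed PHP snippets standing in for custom and contributed module code under audit.
SAMPLE_PHP = {
    "modules/custom/foo/foo.module": '''<?php
function foo_load($request) {
  $data = $request->query->get('state');
  return unserialize($data);
}
''',
    "modules/custom/bar/src/Bar.php": '''<?php
$settings = unserialize($row->data, ['allowed_classes' => FALSE]);
$config = json_decode($request->getContent(), TRUE);
''',
}

# Any call named unserialize(), including $serializer->unserialize(); those get a 'review' verdict too.
CALL_RE = re.compile(r'\bunserialize\s*\(', re.IGNORECASE)

def _call_args(src, open_paren):
    """Return the text inside the parentheses that open at open_paren (nesting-aware)."""
    depth = 0
    for i in range(open_paren, len(src)):
        if src[i] == '(':
            depth += 1
        elif src[i] == ')':
            depth -= 1
            if depth == 0:
                return src[open_paren + 1:i]
    return src[open_paren + 1:]          # unbalanced parentheses: take the rest of the file

def audit_unserialize(files):
    """Return (path, line, verdict, args) for each unserialize() call found.

    'unsafe': no allowed_classes option, so any class, and thus any gadget chain, can be instantiated.
    'review': allowed_classes is set; still confirm the input cannot originate from a user.
    """
    findings = []
    for path, src in files.items():
        for m in CALL_RE.finditer(src):
            args = _call_args(src, m.end() - 1).strip()
            line = src.count('\n', 0, m.start()) + 1
            verdict = 'review' if 'allowed_classes' in args.lower() else 'unsafe'
            findings.append((path, line, verdict, args))
    return findings
```

Feed it the contents of every .php, .module and .inc file under modules/ and sites/; each 'unsafe' finding whose argument can be reached by request data is exactly the precondition the gadget chain needs.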

Monitoring and alerting mechanisms should be established for suspicious activity, including unexpected object structures in database fields, unauthorized calls to unserialize(), and anomalous administrative actions. If utilizing non-standard database drivers, it is advisable to review their documentation for any additional configuration requirements related to serialization and deserialization.
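For the "unexpected object structures in database fields" check above, the following added example (not Rescana's or Drupal's code) walks PHP's serialization format and reports the class names of every object a stored value would instantiate, including objects nested inside arrays and C: custom-serialized objects. The sample rows are constructed; in practice the values would be read from cache, key/value or field tables.

```python
SAMPLES = {  # constructed sample values standing in for rows from a cache or key/value table
    "benign_array": 'a:2:{s:3:"key";s:5:"value";i:0;b:1;}',
    "benign_scalar": 'i:42;',
    "nested_object": 'a:1:{s:4:"data";O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}}',
    "custom_serialized": 'C:7:"MyClass":5:{hello}',
    "not_serialized": '{"json": true}',
}

def _expect(s, pos, ch):
    if s[pos:pos + 1] != ch:
        raise ValueError('expected %r at offset %d' % (ch, pos))
    return pos + 1
def _parse(s, pos, found):
    """Parse one value at pos, append O:/C: class names to found, return the end offset."""
    t = s[pos]
    if t in 'NbidrR':                                # N; b:1; i:42; d:1.5; r:1; R:1;
        return s.index(';', pos) + 1
    if t == 's':                                     # s:<len>:"<bytes>";
        colon = s.index(':', pos + 2)
        end = colon + 2 + int(s[pos + 2:colon])
        if s[end:end + 2] != '";':
            raise ValueError('malformed string at offset %d' % pos)
        return end + 2
    if t == 'a':                                     # a:<n>:{key;value;...}
        colon = s.index(':', pos + 2)
        n, pos = int(s[pos + 2:colon]), colon + 2
        for _ in range(2 * n):
            pos = _parse(s, pos, found)
        return _expect(s, pos, '}')
    if t in 'OC':                                    # O:<len>:"<class>":<n>:{...}  C:<len>:"<class>":<bytes>:{...}
        colon = s.index(':', pos + 2)
        pos = colon + 2 + int(s[pos + 2:colon])      # offset of the closing quote of the class name
        found.append(s[colon + 2:pos])
        colon2 = s.index(':', pos + 2)
        n, pos = int(s[pos + 2:colon2]), colon2 + 2
        if t == 'C':                                 # opaque payload of n bytes
            return _expect(s, pos + n, '}')
        for _ in range(2 * n):
            pos = _parse(s, pos, found)
        return _expect(s, pos, '}')
    raise ValueError('unsupported token %r at offset %d' % (t, pos))

def object_classes(value):
    """Class names of every object in a PHP-serialized value; None if it is not valid serialization."""
    found = []
    try:
        end = _parse(value, 0, found)
    except (ValueError, IndexError):
        return None
    return found if end == len(value) else None
```

Alert on any class name that is not on the allow-list of classes your site legitimately stores; a scalar or array result is expected, an unexpected class is the indicator of compromise the advisory describes.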

Lastly, organizations should remain vigilant for updates from the Drupal security team and the maintainers of any third-party modules in use, as further advisories or patches may be issued in response to evolving threat intelligence.

Rescana is here for you

Rescana is dedicated to assisting organizations in managing and mitigating third-party and supply chain cyber risks. Our TPRM platform offers continuous monitoring, automated risk assessment, and actionable insights to help you stay ahead of emerging threats in your digital ecosystem. For inquiries regarding this advisory or for assistance with incident response, risk assessment, or best practices for securing your Drupal environment, please reach out to us at ops@rescana.com. Our team of experts is prepared to support your cybersecurity needs.
