Think you have a false positive on this rule?

Sid 1-46316


SERVER-WEBAPP Drupal 8 remote code execution attempt


This event is generated when an attempt to exploit CVE-2018-7600 is detected.


Attempted Administrator Privilege Gain


CVSS base score

CVSS impact score

CVSS exploitability score

Confidentiality Impact

Integrity Impact

Availability Impact

Detailed information

CVE-2018-7600 is an issue with Drupal < 7.58 and < 8.51 where improper validation and sanitizing of internal Drupal attributes can lead to remote code execution on an affected system. CVE-2018-7600: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.

Affected systems

Ease of attack

Simple, public PoC's are available.

False positives

False negatives

Corrective action

Patch your Drupal instance to the newest version.


  • Cisco's Talos Intelligence Group

Additional References