Drupal announced its third critical website bug found in the last month and has issued an unscheduled security update to patch a code-execution bug that is being actively exploited in the wild.
The most recent update affects multiple subsystems of Drupal 7.x and 8.x and addresses a Highly critical remote code execution vulnerability that allows attackers to exploit multiple attack vectors on a Drupal site, potentially leading to a compromise, according to a 25 April security advisory.
Users running versions 7.x should upgrade to Drupal 7.59, users running versions 8.5.x should upgrade to Drupal 8.5.3 and users running versions 8.4.x should upgrade to Drupal 8.4.8.
Users who are unable to update their sites immediately, or who are running a Drupal distribution that doesn't include the most recent security release, can attempt to apply the patches for 8.5.x and below or for Drupal 7.x. However, researchers warn the patches will only work if your site already has the fix from SA-CORE-2018-002 applied.
Just a few days prior to the release, an IoT botnet was spotted actively exploiting the Highly critical CVE-2018-7600 vulnerability, also known as the Drupalgeddon 2 bug, which was patched in late March.