The bug affects all sites running on Drupal 8, Drupal 7, and Drupal 6. Drupal's project usage page indicates that about a million sites are running the affected versions. Admins are being urged to immediately update to Drupal 7.58 or Drupal 8.5.1.
The vulnerability allows an attacker, leveraging multiple attack vectors, to take complete control of a website. Drupal issued an alert for the patch last week warning admins to allocate time for patching because exploits might arrive "within hours or days" of its security release.
So far, there haven't been any attacks using the flaw, according to Drupal. The bug, which is being called Drupalgeddon2, has been assigned the official identifier CVE-2018-7600. Drupal has given it a 'highly critical' rating with a risk score of 21 out of 25 under the NIST Common Misuse Scoring System.
BleepingComputer's Catalin Cimpanu said: "In the nine years I've been around Drupal, I've never seen them publish such an apocalyptic security advisory."