Now, we are quite sure that the Panama Papers leak, which implicated 72 current and former heads of state, was due to a zero-day vulnerability in Drupal that allowed hackers to get into the law firm's system and steal over 11.5 million files (around 2.6 terabytes of data).
The Drupal Security Team has announced that critical patches to address several security issues in Drupal contributed modules, including several highly critical Remote Code Execution (RCE) vulnerabilities, will be released today at 16:00 UTC.
According to an advisory, the critical arbitrary remote PHP code execution vulnerability (PSA-2016-001) affects up to 10,000 Drupal websites. However, “Drupal core is not affected. Not all sites will be affected.”
Although technical details about the critical flaws have not yet been released for security reasons, the team has warned its users to apply the upcoming patches promptly, leaving no opportunity for hackers who are desperately waiting for the bug details to develop exploits within hours or days.
If you own a Drupal website, you are advised to carefully review the list of affected contributed modules and apply the security patches as soon as possible.