A remote code execution (RCE) vulnerability patched over a year and a half ago is still being actively employed in attacks against high-profile websites.

According to cybersecurity researchers from Akamai, the bug, which affects the open-source Drupal content management system (CMS), is being exploited through malicious .GIF files.

The vulnerability, known as Drupalgeddon2 and tracked as CVE-2018-7600, was first discovered in March 2018. Issued a CVSS v3.0 base score of 9.8 and a CVSS v2.0 base score of 7.5, the flaw can be triggered remotely on default and common Drupal installations, potentially leading to RCE, data theft, and website hijacking.