On March, 28th drupal announced a severe security issue in Drupal 7 and 8: https://www.drupal.org/sa-core-2018-002.

The issue allows unprivileged users to execute code on the server and disclose all data normally not accesible through the web. The security issue is rated severe and is told to be easily abused. It's probably a matter of a few hours to days that exploits are in the wild that systematically search for vulnerable instances.

All users are highly encouraged to update to Drupal 7.58 or 8.5.1.

ISPProtect includes a version check for many CMS including Drupal, so if you run a scan on your server you will be presented all Drupal instances on your server that are outdated and such vulnerable.

Severe remote execution security issue in Drupal announced