On March, 28th drupal announced a severe security issue in Drupal 7 and 8: https://www.drupal.org/sa-core-2018-002.

The issue allows unprivileged users to execute code on the server and disclose all data normally not accesible through the web. The security issue is rated severe and is told to be easily abused. It’s probably a matter of a few hours to days that exploits are in the wild that systematically search for vulnerable instances.

All users are highly encouraged to update to Drupal 7.58 or 8.5.1.

ISPProtect includes a version check for many CMS including Drupal, so if you run a scan on your server you will be presented all Drupal instances on your server that are outdated and such vulnerable.

Severe remote execution security issue in Drupal announced

Marius Burkard has been working as a software developer for 20 years and has several years of experience as a server administrator. As one of the lead developers of the ISPConfig control panel and technical contact for several hundred web hosting customers, he has extensive experience with malware, hacked websites and the analysis of vulnerabilities.