Many of the UK's biggest firms are running outdated versions of their Drupal and Wordpress Content Management Systems (CMSes).
Threat management company RiskIQ conducted research across the top 30 organisations in the UK (FTSE-30), looking specifically at Wordpress and Drupal instances visible on the open web.
At least three in 10 of the content management system installs were vulnerable on one way or another, according to RiskIQ:
Across the publicly accessible web sites of the FTSE-30 we found 1069 web sites hosting either Wordpress or Drupal and were able to identify the CMS versions in 773 of them. The other 296 have disabled public access to their CHANGELOG.txt so their version was unknown.
Of the 773 sites with known versions, 307 have known vulnerabilities referenced in one or more CVEs. That represents 40 per cent of the total number of sites where the version is known and 29% of the overall total. The real percentage of vulnerable CMS instances lies somewhere in between.
CMSes play an important role in everything from providing potential customers with product information to ongoing communications and support. Despite the widespread use of the technology CMSes are frequently not given the attention they deserve, hence the widespread occurrence of problems even in the UK’s largest and presumably best-resourced enterprises.
“In many cases they are not tier 1 applications set up and supported by central IT and this can all too often result in a set up and forget approach,” according to RiskIQ.
RiskIQ was prompted to carry out the study by the Panama Papers controversy. Evidence of tax avoidance and personal info about the rich and powerful was exposed by a leak of Panamanian lawyers Mossack Fonseca. Many in the infused community, at least, suspect a hack against Mossack Fonseca’s CMS played a key role in the breach.
“Numerous security researchers commented on the poor security state of Mossack Fonseca’s IT systems which could have offered the attacker numerous ways into the organisation’s network, including outdated versions of their Drupal and Wordpress CMSes,” RiskIQ explains.
“CMS vulnerabilities are a common theme in many of the successful attacks we read about. With the ubiquitous nature of Content Management Systems driving the web experience, there are potential risks for all organisations.” ®