Threat Analysis: Drupal SQL Injection Under Active Exploitation, Ubiquiti Max-Severity Flaws, and The Gentlemen Ransomware's UK Reach

Threats & Attacks

Hello, Mauven here.

This is your Daily Threat Analysis for 22nd May 2026.

Three stories today. Each one is actionable. I will start with the one that has the shortest fuse.


Drupal SQL Injection: Disclosure to Active Exploitation in Under 48 Hours

Drupal published a security advisory earlier this week for a highly critical SQL injection vulnerability. By today, 22nd May, active exploitation attempts were already confirmed.

That is the part the advisory does not emphasise enough. The window between disclosure and weaponisation has been narrowing for years. For widely deployed CMS platforms like Drupal, that window is now measured in hours, not weeks.

The vulnerability allows unauthenticated attackers to inject SQL through the database layer. Successful exploitation can lead to full database access: customer records, credentials, order data, whatever your site holds. On Drupal sites running PostgreSQL backends, the attack surface is particularly well understood by tooling that is already in the wild.

Why does this matter to UK SMBs specifically? Because a significant proportion of UK business websites, particularly in professional services, legal, and public-sector-adjacent organisations, run Drupal. Many of those sites are managed by third-party web agencies under contracts that define maintenance windows quarterly. Those contracts were not written with a 48-hour exploitation timeline in mind.

The same pattern played out with Ghost CMS this week. CVE-2026-26980, a critical SQL injection flaw in Ghost, was exploited to compromise over 700 domains, including universities, media outlets and AI companies, and repurpose them to serve ClickFix attack pages. ClickFix is a social engineering technique that tricks visitors into executing malicious PowerShell commands under the guise of fixing a browser error. If your site is compromised via SQL injection, your visitors become the next set of victims.

What to do:

  • If you run a Drupal site, confirm with your hosting provider or web agency that the latest security release has been applied. Today. Not at the next scheduled window.
  • If you run Ghost CMS, check your version against the CVE-2026-26980 advisory immediately.
  • If you do not know what CMS your website runs, find out. That is a reasonable thing to know about infrastructure you are responsible for.
  • Ask your web agency or MSP what their procedure is when a critical vulnerability is disclosed in a platform they manage for you. If the answer is "we apply patches in the next maintenance window," that is a conversation worth having now rather than after an incident.

Ubiquiti UniFi OS: Three Maximum-Severity Vulnerabilities, No Authentication Required

Ubiquiti has released patches for three maximum-severity vulnerabilities in UniFi OS. CVSS 10.0 across the board. No authentication required for remote exploitation.

UniFi kit (routers, access points, network management controllers) is standard issue in thousands of UK SMB offices. It is popular precisely because it offers enterprise-grade network management at SMB-friendly prices. That ubiquity is now the problem.

The advisory does not specify whether these vulnerabilities are currently being exploited in the wild. What it does say is that a remote attacker with no credentials can exploit them. Given the volume of UniFi infrastructure connected to the internet, particularly UniFi Network Application instances with management interfaces exposed, the attack surface is substantial.

Network devices are a particularly attractive initial access vector. Compromise a router or network controller and you have a persistent foothold from which to pivot to everything else on that network. This is not theoretical. It is the pattern seen in multiple UK SMB incidents over the past two years.

If your IT provider tells you this does not affect you because you are too small, ask them how many of the 5,000 businesses affected by the JLR supply chain breach thought they were too small.

What to do:

  • If you or your MSP use Ubiquiti UniFi equipment, check the firmware version against Ubiquiti’s security advisory and apply the update.
  • Confirm that your UniFi Network Application management interface is not exposed to the public internet. If it is, that exposure needs to close regardless of the patch status.
  • Ask your IT provider or MSP to confirm in writing that UniFi infrastructure under their management has been updated. This week.

The Gentlemen Ransomware: 400 Victims, Legitimate-Looking Tactics, and Why Your Logs Will Not Help You

The Huntress research team published detailed analysis this week of The Gentlemen ransomware-as-a-service operation. The numbers are significant: over 400 claimed victims across 70 countries since mid-2025. This is not a new group making headlines for the first time. It has been operating quietly for almost a year.

What makes this analysis worth reading is the TTPs, which are deliberately designed to look like normal administrative activity right up until the moment they are not.

The operation deploys via Scheduled Tasks, a legitimate Windows feature used by every IT team. It uses PowerShell commands, also entirely standard. The initial stages are almost indistinguishable from routine system administration. This is intentional. The goal is to avoid triggering endpoint detection long enough to get properly established.

The defence evasion techniques then kick in: Security, System, and Application event logs are cleared. Microsoft Defender is disabled. Group Policy is modified to maintain that disabled state. By the time encryption begins, the forensic trail has been deliberately obscured. The Fortinet flaw CVE-2024-55591 features as an initial access vector in related incidents; it was disclosed in January 2025 and patches have been available since then.

The advisory attributes specific incidents. What it does not say explicitly, but what the pattern implies, is that this group is not cherry-picking large enterprise targets. Four hundred victims across 70 countries, operating for less than a year, using widely available ransomware-as-a-service tooling, means the targeting is opportunistic. They are hitting whoever has unpatched perimeter devices, weak endpoint protection, or permissive PowerShell policies.

For UK SMBs, the practical implication is this: if you have outstanding Fortinet patches, apply them. If your PowerShell execution policy is unrestricted, change it. If your event logging is not being aggregated somewhere that survives a local machine compromise, fix that before you need it.

What to do:

  • Check for any outstanding Fortinet patches, particularly those addressing CVE-2024-55591.
  • Review your PowerShell execution policy. Constrained Language Mode or a signed-scripts-only policy significantly raises the cost of this type of attack.
  • Ensure Windows event logs are forwarded to a centralised logging system that is not on the same machine being attacked. Local logs that can be cleared by the attacker are not a useful forensic record.
  • If you do not have endpoint detection and response (EDR) coverage, the pattern of Scheduled Task creation followed by PowerShell execution and log clearing is exactly the kind of behavioural sequence that EDR catches and antivirus does not.
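The behavioural sequence the last bullet describes (scheduled task created, PowerShell launched, then logs cleared or Defender disabled) is what a centralised log store lets you correlate. The following is an added example, not Huntress's or anyone else's detection code: it runs a simple ordered-stage correlation over constructed Windows event records (the hostnames, timestamps and JSON field names are assumptions; the event IDs are the standard Windows ones) and only alerts when every stage occurs on the same host within a time window, so routine task creation followed by admin PowerShell does not fire on its own.

```python
import json
from datetime import datetime, timedelta

# Constructed sample telemetry, not real logs: FS01 shows the full chain, WS07 does not.
PS = "C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"
SAMPLE_EVENTS = [
    '{"ts":"2026-05-22T09:01:00","host":"FS01","channel":"Security","event_id":4698}',
    '{"ts":"2026-05-22T09:02:10","host":"FS01","channel":"Security","event_id":4688,"process":"%s"}' % PS,
    '{"ts":"2026-05-22T09:05:30","host":"FS01","channel":"Microsoft-Windows-Windows Defender/Operational","event_id":5001}',
    '{"ts":"2026-05-22T09:06:00","host":"FS01","channel":"Security","event_id":1102}',
    '{"ts":"2026-05-22T10:00:00","host":"WS07","channel":"Security","event_id":4698}',
    '{"ts":"2026-05-22T10:01:00","host":"WS07","channel":"Security","event_id":4688,"process":"%s"}' % PS,
    '{"ts":"2026-05-22T14:30:00","host":"WS07","channel":"Security","event_id":1102}',
]

# Ordered stages keyed on Windows event IDs: 4698 scheduled task created, 4688 process
# created, 1102 Security audit log cleared, 5001 Defender real-time protection disabled.
STAGES = (
    ("scheduled task created", lambda e: e["event_id"] == 4698),
    ("PowerShell launched", lambda e: e["event_id"] == 4688 and e.get("process", "").lower().endswith("powershell.exe")),
    ("logs cleared or Defender disabled", lambda e: e["event_id"] == 1102 or (e["event_id"] == 5001 and "Defender" in e["channel"])),
)

def parse_events(lines):
    """Decode one JSON event per line, turning the timestamp into a datetime."""
    return [{**e, "ts": datetime.fromisoformat(e["ts"])} for e in map(json.loads, lines)]

def detect_chain(events, window_minutes=60):
    """Return {host: [(stage, ts), ...]} for hosts where all stages occur, in order, within the window."""
    by_host, alerts = {}, {}
    for e in events:
        by_host.setdefault(e["host"], []).append(e)
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, anchor in enumerate(evs):  # any task creation can anchor a chain
            if not STAGES[0][1](anchor):
                continue
            deadline = anchor["ts"] + timedelta(minutes=window_minutes)
            matched, stage = [(STAGES[0][0], anchor["ts"])], 1
            for e in evs[i + 1:]:
                if e["ts"] > deadline or stage == len(STAGES):
                    break
                if STAGES[stage][1](e):
                    matched.append((STAGES[stage][0], e["ts"]))
                    stage += 1
            if stage == len(STAGES):
                alerts[host] = matched  # report the first complete chain on this host
                break
    return alerts
```

Run against the sample, only FS01 is reported; WS07's later log clear falls outside the window and is left for a human to review rather than alerted on.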

One Worth Noting in Passing

Trend Micro patched a zero-day in Apex One today, an actively exploited privilege escalation vulnerability in their own endpoint security product. The irony of your security software being the attack vector is not lost on anyone who has worked in this industry for any length of time. If you run Apex One, the patch is out. Apply it.

Separately, a coordinated law enforcement operation between France and the Netherlands took down FirstVPN this week, a service widely used by ransomware operators and fraudsters to conceal their infrastructure. Thirty-three servers seized, three domains taken down, the administrator’s home searched in Ukraine. These operations matter because they raise the operational cost for criminal groups, even if they do not eliminate the threat. Worth noting as context for the broader ecosystem.


Summary: What Needs to Happen Before the Weekend

Three items, each with a clear action:

  1. Drupal / Ghost CMS: confirm your CMS platform is patched. Today. If managed by a third party, get written confirmation.
  2. Ubiquiti UniFi: firmware update. Confirm management interfaces are not internet-exposed.
  3. The Gentlemen ransomware: Fortinet patches, PowerShell policy review, centralised logging.

None of these require a large budget. All of them require someone to actually do them.


Sources

  • BleepingComputer, "Drupal: Critical SQL injection flaw now targeted in attacks", https://www.bleepingcomputer.com/news/security/drupal-critical-sql-injection-flaw-now-targeted-in-attacks/
  • BleepingComputer, "Ubiquiti patches three max severity UniFi OS vulnerabilities", https://www.bleepingcomputer.com/news/security/ubiquiti-patches-three-max-severity-unifi-os-vulnerabilities/
  • Huntress, "The Gentlemen Ransomware: Defense Evasion TTPs Uncovered", https://www.huntress.com/blog/the-gentlemen-ransomware-defense-evasion-ttps
  • BleepingComputer, "Trend Micro warns of Apex One zero-day exploited in the wild", https://www.bleepingcomputer.com/news/security/trend-micro-warns-of-apex-one-zero-day-exploited-in-attacks/
  • xLab / Qianxin, "Ghost CMS Mass Compromised via CVE-2026-26980, Now Fueling ClickFix Attacks", https://blog.xlab.qianxin.com/ghost-cms-mass-compromised-via-cve-2026-26980-now-fueling-clickfix-attacks/
  • Infosecurity Magazine, "Cybercriminal VPN Dismantled in Crackdown", https://www.infosecurity-magazine.com/news/first-vpn-takedown-europol/

Filed under

  • smb-security
  • uk-business
  • ransomware-groups
  • vendor-risk
  • supply-chain-risk
  • incident-response
  • network-security