"Thousands of Drupal servers have an easily exploitable critical vulnerability that can lead to remote code execution," the organisation said in a tweet on its official account.
"Keep your website safe from malware (especially Webshells) and Patch Now!"
The Drupal project issued an advisory about the vulnerability on 18 November. "Drupal core does not properly sanitise certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations," the advisory said.
"If you are using Drupal 9.0, update to Drupal 9.0.8; if you are using Drupal 8.9, update to Drupal 8.9.9; if you are using Drupal 8.8 or earlier, update to Drupal 8.8.11; if you are using Drupal 7, update to Drupal 7.74."
And it added: "Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage."
Users were advised to audit all previously updated files to check for malicious extensions.
"Look specifically for files that include more than one extension, like filename.php.txt or filename.html.gif, without an underscore (_) in the extension," the advisory said.
"Pay specific attention to the following file extensions, which should be considered dangerous even when followed by one or more additional extensions: phar, php, pl, py, cgi, asp, js, html, htm and phtml.
"This list is not exhaustive, so evaluate security concerns for other unmunged extensions on a case-by-case basis."