As expected, the content management system Drupal patched a highly critical vulnerability in Drupal 7 and 8 Core on Wednesday, and warned users not to delay applying the fix.

The update fixes a particularly nasty remote code execution vulnerability in multiple Drupal 7.x and 8.x subsystems that could bring an entire site down.

According to the company Jasper Mattsson, a Finnish Drupal developer, discovered the bug as part of his general research into the CMS’ security.

Drupal didn't get into the details around the vulnerability (CVE-2018-7600) but said it could allow an attacker to exploit multiple attack vectors on a Drupal site. In a FAQ about the vulnerability Drupal said the vulnerability could affect over one million sites, or roughly nine percent of sites on the internet.

While it's unclear whether exploit code exists for the vulnerability Drupal warns that exploitation could result in all data either being modified or deleted.

Site owners are being encouraged to apply the updates as soon as possible, if they haven’t already, to avoid exploitation. Drupal’s infrastructure team warned users Wednesday afternoon - just an hour after it had pushed the patches - that attackers were already using news of the update to target some members of the Drupal community with malicious email sign ups and phishing attacks.

Members of the Drupal community are being targeted with malicious email sign ups, phishing attacks, etc, coordinated with today's release. Pls be careful and take precautions. If you receive a threatening message, please contact the DA and/or your local authorities.

— Drupal infra (@drupal_infra) March 28, 2018

The easiest solution for site owners is to update to Drupal 7 or 8 Core; Drupal 7.58 and Drupal 8.5.1 are the newest, patched versions. If users can't find the bandwidth to update immediately they're being encouraged to apply a patch, something that should, at least in the short term, mitigate the issue.