The update mechanism of the popular Drupal content management system is insecure in several ways. It’s not encrypted and can potentially be hijacked by man-in-the-middle attackers. The CMS will not inform administrators that an update check has failed, for example due to inability to access the update server. The process for module updates is also unprotected and can be similarly hijacked. These issues are not yet fixed, so Drupal administrators might want to manually download all updates for Drupal and its modules themselves for the moment.
Source: https://www.csoonline.com/article/3020069/drupal-sites-at-risk-due-to-insecure-update-mechanism.html

