A bug in a database abstraction API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. This can lead to privilege escalation, arbitrary PHP execution, or other attacks as well. Vulnerability in question fits into a larger trend of security challenges facing CMS systems. Such systems are juicy targets for cyber criminals because they can create a more efficient way for hackers to launch automated, large-scale attacks. The best defense in this arms race is about protecting your properties in various ways that complement each other.”]
Source: https://www.darkreading.com/attacks-breaches/drupal-attacks-started-within-hours-of-patch-release