A vulnerability that’s been patched is still a vulnerability if patches haven’t been applied. The vulnerability in CMS platform Drupal was discovered and patched in 2018. The attacks, so far, do not seem to target any particular industry or market segment, instead probing a range of high-profile websites. If executed, the code uses IRC channels to contact a command and control server and then execute any of a variety of RAT, credential skimming, or DDoS payloads. These systems are often forgotten or neglected but connected to critical systems that can be attacked at the criminal’s leisure.”]
Source: https://www.darkreading.com/attacks-breaches/drupalgeddon2-vulnerability-still-endangering-cmses