Drupal Core Code Suffers Remote Code Execution Vulnerability

A remote code execution (RCE) vulnerability was recently discovered in Drupal's core code. Drupal was alerted to the vulnerability and started taking action on February 20th. Users potentially affected by the vulnerability include those with 8.6.x and 8.5.x installations. Drupal 7 installations that use the same REST module may also be vulnerable.

Remote attackers were able to execute code on exposed servers through the API of the CMS. Common results of such attacks include commands to download and install malware or similar software. The attacker can then control the host and use it to launch additional attacks or retrieve data.

By February 25, Drupal reported mass exploits in the wild. Drupal issued patches for 8.6.x and 8.5.x and suggested that upgrading to the latest version is the best mitigation strategy. Additionally, Drupal encourages those who may be affected to read through "Your Drupal site got hacked, now what." Stay tuned to Drupal's Security Advisories for more updates.
