Drupal Core Highly Critical Remote Code Execution Vulnerability - SA-CORE-2018-002

On March 28th, 2018, Drupal released a security advisory describing a highly critical remote code execution vulnerability that affects multiple subsystems of Drupal core versions 8, 7, and 6. The advisory did not give specific details about the vulnerability, but it did state that exploitation is possible through multiple attack vectors and could result in the complete compromise of a Drupal site. As of yet, there are no known public exploits of this vulnerability; however, an exploit will likely be developed soon.
 
Due to the severity of this vulnerability, the IT Security Office recommends that Drupal sites be updated as soon as reasonably possible to the supported versions 7.58 and 8.5.1, or that the available patch be applied temporarily until Drupal can be updated. For more information about the vulnerability, visit: https://www.drupal.org/SA-CORE-2018-002; for the FAQ, visit: https://groups.drupal.org/security/faq-2018-002.