Vulnerability Directory | CVE-2025-9551 | Drupal 7

Overview

Drupal is an open-source content management system known for its flexibility, robust features, and strong community support. Organizations of all sizes use it to build and manage dynamic websites and web applications. The Protected Pages module allows the administrator to secure any page by password.

The module is missing flood/rate limiting on its page passwords. An attacker could brute‑force the page password because it isn’t being throttled or blocked.

Broken Access Control occurs when an application fails to properly enforce restrictions on what authenticated users are allowed to do, enabling attackers to access unauthorized functionality, data, or resources. It often stems from inadequate validation of user permissions, allowing someone to bypass intended security boundaries and perform actions beyond their assigned role.

In this case, a brute force attack can allow a malicious user to enter the system.

Any of the following ramifications are possible:

Allowing arbitrary code execution
Complete system compromise
Data theft or exposure
Data manipulation or destruction
Privilege escalation, and
Denial of service.

This issue affects the Protected Pages module version 7.2.4 and lower.

‍

Details

Module Info

Product: Drupal
Affected code: Protected Pages module
Affected versions: <=7.2.4
Project page: https://www.drupal.org/project/protected_pages
Fixed in: Protected Pages NES 7.2.5

Vulnerability Info

This high-severity vulnerability is found in all versions of the Drupal Protected Pages module for Drupal 7 sites.

‍

Steps To Reproduce

Create a Drupal 7 installation and install a Protected Pages module version that is vulnerable to the exploit, such as 7.2.4.
Install and enable Protected Pages.
Go to admin/people/permissions#module-protected_pages and set permissions.
Go to admin/config/system/protected_pages/settings and configure settings.
Add a basic page at node/add/page, say node/1.
Add this page to admin/config/system/protected_pages to protect it.
Open an incognito window and visit /node/1.
You should receive an Access Denied and be challenged with a login/password box.
Enter 10–20 incorrect passwords in quick succession (same IP/session). Observe that there is no lockout, delay, or “too many attempts” message; the form keeps accepting attempts.
Enter the correct password and gain access, showing that an attacker could brute-force until success.
Alternative: Use crunch to create a large list of potential passwords that you pass to THC-Hydra; use brute-force until you are let in.

‍

Addressing the Issue

Users of the affected components should apply one of the following:

Harden passwords by using strong (i.e. long) passwords and rotate them; avoid short/common secrets that make brute force trivial.
Add external rate limiting via WAF/reverse proxy rules to throttle POSTs to the protected pages.
Monitor logs and watch for repeated failed attempts to protected pages.

However, the above may not deter determined attackers and have trade-offs. Sign up for post-EOL security support; HeroDevs customers get immediate access to a patched version of this module.

‍