Drupal released a security update to fix a critical vulnerability (CVE-2018-7602). Multiple attack vectors could be adopted to exploit the vulnerabilities.
Please also note that the support of Drupal 6 is ceased and no security updates will be provided. Users should arrange migrating to the latest version of Drupal or other supported technology.
A successful attack could lead to arbitrary code execution and take control of an affected system.
The product vendor has released patches to address the issues.
https://www.drupal.org/sa-core-2018-002
https://www.drupal.org/sa-core-2018-004
https://groups.drupal.org/security/faq-2018-002
https://www.hkcert.org/my_url/en/alert/18042601
https://www.us-cert.gov/ncas/current-activity/2018/04/25/Drupal-Releases-Critical-Security-Updates
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7600
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7602