The vulnerability, called CVE-2019-6342, has been described as "critical" severity. Drupal developers use the NIST's Common Misuse Scoring System to determine the vulnerability risk level. This means that the classification as "critical" is second in the risk scale, after "very critical".
Dave Botsch was the one who discovered and indicated the vulnerability to Drupal developers and so far there is no evidence of exploitation for malicious purposes. However, this security gap could be a tempting target for hackers, as it affects the default / standard configurations, no authentication is required, and exploitation requires minimal interaction with the user.
The defect only affects Drupal 8.7.4. Drupal 8.7.3 and earlier versions, 8.6.x and earlier and 7.x are not affected. Users who can not update the 8.7.5 version to fix the vulnerability can prevent possible attacks by disabling the Workspaces module.
The US Department of Homeland Security (DHS) advises users to read Drupal recommendations and take the necessary action.
Exploiting Drupal's vulnerabilities is not new. Earlier this year, the attackers began exploiting the CVE-2019-6340 defect to divide cryptocurrency miners and other payloads, just days after the release of an updated code.
Also last year hackers exploited two vulnerabilities known as Drupalgeddon2 and Drupalgeddon3. Attackers used vulnerabilities to share RATs, cryptocurrency miners and technical support scams.