The announcement said the vulnerability, which lies within multiple subsystems, could be exploited to execute code remotely on systems running Drupal 7.x and 8.x. A few hours after initial publication, it added that the flaw was being exploited in the wild.
The Australian Government sites run a customised version of Drupal known as govCMS, which has been built by the Boston-based open source firm Acquia.
"This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised," the advisory said, without spelling out any of the technical details.
There was an indication of panic among the Drupal team, with the announcement saying: "If you are unable to update immediately, or if you are running a Drupal distribution that does not yet include this security release, you can attempt to apply the patch below to fix the vulnerability until you are able to update completely."
And further it said: "These patches will only work if your site already has the fix from SA-CORE-2018-002 (the flaw announced on 29 March) applied. (If your site does not have that fix, it may already be compromised.)"
A link to an earlier advisory issued on 13 April said: "Sites not patched by Wednesday, 2018-04-11 may be compromised. This is the date when evidence emerged of automated attack attempts. It is possible targeted attacks occurred before that.
"Simply updating Drupal will not remove backdoors or fix compromised sites. You should assume that the host is also compromised and that any other sites on a compromised host are compromised as well."