Drupal 7.x Services module unserialize() to Remote Code Execution

Mattias Geniar, March 09, 2017

This is a really nice write-up of how a remote HTTP(S) endpoint could be abused through an unserialize() vulnerability, all the way to remote code execution. It requires a lot of internal knowledge of Drupal to pull this off.

Love the technical details and POC at the bottom!

Upon auditing Drupal’s Services module, the Ambionics team came across an insecure use of unserialize(). The exploitation of the vulnerability allowed for privilege escalation, SQL injection and, finally, remote code execution.

Source: Drupal 7.x Services module unserialize() to RCE