A hacker has released an exploit for an unpatched remote command execution vulnerability affecting the vBulletin forum software.
A proof-of-concept (PoC) exploit for the zero-day was published on the Full Disclosure mailing list by an individual who wanted to remain anonymous. It’s unclear why they have decided to release the information before vBulletin developers could create a patch.
The vulnerability, to which MITRE assigned the CVE identifier CVE-2019-16759, is said to affect vBulletin 5.x through 5.5.4 (the latest version at the time of writing). It allows an unauthenticated attacker to execute arbitrary commands on the server by sending a specially crafted HTTP POST request to the targeted vBulletin website.
Researchers at cybersecurity firm Tenable have analyzed the PoC exploit and have confirmed that it works on default vBulletin configurations.
“These commands would be executed with the permissions of the user account that the vBulletin service is utilizing. Depending on the service user’s permissions, this could allow complete control of a host,” Tenable said.
Others also confirmed that the exploit works.
There are roughly 20,000 websites currently powered by vBulletin, including some owned by important organizations. However, a majority use versions 3 and 4, and only around 1,100 use version 5, the branch affected by this flaw. Even within that group exposure may vary: a researcher says he has tested many vBulletin 5.x installations and only some of them appear to be vulnerable to attacks.
Organizers of the DEF CON hacking conference have temporarily shut down the official DEF CON forum to test the impact of the vBulletin vulnerability and implement mitigations.
SecurityWeek has reached out to vBulletin developers for comment and information on the availability of a patch, but they have yet to respond.
Exploit acquisition firm Zerodium is currently offering up to $10,000 for remote code execution exploits targeting vBulletin, but this particular exploit might not be worth the top reward if it impacts a relatively small number of websites.
UPDATE. According to some reports, the vulnerability has already been exploited in the wild.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.