A hacker has released an exploit for an unpatched remote command execution vulnerability affecting the vBulletin forum software.
A proof-of-concept (PoC) exploit for the zero-day was published on the Full Disclosure mailing list by an individual who wanted to remain anonymous. It’s unclear why they have decided to release the information before vBulletin developers could create a patch.
The vulnerability, to which MITRE assigned the CVE identifier CVE-2019-16759, is said to affect vBulletin 5.x through 5.5.4 (the latest version), and it allows an unauthenticated attacker to execute arbitrary commands by sending a specially crafted HTTP POST request to the targeted vBulletin website.
Researchers at cybersecurity firm Tenable have analyzed the PoC exploit and have confirmed that it works on default vBulletin configurations.
“These commands would be executed with the permissions of the user account that the vBulletin service is utilizing. Depending on the service user’s permissions, this could allow complete control of a host,” Tenable said.
Others also confirmed that the exploit works.
There are roughly 20,000 websites currently powered by vBulletin, including some owned by important organizations. However, a majority use versions 3 and 4, and only around 1,100 use version 5, which is affected by this flaw. On the other hand, a researcher says he has tested many vBulletin 5.x installations and only some of them appear to be vulnerable to attacks.
Organizers of the DEF CON hacking conference have temporarily shut down the official DEF CON forum to test the impact of the vBulletin vulnerability and implement mitigations.
SecurityWeek has reached out to vBulletin developers for comment and information on the availability of a patch, but they have yet to respond.
Exploit acquisition firm Zerodium is currently offering up to $10,000 for remote code execution exploits targeting vBulletin, but this particular exploit might not be worth the top reward if it impacts a relatively small number of websites.
UPDATE. According to some reports, the vulnerability has already been exploited in the wild.
Related: vBulletin Patches Disclosed Vulnerabilities