Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

vBulletin Patches Vulnerability Exploited in the Wild

Developers of the vBulletin forum software have rushed to release a patch for a recently disclosed remote command execution vulnerability, but the flaw has already been exploited in the wild, with some claiming that its existence has been known for years.

Developers of the vBulletin forum software have rushed to release a patch for a recently disclosed remote command execution vulnerability, but the flaw has already been exploited in the wild, with some claiming that its existence has been known for years.

An anonymous hacker published a proof-of-concept (PoC) exploit for the zero-day on the Full Disclosure mailing list on September 23. The security hole is tracked as CVE-2019-16759 and it affects vBulletin 5.x through 5.5.4.

The vulnerability can be exploited by remote, unauthenticated attackers to execute PHP code and shell commands on the underlying server by sending specially crafted HTTP POST requests.

vBulletin 5.5.4 Patch Level 1, 5.5.3 Patch Level 1 and 5.5.2 Patch Level 1 should address the vulnerability. Users of versions older than 5.5.2 have been advised to upgrade to a newer release as soon as possible. vBulletin Cloud websites have received the patch automatically.

Website security solutions providers have also pushed out updates to their products to detect and block attacks exploiting the vulnerability. Someone also created an unofficial patch before vBulletin released an update, and web security firm Sucuri has provided users with a temporary solution, but warned that it could break legitimate functionality.

Several organizations have reported seeing attacks attempting to exploit CVE-2019-16759. Sucuri said it observed an attack where hackers leveraged the vulnerability to take control of vulnerable websites while making some changes that would prevent others from hijacking the site using CVE-2019-16759.

Some vBulletin forum administrators have also reported being warned about the presence of malicious code on their websites following the disclosure of the vulnerability.

Bad Packets reported seeing “opportunistic mass exploitation” that included “coordinated botnet activity and miscellaneous threat actors checking for hosts vulnerable RCE.”

Advertisement. Scroll to continue reading.

GreyNoise Intelligence has observed attacks originating from “several hundred devices.”

There are tens of thousands of forums powered by vBulletin, including ones belonging to important organizations, but only a relatively small percentage use the vulnerable version 5. Some websites show that only roughly 1,100 forums use vBulletin 5.

Some experts have criticized vBulletin developers for their slow response.

While it’s unclear why the anonymous hacker decided to release the PoC exploit for CVE-2019-16759, exploit acquisition firm Zerodium, which currently offers up to $10,000 for vBulletin exploits, said “many researchers were selling this exploit for years” and the company’s customers have allegedly known about it for the past 3 years.

Related: vBulletin Patches Disclosed Vulnerabilities

Related: vBulletin Resets Passwords After Server Hack

Related: Attackers Exploit vBulletin Flaw to Hack Servers

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Defense contractor Nightwing has appointed Tricia Fitzmaurice as Chief Growth Officer.

Xage Security has appointed Russell McGuire as CRO and Ashraf Daqqa as VP of the META region.

Solana co-founder Stephen Akridge has been appointed the CEO of data protection firm Cyber Grant.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.