Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



vBulletin Patches Vulnerability Exploited in the Wild

Developers of the vBulletin forum software have rushed to release a patch for a recently disclosed remote command execution vulnerability, but the flaw has already been exploited in the wild, with some claiming that its existence has been known for years.

Developers of the vBulletin forum software have rushed to release a patch for a recently disclosed remote command execution vulnerability, but the flaw has already been exploited in the wild, with some claiming that its existence has been known for years.

An anonymous hacker published a proof-of-concept (PoC) exploit for the zero-day on the Full Disclosure mailing list on September 23. The security hole is tracked as CVE-2019-16759 and it affects vBulletin 5.x through 5.5.4.

The vulnerability can be exploited by remote, unauthenticated attackers to execute PHP code and shell commands on the underlying server by sending specially crafted HTTP POST requests.

vBulletin 5.5.4 Patch Level 1, 5.5.3 Patch Level 1 and 5.5.2 Patch Level 1 should address the vulnerability. Users of versions older than 5.5.2 have been advised to upgrade to a newer release as soon as possible. vBulletin Cloud websites have received the patch automatically.

Website security solutions providers have also pushed out updates to their products to detect and block attacks exploiting the vulnerability. Someone also created an unofficial patch before vBulletin released an update, and web security firm Sucuri has provided users with a temporary solution, but warned that it could break legitimate functionality.

Several organizations have reported seeing attacks attempting to exploit CVE-2019-16759. Sucuri said it observed an attack where hackers leveraged the vulnerability to take control of vulnerable websites while making some changes that would prevent others from hijacking the site using CVE-2019-16759.

Some vBulletin forum administrators have also reported being warned about the presence of malicious code on their websites following the disclosure of the vulnerability.

Advertisement. Scroll to continue reading.

Bad Packets reported seeing “opportunistic mass exploitation” that included “coordinated botnet activity and miscellaneous threat actors checking for hosts vulnerable RCE.”

GreyNoise Intelligence has observed attacks originating from “several hundred devices.”

There are tens of thousands of forums powered by vBulletin, including ones belonging to important organizations, but only a relatively small percentage use the vulnerable version 5. Some websites show that only roughly 1,100 forums use vBulletin 5.

Some experts have criticized vBulletin developers for their slow response.

While it’s unclear why the anonymous hacker decided to release the PoC exploit for CVE-2019-16759, exploit acquisition firm Zerodium, which currently offers up to $10,000 for vBulletin exploits, said “many researchers were selling this exploit for years” and the company’s customers have allegedly known about it for the past 3 years.

Related: vBulletin Patches Disclosed Vulnerabilities

Related: vBulletin Resets Passwords After Server Hack

Related: Attackers Exploit vBulletin Flaw to Hack Servers

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.