Developers of the vBulletin forum software have rushed to release a patch for a recently disclosed remote command execution vulnerability, but the flaw has already been exploited in the wild, with some claiming that its existence has been known for years.
An anonymous hacker published a proof-of-concept (PoC) exploit for the zero-day on the Full Disclosure mailing list on September 23. The security hole is tracked as CVE-2019-16759 and it affects vBulletin 5.x through 5.5.4.
The vulnerability can be exploited by remote, unauthenticated attackers to execute PHP code and shell commands on the underlying server by sending specially crafted HTTP POST requests.
vBulletin 5.5.4 Patch Level 1, 5.5.3 Patch Level 1 and 5.5.2 Patch Level 1 should address the vulnerability. Users of versions older than 5.5.2 have been advised to upgrade to a newer release as soon as possible. vBulletin Cloud websites have received the patch automatically.
Website security solutions providers have also pushed out updates to their products to detect and block attacks exploiting the vulnerability. Someone also created an unofficial patch before vBulletin released an update, and web security firm Sucuri has provided users with a temporary solution, but warned that it could break legitimate functionality.
Several organizations have reported seeing attacks attempting to exploit CVE-2019-16759. Sucuri said it observed an attack where hackers leveraged the vulnerability to take control of vulnerable websites while making some changes that would prevent others from hijacking the site using CVE-2019-16759.
Some vBulletin forum administrators have also reported being warned about the presence of malicious code on their websites following the disclosure of the vulnerability.
Bad Packets reported seeing “opportunistic mass exploitation” that included “coordinated botnet activity and miscellaneous threat actors checking for hosts vulnerable RCE.”
GreyNoise Intelligence has observed attacks originating from “several hundred devices.”
There are tens of thousands of forums powered by vBulletin, including ones belonging to important organizations, but only a relatively small percentage use the vulnerable version 5. Some websites show that only roughly 1,100 forums use vBulletin 5.
Some experts have criticized vBulletin developers for their slow response.
While it’s unclear why the anonymous hacker decided to release the PoC exploit for CVE-2019-16759, exploit acquisition firm Zerodium, which currently offers up to $10,000 for vBulletin exploits, said “many researchers were selling this exploit for years” and the company’s customers have allegedly known about it for the past 3 years.
Related: vBulletin Patches Disclosed Vulnerabilities
Related: vBulletin Resets Passwords After Server Hack
Related: Attackers Exploit vBulletin Flaw to Hack Servers

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Vulnerabilities in Honda eCommerce Platform Exposed Customer, Dealer Data
- Barracuda Urges Customers to Replace Hacked Email Security Appliances
- Google Patches Third Chrome Zero-Day of 2023
- ChatGPT Hallucinations Can Be Exploited to Distribute Malicious Code Packages
- AntChain, Intel Create New Privacy-Preserving Computing Platform for AI Training
- Several Major Organizations Confirm Being Impacted by MOVEit Attack
- Verizon 2023 DBIR: Human Error Involved in Many Breaches, Ransomware Cost Surges
- Ransomware Group Used MOVEit Exploit to Steal Data From Dozens of Organizations
Latest News
- Consolidate Vendors and Products for Better Security
- Pharmaceutical Giant Eisai Takes Systems Offline Following Ransomware Attack
- Vulnerabilities in Honda eCommerce Platform Exposed Customer, Dealer Data
- North Korean Hackers Blamed for $35 Million Atomic Wallet Crypto Theft
- Cisco Patches Critical Vulnerability in Enterprise Collaboration Solutions
- Barracuda Urges Customers to Replace Hacked Email Security Appliances
- Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability
- BBC, British Airways, Novia Scotia Among First Big-Name Victims in Global Supply-Chain Hack
