Developers of the vBulletin forum software have rushed to release a patch for a recently disclosed remote command execution vulnerability, but the flaw has already been exploited in the wild, with some claiming that its existence has been known for years.
An anonymous hacker published a proof-of-concept (PoC) exploit for the zero-day on the Full Disclosure mailing list on September 23. The security hole is tracked as CVE-2019-16759 and it affects vBulletin 5.x through 5.5.4.
The vulnerability can be exploited by remote, unauthenticated attackers to execute PHP code and shell commands on the underlying server by sending specially crafted HTTP POST requests.
vBulletin 5.5.4 Patch Level 1, 5.5.3 Patch Level 1 and 5.5.2 Patch Level 1 should address the vulnerability. Users of versions older than 5.5.2 have been advised to upgrade to a newer release as soon as possible. vBulletin Cloud websites have received the patch automatically.
Website security solutions providers have also pushed out updates to their products to detect and block attacks exploiting the vulnerability. Someone also created an unofficial patch before vBulletin released an update, and web security firm Sucuri has provided users with a temporary solution, but warned that it could break legitimate functionality.
Several organizations have reported seeing attacks attempting to exploit CVE-2019-16759. Sucuri said it observed an attack where hackers leveraged the vulnerability to take control of vulnerable websites while making some changes that would prevent others from hijacking the site using CVE-2019-16759.
Some vBulletin forum administrators have also reported being warned about the presence of malicious code on their websites following the disclosure of the vulnerability.
Bad Packets reported seeing “opportunistic mass exploitation” that included “coordinated botnet activity and miscellaneous threat actors checking for hosts vulnerable RCE.”
GreyNoise Intelligence has observed attacks originating from “several hundred devices.”
There are tens of thousands of forums powered by vBulletin, including ones belonging to important organizations, but only a relatively small percentage use the vulnerable version 5. Some websites show that only roughly 1,100 forums use vBulletin 5.
Some experts have criticized vBulletin developers for their slow response.
While it’s unclear why the anonymous hacker decided to release the PoC exploit for CVE-2019-16759, exploit acquisition firm Zerodium, which currently offers up to $10,000 for vBulletin exploits, said “many researchers were selling this exploit for years” and the company’s customers have allegedly known about it for the past 3 years.
Related: vBulletin Patches Disclosed Vulnerabilities