Security News > 2020 > August > A New vBulletin 0-Day RCE Vulnerability and Exploit Disclosed Publicly

A security researcher earlier today publicly revealed details and proof-of-concept exploit code for an unpatched, critical zero-day remote code execution vulnerability affecting the widely used internet forum software vBulletin that's already under active exploitation in the wild.

In September last year, a separate anonymous security researcher publicly disclosed a then-zero-day RCE vulnerability in vBulletin, identified as CVE-2019-16759, and received a critical severity rating of 9.8, allowing attackers to execute malicious commands on the remote server without requiring any authentication to log into the forum.

Hackers Actively Exploiting vBulletin Zero-Day Soon after the release of the PoC exploit code, hackers started exploiting the zero-day to target vBulletin sites.

Official vBulletin Patch and Mitigations The vBulletin team responded to the publicly released zero-day flaw immediately and released a new security patch that disables the PHP module in vBulletin software to address the issue, assuring its users that it will be removed entirely in the future release of vBulletin 5.6.4.

The forum maintainers advised developers to consider all older versions of vBulletin vulnerable and upgrade their sites to run vBulletin 5.6.2 as soon as possible.

News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/vN8g54ATiK8/vBulletin-vulnerability-exploit.html