Security News > 2020 > August > A New vBulletin 0-Day RCE Vulnerability and Exploit Disclosed Publicly
A security researcher earlier today publicly revealed details and proof-of-concept exploit code for an unpatched, critical zero-day remote code execution vulnerability affecting the widely used internet forum software vBulletin that's already under active exploitation in the wild.
In September last year, a separate anonymous security researcher publicly disclosed a then-zero-day RCE vulnerability in vBulletin, identified as CVE-2019-16759, and received a critical severity rating of 9.8, allowing attackers to execute malicious commands on the remote server without requiring any authentication to log into the forum.
Hackers Actively Exploiting vBulletin Zero-Day Soon after the release of the PoC exploit code, hackers started exploiting the zero-day to target vBulletin sites.
Official vBulletin Patch and Mitigations The vBulletin team responded to the publicly released zero-day flaw immediately and released a new security patch that disables the PHP module in vBulletin software to address the issue, assuring its users that it will be removed entirely in the future release of vBulletin 5.6.4.
The forum maintainers advised developers to consider all older versions of vBulletin vulnerable and upgrade their sites to run vBulletin 5.6.2 as soon as possible.
News URL
http://feedproxy.google.com/~r/TheHackersNews/~3/vN8g54ATiK8/vBulletin-vulnerability-exploit.html
Related news
- Gladinet’s Triofox and CentreStack Under Active Exploitation via Critical RCE Vulnerability (source)
- Critical Erlang/OTP SSH pre-auth RCE is 'Surprisingly Easy' to exploit, patch now (source)
- Critical Erlang/OTP SSH RCE bug now has public exploits, patch now (source)
- Kimsuky Exploits BlueKeep RDP Vulnerability to Breach Systems in South Korea and Japan (source)
- Critical Commvault RCE vulnerability fixed, PoC available (CVE-2025-34028) (source)
- Craft CMS RCE exploit chain used in zero-day attacks to steal data (source)
- PoC exploit for SysAid pre-auth RCE released, upgrade quickly! (source)
- Chinese Hackers Exploit SAP RCE Flaw CVE-2025-31324, Deploy Golang-Based SuperShell (source)
- Week in review: Microsoft patches 5 actively exploited 0-days, recently fixed Chrome vulnerability exploited (source)
- Google quietly pushes emergency fix for Chrome 0-day as exploit runs wild (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-09-24 | CVE-2019-16759 | Code Injection vulnerability in Vbulletin vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request. | 9.8 |