Security News > 2020 > August > Exploits for vBulletin zero-day released, attacks are ongoing
The fix for CVE-2019-16759, a remote code execution vulnerability in vBulletin that was patched in September 2019, is incomplete, security researcher Amir Etemadieh has discovered.
It's a quality write-up and contains a one-line PoC exploit and full exploits written Bash, Python and Ruby, as well as instructions on how to implement a fix until a more complete patch is released.
New patches have been made available on Monday, for versions 5.6.2, 5.6.1 and 5.6.0 of vBulletin Connect, and they disable the PHP Module widget.
"All older versions should be considered vulnerable. Sites running older versions of vBulletin need to be upgraded to vBulletin 5.6.2 as soon as possible," they advised, and noted that vBulletin Cloud sites are not affected by this issue.
vBulletin flaws, especially when they allow remote code execution without authentication, are usually speedily leveraged by attackers, so admins are advised to implement the patches ASAP..
News URL
http://feedproxy.google.com/~r/HelpNetSecurity/~3/nYdf7usfB0Q/
Related news
- Craft CMS RCE exploit chain used in zero-day attacks to steal data (source)
- Apple fixes two zero-days exploited in targeted iPhone attacks (source)
- Apple plugs zero-day holes used in targeted iPhone attacks (CVE-2025-31200, CVE-2025-31201) (source)
- Apple Patches Two Zero-Days Used in ‘Extremely Sophisticated’ Attacks (source)
- ⚡ Weekly Recap: iOS Zero-Days, 4Chan Breach, NTLM Exploits, WhatsApp Spyware & More (source)
- Phishing detection is broken: Why most attacks feel like a zero day (source)
- DslogdRAT Malware Deployed via Ivanti ICS Zero-Day CVE-2025-0282 in Japan Attacks (source)
- SAP fixes suspected Netweaver zero-day exploited in attacks (source)
- Google: 97 zero-days exploited in 2024, over 50% in spyware attacks (source)
- Enterprise tech dominates zero-day exploits with no signs of slowdown (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-09-24 | CVE-2019-16759 | Code Injection vulnerability in Vbulletin vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request. | 9.8 |