vBulletin Patches Zero-Day Exploited in Attacks

vBulletin developers on Monday rushed to address a zero-day remote code execution vulnerability in the forum software, one day after the issue was publicly disclosed.
On Sunday, security researcher Amir Etemadieh published information on a new vulnerability in vBulletin, explaining how it can be abused to bypass the patch released in September 2019 for CVE-2019-16759, and also providing proof-of-concept code that demonstrates how easily the flaw can be exploited.
Etemadieh, who has previously identified other severe vulnerabilities in vBulletin, did not contact vBulletin prior to disclosing the new vulnerability, which does not have a CVE identifier yet.
On Monday, vBulletin announced that patches were available for the 5.6.0, 5.6.1, and 5.6.2 versions of vBulletin Connect.
"All older versions should be considered vulnerable. Sites running older versions of vBulletin need to be upgraded to vBulletin 5.6.2 as soon as possible," vBulletin said.
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-09-24 | CVE-2019-16759 | Code Injection vulnerability in Vbulletin vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request. | 9.8 |