A zero-day exploit has been found by an unnamed bug hunter that affects versions 5.0.0 through 5.5.4 of vBulletin’s forum software and can be carried out over the internet in an effort to hijack servers. Last night, it was revealed that a regular HTTP POST request is all it takes for an attacker to be able to execute malicious commands without authentication. Through these efforts, attackers would be able to control the servers behind the forum software and carry out criminal activity such as stealing data, tampering with information, and launching assaults on other systems. What’s most shocking is that it can be done using 20 lines or less of Python code, making it an extremely simple yet very effective tactic. vBulletin has been attempted to be reached for comment but have yet to make any mention of the instance–meaning no patch is currently available. This puts a large amount of their customer base at risk, which includes major corporations, sports organizations, and entertainment firms. It will be interesting to see how long vBulletin takes with a response and what the total damage will be when this is said and done.
Analyst Notes
Until this issue is mitigated, entities using version 5 or higher of vBulletin should watch their servers very closely for attempts of exploiting this vulnerability. It may even be safer at this time to simply stop using it until changes are made.
