Threat Watch

vBulletin Releases Patch for New Zero-Day

A new zero-day vulnerability for the popular forum software vBulletin was posted online yesterday, August 9th. The exploit is considered extremely simple to use and allows for unauthenticated Remote Code Execution (RCE). Unhappy with the way vBulletin handled the previous version of this exploit (CVE-2019-16759) a year prior, Amir Etemadieh (@Zenofex) decided to publicize the exploit rather than quietly disclose it. Within hours after publishing the blog post, several sites had come under attack, including the forum for defcon.org. Thankfully, vBulletin has provided a patch for the affected versions and will be removing the vulnerable module in a future update.

ANALYST NOTES

Binary Defense highly recommends that any site administrators running vBulletin 5.6.2 and below visit the “Member’s Area” at https://members.vbulletin.com/patches.php. Patches have been made available for versions 5.6.0 through 5.6.2. Administrators of older versions are strongly urged to update to the latest version.

Source: https://www.bleepingcomputer.com/news/security/vbulletin-fixes-ridiculously-easy-to-exploit-zero-day-rce-bug/

https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4445227-vbulletin-5-6-0-5-6-1-5-6-2-security-patch

https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/