vBulletin Zero Day Vulnerability Released by Anonymous Source



UPDATE: Looks like you can now get a patch HERE


An anonymous source has released the details of a zero day vulnerability for the popular vBulletin forum platform, leaving potentially tens of thousands of sites and millions of users at risk.

The information was published in a post to the Full Disclosure mailing list explaining how users can use a simple HTTP POST request to execute commands remotely on the targeted vBulletin hosts without any authentication. This may allow an attacker to steal or tamper with data, or even launch assaults on other systems, depending on the level of credentials.

Notable vBulletin customers that could be affected include: Denver Broncos, Pearl Jam, EA, Steam and even NASA. Many dark web forums also often run on vBulletin.

It is not clear whether vBulletin was approached with this vulnerability prior to release, or why the anonymous researcher released the information in this way. Def Con highlighted on Twitter that the Zerodium price chart currently values this exploit anywhere up to $10,000.

Some good news is that this zero day will only impact vBulletin version 5 forums. Any forums running earlier versions appear to be safe. Users are being advised to keep a close eye on their servers.

Some more good news is that AppCheck has already released a plug-in for this specific vulnerability. More details below.


AppCheck vBulletin Scan Plug-in

Earlier today AppCheck released a new scan plug-in to its customers to run quick scans and assess their level of vulnerability in relation to the vBulletin 5.x 0day pre-auth RCE exploit – CVE-2019-16759.

AppCheck’s Head of Development states: “We have confirmed the exploit does work and is an unauthenticated RCE that attackers can exploit. Depending on the user level they access this could range from simply accessing data, editing it or even full system takeover. Earlier today we have included a plug-in for our customers to identify and safely exploit this vulnerability.”

AppCheck regular scans also pick up pre-authentication remote code execution similar to this one.


Unofficial Patch Released

A researcher has created what appears to be an unofficial patch, stating: ‘I have no clue what functionality this breaks other than the [vuln entrypoint]. Broken is better than insecure […]’ Use at your own risk.

More details here.

Other fixes include completely taking down the forum until a fix is released.


Additional Information

As always, if you require any more information on this topic or want to see what vulnerabilities AppCheck can pick up in your website and applications then please get in contact with us: info@appcheck-ng.com

