Comments: vBulletin Flaw Zero-Day Now Has Script To Mass Identify Potential Victims

It has been reported that an anonymous bug hunter has publicly disclosed a zero-day flaw in the version 5 of the popular vBulletin forum software than can be exploited over the internet to hijack servers. No patch is known to be available.The zero-day allows an attacker to execute shell commands on the server running a vBulletin installation. The attacker doesn’t need to have an account on the targeted forum.

Experts Comments

September 25, 2019
Prash Somaiya
Technical Program Manager
HackerOne
Having looked into this a little, it looks like the Version 5 of vBulletin that has this issue is only in use by 6.4% of users so this risk is mitigated by… well… being out of date. That does not mean these sites are safe, as there is a plethora of other vulnerabilities out there that affect versions below 5.0. Admins and site owners using vBulletin should check what version they're running and, if using Version 5, update it as soon as they can or this trivial issue could cause some major.....Read More
Having looked into this a little, it looks like the Version 5 of vBulletin that has this issue is only in use by 6.4% of users so this risk is mitigated by… well… being out of date. That does not mean these sites are safe, as there is a plethora of other vulnerabilities out there that affect versions below 5.0. Admins and site owners using vBulletin should check what version they're running and, if using Version 5, update it as soon as they can or this trivial issue could cause some major problems.  Read Less
September 25, 2019
Ilia Kolochenko
Founder and CEO
ImmuniWeb
This critical RCE vulnerability is surprisingly simple to exploit, and sadly very few web application firewalls (WAF) will block its exploitation. These days security flaws exploitable in a default configuration and without authentication are very rare in such well-establish web software. We should expect a tornado of automated hacking and web server backdooring campaigns to start now. Website owners running the vulnerable versions should urgently shut down their vBulletin forums completely.....Read More
This critical RCE vulnerability is surprisingly simple to exploit, and sadly very few web application firewalls (WAF) will block its exploitation. These days security flaws exploitable in a default configuration and without authentication are very rare in such well-establish web software. We should expect a tornado of automated hacking and web server backdooring campaigns to start now. Website owners running the vulnerable versions should urgently shut down their vBulletin forums completely while the vendor is working on an emergency patch. The motives of spontaneous disclosure remain unclear, such a vulnerability can worth quite a lot on the Black Market given the important number of high-profile targets using this forum. It can be a junior security enthusiast showcasing his/her skills for fun, as well as a professional cyber gang distracting everyone’s attention from something else.  Read Less
September 25, 2019
Gavin Millard
VP of intelligence
Tenable
Given that this vBulletin flaw offers remote code execution, and that it can be paired with the ability to leverage Shodan [the internet search tool] to find potential targets, makes it critically important that security professionals take action. With just a few taps of the keyboard, anyone could take a small piece of code, gather the IP addresses of 1000s of vulnerable systems, and automatically exploit them. Pair that with the fact that, post-exploitation, you can run any command against .....Read More
Given that this vBulletin flaw offers remote code execution, and that it can be paired with the ability to leverage Shodan [the internet search tool] to find potential targets, makes it critically important that security professionals take action. With just a few taps of the keyboard, anyone could take a small piece of code, gather the IP addresses of 1000s of vulnerable systems, and automatically exploit them. Pair that with the fact that, post-exploitation, you can run any command against the compromised device and we could easily see mass attacks on sites running this ubiquitous news forum software. Organisations and hobbyists should drop everything to verify what version of vBulletin they are running and if affected, and until a patch is available, I would take the unprecedented move to take the system offline. It really is that bad.  Read Less
What do you think of the topic? Do you agree with expert(s) or share your expert opinion below.
Be part of our growing Information Security Expert Community (1000+), please register here.