Anonymous researcher drops vBulletin zero-day impacting tens of thousands of sites
An anonymous security researcher has published details about a zero-day in vBulletin. Despite being a commercial product, vBulletin is today's most popular web forum software package, with a larger market share than open-source solutions like phpBB, XenForo, Simple Machines Forum, MyBB, and others. According to W3Techs, around 0.1% of all internet sites run a vBulletin forum. The percentage looks small, but it actually impacts billions of internet users.
This is a critical vulnerability because it allows an attacker to execute arbitrary commands on the server hosting the site, which could let them plant malware, open reverse shells, or tamper with the site's code. After news of the vulnerability broke, Chaouki Bekrar, the CEO of the exploit acquisition company Zerodium, tweeted that his company had known about this exploit for three years and that many researchers had been selling it for some time. So while this public disclosure has likely increased the volume of attacks using the vulnerability, it has most probably been exploited quietly for a while already.
The vBulletin team has released a patch for this vulnerability, which is now tracked as CVE-2019-16759. ZDNet has also confirmed with Bad Packets, BinaryEdge, and GreyNoise that attackers are now actively using this vulnerability against vulnerable forums.