
CVE-2019-16759: vBulletin Zero-Day Impacts Millions of Users

A new zero-day vulnerability, CVE-2019-16759, was just unearthed in vBulletin, a proprietary Internet forum software package. The vulnerability was discovered by an anonymous security researcher who published the details of the exploit online, exposing vBulletin users to risk. As CVE-2019-16759 is currently unpatched, security researchers are concerned that the public exploit details could lead to cyberattacks against internet forums.




What is the vBulletin zero-day all about?

Analysis of the published code reveals that the flaw could allow an attacker to execute shell commands on the server running the vBulletin installation. The attacker does not need a registered account on the targeted forum. This is known as a pre-authentication remote code execution attack, which is considered one of the worst flaws affecting web-based platforms.

Tenable researchers were able to analyze and confirm that this exploit works on default configurations of vBulletin. Based on the public proof of concept code, an unauthenticated attacker can send a specially crafted HTTP POST request to a vulnerable vBulletin host and execute commands.

These commands would be executed with the permissions of the user account that the vBulletin service is utilizing. Depending on the service user’s permissions, this could allow complete control of a host, the researchers said.

At the time of publication, the CVE-2019-16759 zero-day vulnerability doesn’t have an official mitigation or fix. Security researchers are expecting vBulletin to respond with an advisory or patch soon.


Who is at risk?

Even though it is a commercial product, vBulletin is currently the most popular web forum software package. Its market share appears to be larger than that of open-source solutions such as phpBB, XenForo, Simple Machines Forum, etc.

According to W3Techs, around 0.1% of all internet sites run a vBulletin forum. The percentage may look insignificant, but it actually impacts millions, if not billions, of internet users, ZDNet points out.

Milena Dimitrova
