Attackers Are Quick to Exploit vBulletin’s Latest 0-day Remote Code Execution Vulnerability | Imperva

Number of similar observed requests: 3,000+Explanation: The attacker is likely testing the exploit by executing the md5 function on a given string. If the server returns the md5 hash the exploit has worked.


A Python-based exploit, which can easily be used by low skilled attackers is now publicly available for anyone to exploit this 0-day vulnerability, which has been assigned CVE-2019-16759.


The exploit for this vulnerability enables an attacker to generate a post request to the vulnerable instance of vBulletin, containing the parameter ‘widgetConfig’ which is parsed on the server and evaluated without being sanitized. For example: The attack pattern triggered mitigation rules on our Cloud WAF, based on known existing attack patterns as well as on data we’ve collected on malicious source IPs. This allowed Imperva to observe and block the attack as it occurred, within 24 hours of the vulnerability’s publication. The rules in question matched against known malicious Remote Code Execution patterns present in the body of the request.


The vulnerability exists where URL parameters are passed to a widget file within the forum software itself. These parameters are then parsed on the server without any security checks – the malicious attacker can then inject commands and is able to remotely execute code on the application server.


On Monday 23rd September 2019, an exploit was published for a vulnerability found within vBulletin (versions 5.0.0 to 5.5.4), allowing malicious attackers to perform authentication-free Remote Code Execution on the origin server. Alongside the exploit, “google dorks” – which allow attackers to find potentially vulnerable instances of the service in the wild – were also published.