
Commentary on vBulletin flaw

An anonymous security researcher has published details about a zero-day in vBulletin. This has raised concerns amongst security experts that the publication of details about this unpatched vulnerability could trigger a wave of forum hacks across the internet, with hackers taking over forum installations and stealing user information.

The story has since progressed and there is now a script to mass-identify vulnerable systems, as Gavin Millard, VP of Intelligence at Tenable, explains:

Comment by Gavin Millard, VP of Intelligence, Tenable

Given that this vBulletin flaw offers remote code execution, and that it can be paired with the ability to leverage Shodan [the internet search tool] to find potential targets, it is critically important that security professionals take action.

With just a few taps of the keyboard anyone could take a small piece of code, gather the IP addresses of thousands of vulnerable systems, and automatically exploit them.

Pair that with the fact that, post-exploitation, you can run any command against the compromised device, and we could easily see mass attacks on sites running this ubiquitous news forum software.

Organisations and hobbyists should drop everything to verify what version of vBulletin they are running and, if affected, until a patch is available, I would take the unprecedented step of taking the system offline. It really is that bad.