vBulletin Pre-Auth RCE Vulnerability
Description
vBulletin versions 5.5.4 through 5.6.2 contain a critical pre-authentication remote code execution vulnerability (CVE-2020-17496) that allows unauthenticated attackers to execute arbitrary PHP, and therefore arbitrary system commands, on the server. The flaw exists in the /ajax/render/widget_tabbedcontainer_tab_panel endpoint, which renders the child widgets named in the subWidgets parameter of a POST request without checking which template is requested. This is a bypass of the patch for CVE-2019-16759: that fix blocked direct rendering of the widget_php template, but the tabbed container widget still loads any sub-template named in subWidgets[0][template] and passes subWidgets[0][config] to it, so an attacker can name widget_php as the sub-template and supply PHP code in its config, which the application then evaluates. No credentials or session are required.
Remediation
Apply the following remediation steps immediately:
1. Upgrade vBulletin: Update to vBulletin version 5.6.3 or later, which contains a complete fix for this vulnerability. vBulletin also issued a security patch for 5.6.0, 5.6.1 and 5.6.2; installations on 5.5.x must upgrade. Download the release or patch from the official vBulletin customer area only.
2. Verify Installation: After upgrading, confirm the version by checking the footer of your vBulletin installation or reviewing the includes/version_vbulletin.php file.
3. Temporary Mitigation (if immediate patching is not possible): Implement web application firewall (WAF) rules to block POST requests to /ajax/render/widget_tabbedcontainer_tab_panel whose subWidgets parameter names the widget_php template or carries a config[code] value. Match on the decoded request path and body, since the endpoint may live under a subdirectory and the parameter names may be URL-encoded. Treat this strictly as a stopgap: a filter on request shape can be evaded by encoding variations, and the application remains vulnerable until it is patched.
4. Post-Remediation Actions: Review web server logs for POST requests to the affected endpoint prior to patching. Standard access logs do not record POST bodies, so any POST to this endpoint from an unexpected client (scanners, scripting user agents, unfamiliar source addresses) should be investigated rather than dismissed. If exploitation is suspected, conduct a full security audit, review file system integrity with particular attention to newly created or modified PHP files in the web root, check for web shells or backdoors, reset administrator credentials and API keys, and consider restoring from a known-good backup taken before the first suspicious request.
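The following is an added example, not vBulletin code and not a vendor-supplied WAF rule, showing the two checks from steps 3 and 4 in Python: a request filter that rejects the exploit shape (a subWidgets entry naming widget_php or carrying config[code]), and a scanner that pulls POSTs to the affected endpoint out of combined-format access log lines for triage. Function names, the allow-list of methods, and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote_plus

VULN_PATH = "/ajax/render/widget_tabbedcontainer_tab_panel"

# Hypothetical filter modelled on the WAF rule in step 3 (not vBulletin's own code).
# Keys are matched after URL-decoding, so subWidgets%5B0%5D%5Btemplate%5D is caught too.
_TEMPLATE_KEY = re.compile(r"^subWidgets\[\d*\]\[template\]$", re.IGNORECASE)
_CONFIG_CODE_KEY = re.compile(r"^subWidgets\[\d*\]\[config\]\[code\]$", re.IGNORECASE)


def _is_vuln_path(path: str) -> bool:
    """Normalise the path (decode, drop query string, lower-case, strip trailing slash)
    and compare the suffix so a forum installed under /forum/ is still matched."""
    clean = unquote_plus(path).split("?", 1)[0].lower().rstrip("/")
    return clean.endswith(VULN_PATH)


def should_block(method: str, path: str, body: str) -> bool:
    """Return True when a request has the shape of the CVE-2020-17496 exploit:
    a POST to the tabbed-container endpoint whose subWidgets data names the
    widget_php template or supplies a config[code] value."""
    if method.upper() != "POST" or not _is_vuln_path(path):
        return False
    fields = parse_qs(body, keep_blank_values=True)
    for raw_key, values in fields.items():
        key = unquote_plus(raw_key)  # handle a second layer of encoding
        if _TEMPLATE_KEY.match(key) and any(v.strip().lower() == "widget_php" for v in values):
            return True
        if _CONFIG_CODE_KEY.match(key):
            return True
    return False


# Combined log format: ip ident user [ts] "METHOD path proto" status bytes ...
_LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def find_endpoint_hits(log_lines):
    """Return (ip, timestamp, status) for every POST to the affected endpoint.
    Bodies are not logged, so every hit is a lead to investigate, not proof of exploitation."""
    hits = []
    for line in log_lines:
        m = _LOG_LINE.match(line)
        if m and m["method"] == "POST" and _is_vuln_path(m["path"]):
            hits.append((m["ip"], m["ts"], int(m["status"])))
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Aug/2020:14:02:11 +0000] "POST /ajax/render/widget_tabbedcontainer_tab_panel HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '198.51.100.7 - - [10/Aug/2020:14:03:27 +0000] "GET /forum/index.php HTTP/1.1" 200 8210 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Aug/2020:14:05:44 +0000] "POST /forum/ajax/render/widget_tabbedcontainer_tab_panel HTTP/1.1" 500 0 "-" "python-requests/2.24"',
]

if __name__ == "__main__":
    exploit_body = "subWidgets[0][template]=widget_php&subWidgets[0][config][code]=echo+1%3B"
    print("block exploit:", should_block("POST", VULN_PATH, exploit_body))
    for ip, ts, status in find_endpoint_hits(SAMPLE_LOG):
        print(f"review: {ip} at {ts} -> HTTP {status}")
```

The filter deliberately matches on the decoded parameter names rather than on raw substrings like "widget_php", because the exploit can percent-encode either the key or the value; the log scanner only identifies candidate requests and should be followed by the file-system and credential review in step 4.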