CVE-2020-12720
Published: 2020-05-08
CVE-2020-12720: vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control.
Priority P184 · critical · 9.8 CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 88.95% (99.8th percentile)
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vbulletin | vbulletin | — | — |
| vbulletin | vbulletin | — | — |
| vbulletin | vbulletin | — | — |
| vbulletin | vbulletin | >= 5.0.0 < 5.5.6 | 5.5.6 |
Detection & IOCs
command: curl "http://localhost/vb5/ajax/api/content_attach/getIndexableContent" -H 'X-Requested-With: XMLHttpRequest' -d "nodeId[nodeid]=SQLi"
command: nodeId%5Bnodeid%5D=1%20union%20select%201%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2CCONCAT%28%27vbulletin%27%2C%27rce%27%2C%40%40version%29%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26%2C27--+-
yara words: vbulletinrce
- Look for POST requests to /ajax/api/content_infraction/getIndexableContent with the header X-Requested-With: XMLHttpRequest and a body containing a UNION-based SQL injection payload in the nodeId[nodeid] parameter.
- Also monitor POST requests to /ajax/api/content_attach/getIndexableContent with the nodeId[nodeid] parameter containing SQL injection payloads, an alternate endpoint referenced in the PoC.
- Successful exploitation response contains the string 'vbulletinrce'; use this as a detection signature in HTTP response bodies.
- The exploit achieves unauthenticated SQL injection to extract admin credentials and security token, then proceeds to RCE; monitor for admin password reset activity following SQLi attempts.
- Use Shodan/FOFA queries to identify exposed vBulletin instances: search for http.title or http.html containing 'powered by vbulletin'.
- The exploit creates a backdoor page on the server after admin takeover; monitor for unexpected new PHP files created in the vBulletin web root.
- The CVE is officially classified as 'incorrect access control' but patch diffing revealed the actual fixes address SQL injection vulnerabilities; detection should focus on SQLi patterns, not just access control bypass.
- The exploit is unauthenticated: no session or login is required to trigger the SQL injection, meaning perimeter controls relying on authentication state will not block initial exploitation.
- Affected versions span multiple release branches (5.5.6 before pl1, 5.6.0 before pl1, 5.6.1 before pl1); ensure detection/patching covers all three branches, not just 5.6.1.
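CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |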
GHSA
GHSA-rgcf-v2qh-fw5r: vBulletin before 5
ghsa_unreviewed·2022-05-24
CVE-2020-12720 [HIGH] CWE-863 GHSA-rgcf-v2qh-fw5r: vBulletin before 5
vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control.
VulnCheck
vBulletin vBulletin Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
vulncheck·2020·CVSS 9.8
CVE-2020-12720 [CRITICAL] vBulletin vBulletin Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control.
Affected: vBulletin vBulletin
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://unit42.paloaltonetworks.com/network-attack-trends-winter-2020/; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-11&host_type=src&vulnerability=cve-2020-12720; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-25&host_type=src&vulnerability=cve-2020-12720; https://dashboard.shadowserver.org/s
No detection rules found.
Exploit-DB
vBulletin 5.6.1 - 'nodeId' SQL Injection
exploitdb·2020-05-15·CVSS 9.8
CVE-2020-12720 [CRITICAL] vBulletin 5.6.1 - 'nodeId' SQL Injection
---
# Exploit Title: vBulletin 5.6.1 - 'nodeId' SQL Injection
# Date: 2020-05-15
# Exploit Author: Photubias
# Vendor Advisory: [1] https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4440032-vbulletin-5-6-1-security-patch-level-1
# Version: vBulletin v5.6.x (prior to Patch Level 1)
# Tested on: vBulletin v5.6.1 on Debian 10 x64
# CVE: CVE-2020-12720 vBulletin v5.6.1 (SQLi) with path to RCE
#!/usr/bin/env python3
'''
Copyright 2020 Photubias(c)
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in
Metasploit
vBulletin /ajax/api/content_infraction/getIndexableContent nodeid Parameter SQL Injection
metasploit
This module exploits a SQL injection vulnerability found in vBulletin 5.6.1 and earlier. This module uses the getIndexableContent vulnerability to reset the administrator's password; it then uses the administrator's login information to achieve RCE on the target. This module has been tested successfully on vBulletin version 5.6.1 on the Ubuntu Linux distribution.
Metasploit
vBulletin /ajax/api/content_infraction/getIndexableContent nodeid Parameter SQL Injection
metasploit
This module exploits a SQL injection vulnerability found in vBulletin 5.x.x to dump the user table information or to dump all of the vBulletin tables (based on the selected options). This module has been tested successfully on vBulletin version 5.6.1 on Ubuntu Linux.
Nuclei
vBulletin SQL Injection
nuclei·CVSS 9.8
CVE-2020-12720 [CRITICAL] vBulletin SQL Injection
vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control that permits SQL injection attacks.
Template:
id: CVE-2020-12720
info:
  name: vBulletin SQL Injection
  author: pdteam
  severity: critical
  description: vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control that permits SQL injection attacks.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the underlying system.
  remediation: |
    Apply the latest security patch or upgrade to a non-vulnerable version of vBulletin.
  reference:
    - https://github.com/rekter0/exploits/tree/master/CVE-2020-12720
    - https://nvd.nist.gov/vuln/detail/CVE-2020-1272
Unit42
Network Attack Trends: Internet of Threats (November 2020-January 2021)
blogs_unit42·2021-04-12·CVSS 7.5
CVE-2020-28188 [HIGH] Network Attack Trends: Internet of Threats (November 2020-January 2021)
# Executive Summary
Unit 42 researchers analyzed network attack trends over Winter 2020 and discovered many interesting exploits in the wild. During the period of Nov. 2020 to Jan. 2021, the majority of the attacks we observed were classified as critical (75%), compared to the 50.4% we reported in the fall of 2020. Several newly observed exploits, including CVE-2020-28188, CVE-2020-17519, and CVE-2020-29227, have emerged and were continuously being exploited in the wild as of late 2020 to early 2021.
This blog provides details of the newly observed exploits as well as a deep dive into the exploitation analysis, vendor analysis, attack origin, and attack category distribution.
Palo Alto Networks Next-Generation Firewall customers are protected from these attacks with the URL Filtering an
Lei Xu
Yue Guan
Vaibhav Singhal
Published: April 12, 2021
Tenable
CVE-2020-17496: Zero-Day Remote Code Execution Vulnerability in vBulletin Disclosed
blogs_tenable·2020-08-10·CVSS 9.8
[CRITICAL] CVE-2020-17496: Zero-Day Remote Code Execution Vulnerability in vBulletin Disclosed
Tenable
CVE-2020-12720: vBulletin Urges Users to Patch Undisclosed Security Vulnerability
blogs_tenable·2020-05-08·CVSS 9.8
[CRITICAL] CVE-2020-12720: vBulletin Urges Users to Patch Undisclosed Security Vulnerability
http://packetstormsecurity.com/files/157716/vBulletin-5.6.1-SQL-Injection.html
http://packetstormsecurity.com/files/157904/vBulletin-5.6.1-SQL-Injection.html
https://attackerkb.com/topics/RSDAFLik92/cve-2020-12720-vbulletin-incorrect-access-control
https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4440032-vbulletin-5-6-1-security-patch-level-1