cbcvebase.
CVE-2020-12720
published 2020-05-08

CVE-2020-12720: vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control.

Priority: P1 84 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 88.95% (99.8th percentile)

Affected (4 ranges)

Vendor      Product     Version range        Fixed in
vbulletin   vbulletin
vbulletin   vbulletin
vbulletin   vbulletin
vbulletin   vbulletin   >= 5.0.0 < 5.5.6     5.5.6

Detection & IOCs (extracted from sources)

url: /ajax/api/content_infraction/getIndexableContent
url: /ajax/api/content_attach/getIndexableContent
command: curl "http://localhost/vb5/ajax/api/content_attach/getIndexableContent" -H 'X-Requested-With: XMLHttpRequest' -d "nodeId[nodeid]=SQLi"
command: nodeId%5Bnodeid%5D=1%20union%20select%201%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2CCONCAT%28%27vbulletin%27%2C%27rce%27%2C%40%40version%29%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26%2C27--+-
yara words: vbulletinrce
  • Look for POST requests to /ajax/api/content_infraction/getIndexableContent with the header X-Requested-With: XMLHttpRequest and a body containing a UNION-based SQL injection payload in the nodeId[nodeid] parameter.
  • Also monitor POST requests to /ajax/api/content_attach/getIndexableContent with the nodeId[nodeid] parameter containing SQL injection payloads — an alternate endpoint referenced in the PoC.
  • Successful exploitation response contains the string 'vbulletinrce' — use this as a detection signature in HTTP response bodies.
  • The exploit achieves unauthenticated SQL injection to extract admin credentials and security token, then proceeds to RCE — monitor for admin password reset activity following SQLi attempts.
  • Use Shodan/FOFA queries to identify exposed vBulletin instances: search for http.title or http.html containing 'powered by vbulletin'.
  • The exploit creates a backdoor page on the server after admin takeover — monitor for unexpected new PHP files created in the vBulletin web root.
  • The CVE is officially classified as 'incorrect access control' but patch diffing revealed the actual fixes address SQL injection vulnerabilities — detection should focus on SQLi patterns, not just access control bypass.
  • The exploit is unauthenticated — no session or login is required to trigger the SQL injection, meaning perimeter controls relying on authentication state will not block initial exploitation.
  • Affected versions span multiple release branches (5.5.6 before pl1, 5.6.0 before pl1, 5.6.1 before pl1) — ensure detection/patching covers all three branches, not just 5.6.1.
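As an added example (not part of this CVE record and not vBulletin project code), the following Python turns the indicators listed above into detection logic run over an access log: it flags POST requests to either getIndexableContent endpoint whose nodeId[nodeid] parameter carries a SQL injection pattern, records whether the X-Requested-With: XMLHttpRequest header was present, and escalates the verdict when the response body contains the 'vbulletinrce' marker. The JSON-lines log format, its field names, and the sample entries are constructed assumptions for the example; the regex generalizes beyond the UNION-based payload on this page to time-based and tautology probes against the same parameter.

```python
import json
import re
from urllib.parse import parse_qs

# Endpoints from the IOC list above. Matched by suffix because vBulletin is often
# installed under a prefix such as /vb5/ (as in the curl command on this page).
TARGET_PATHS = (
    "/ajax/api/content_infraction/getIndexableContent",
    "/ajax/api/content_attach/getIndexableContent",
)
PARAM = "nodeId[nodeid]"          # the injected parameter named in the IOCs
SUCCESS_MARKER = "vbulletinrce"   # string the PoC's CONCAT() makes the server echo back

# SQLi patterns checked against the decoded parameter value. Broader than the
# single UNION payload on this page so that variants on the same parameter are caught.
SQLI_RE = re.compile(
    r"(?i)(\bunion\b\s+(?:all\s+)?\bselect\b"   # UNION-based extraction, as in the PoC
    r"|@@version"                                # DB fingerprinting used in the PoC payload
    r"|\b(?:sleep|benchmark)\s*\("               # time-based probing
    r"|'\s*(?:or|and)\b)"                        # quote followed by a tautology
)

# Constructed sample log (assumed JSON-lines format, one request per line).
SAMPLE_LOG = """\
{"method":"POST","path":"/vb5/ajax/api/content_attach/getIndexableContent","headers":{"X-Requested-With":"XMLHttpRequest"},"body":"nodeId%5Bnodeid%5D=1%20union%20select%201%2C2%2CCONCAT%28%27vbulletin%27%2C%27rce%27%2C%40%40version%29--+-","status":200,"response":"rawtext: vbulletinrce10.x-constructed-version-string"}
{"method":"POST","path":"/vb5/ajax/api/content_attach/getIndexableContent","headers":{"X-Requested-With":"XMLHttpRequest"},"body":"nodeId%5Bnodeid%5D=42","status":200,"response":"node 42 indexable text"}
{"method":"GET","path":"/vb5/forum","headers":{},"body":"","status":200,"response":"powered by vbulletin"}
{"method":"POST","path":"/ajax/api/content_infraction/getIndexableContent","headers":{"X-Requested-With":"XMLHttpRequest"},"body":"nodeId%5Bnodeid%5D=1%27%20OR%20SLEEP%285%29--+-","status":500,"response":"Database error"}
"""


def classify(record):
    """Classify one parsed log record (dict with method, path, headers, body, response).

    Returns (verdict, indicators); verdict is 'benign', 'attempt' or 'likely_success'.
    """
    path = record.get("path", "")
    if record.get("method") != "POST" or not path.endswith(TARGET_PATHS):
        return "benign", []

    indicators = []
    headers = {k.lower(): v for k, v in record.get("headers", {}).items()}
    if headers.get("x-requested-with", "").lower() == "xmlhttprequest":
        indicators.append("xhr_header")

    # parse_qs percent-decodes keys and values, so the check runs on plain SQL text.
    values = parse_qs(record.get("body", "")).get(PARAM, [])
    if any(SQLI_RE.search(v) for v in values):
        indicators.append("sqli_in_nodeid")

    if SUCCESS_MARKER in record.get("response", "").lower():
        indicators.append("success_marker_in_response")

    if "success_marker_in_response" in indicators:
        return "likely_success", indicators
    if "sqli_in_nodeid" in indicators:
        return "attempt", indicators
    return "benign", indicators


def scan(log_text):
    """Run classify() over JSON-lines log text; return non-benign hits with line numbers."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than stop the whole scan
        verdict, indicators = classify(record)
        if verdict != "benign":
            hits.append({"line": lineno, "path": record.get("path"),
                         "verdict": verdict, "indicators": indicators})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The XHR header is recorded but not required for a hit, since an attacker can omit or alter it while the injected parameter is still the decisive signal; the response marker only appears when the PoC payload ran unchanged, so treat 'attempt' hits as worth investigating even without it.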

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck             9.8     CRITICAL