CVE-2020-17496
published 2020-08-12
Priority: P1 95 · critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 87.74% (99.7th percentile)
vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vbulletin | vbulletin | 5.5.4 – 5.6.2 | — |
Detection & IOCs (extracted from sources)
- other: `subWidgets[0][template]=widget_php&subWidgets[0][config][code]=echo shell_exec('cat ../../../../../../../../../../../../etc/passwd'); exit;`
- command: `curl -s http://SITE/ajax/render/widget_tabbedcontainer_tab_panel -d 'subWidgets[0][template]=widget_php&subWidgets[0][config][code]=echo%20shell_exec("id"); exit;'`
- Detect HTTP POST requests to /ajax/render/widget_tabbedcontainer_tab_panel with body parameters containing 'subWidgets[0][template]=widget_php' — this is the core exploit delivery mechanism for CVE-2020-17496.
- Look for the parameter combination 'subWidgets[0][template]=widget_php' alongside 'subWidgets[0][config][code]=' in the POST body — this loads the widget_php template to bypass the CVE-2019-16759 patch and reach an eval call with user input.
- Shodan/FOFA queries for exposed vBulletin instances: search for 'http.title:"powered by vbulletin"', 'http.html:"powered by vbulletin"', or 'http.component:"vbulletin"' to identify potentially vulnerable targets.
- The vulnerability is pre-authentication (no credentials required); any unauthenticated POST to the widget_tabbedcontainer_tab_panel endpoint with the widget_php template parameter should be treated as a high-confidence attack indicator.
- The vulnerability only affects vBulletin versions 5.5.4 through 5.6.2; versions outside this range (including older 5.x branches) may still be vulnerable but are not confirmed by the patch scope.
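As an added defensive example (not code from this page's sources), the following check applies the indicators above to raw HTTP requests: the endpoint path and the `subWidgets[...]` parameter names come from the page, while the sample requests and the confidence tiers are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/ajax/render/widget_tabbedcontainer_tab_panel"
# Parameter names taken from the indicators on this page; the index may be any integer.
TEMPLATE_KEY = re.compile(r"^subWidgets\[\d+\]\[template\]$")
CODE_KEY = re.compile(r"^subWidgets\[\d+\]\[config\]\[code\]$")


def parse_raw_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    method, target, _ = head.split("\r\n", 1)[0].split(" ", 2)
    return method, urlsplit(target).path, body


def classify(method, path, body):
    """'high', 'medium' or 'none': confidence that the request is a CVE-2020-17496 attempt."""
    if method.upper() != "POST" or not path.endswith(ENDPOINT):
        return "none"
    # parse_qs percent-decodes keys too, so subWidgets%5B0%5D... is matched as well.
    params = parse_qs(body, keep_blank_values=True)
    picks_php = any(TEMPLATE_KEY.match(k) and "widget_php" in v for k, v in params.items())
    if not picks_php:
        return "none"
    # Template selection alone is suspicious; a code parameter alongside it is the full chain.
    return "high" if any(CODE_KEY.match(k) for k in params) else "medium"


def scan(requests):
    """Return [(index, verdict)] for every request that is not classified 'none'."""
    hits = []
    for i, raw in enumerate(requests):
        verdict = classify(*parse_raw_request(raw))
        if verdict != "none":
            hits.append((i, verdict))
    return hits


# Constructed sample traffic (not captured data): a benign widget render, the
# percent-encoded body quoted on this page, a bracket-encoded variant, and a GET.
HDR = "POST /ajax/render/widget_tabbedcontainer_tab_panel HTTP/1.1\r\nHost: forum.example\r\n\r\n"
SAMPLE_REQUESTS = [
    HDR + "subWidgets[0][template]=widget_text&subWidgets[0][config][title]=Hello",
    HDR + 'subWidgets[0][template]=widget_php&subWidgets[0][config][code]=echo%20shell_exec("id"); exit;',
    HDR + "subWidgets%5B0%5D%5Btemplate%5D=widget_php",
    "GET /forum HTTP/1.1\r\nHost: forum.example\r\n\r\n",
]

if __name__ == "__main__":
    for idx, verdict in scan(SAMPLE_REQUESTS):
        print(f"request {idx}: {verdict}-confidence CVE-2020-17496 attempt")
```

The check keys on the decoded parameter names rather than on a literal substring, so a percent-encoded variant of the same request is still caught.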
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
GHSA
GHSA-mvwh-2m72-5jm7: vBulletin 5
ghsa_unreviewed · 2022-05-24 · CVSS 9.8 · CVE-2020-7373 [CRITICAL] · CWE-77
vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759. ALSO NOTE: CVE-2020-7373 is a duplicate of CVE-2020-17496. CVE-2020-17496 is the preferred CVE ID to track this vulnerability.
GHSA
GHSA-j77p-6wx9-cjqq: vBulletin 5
ghsa_unreviewed · 2022-05-24 · CVSS 9.8 · CVE-2020-17496 [CRITICAL] · CWE-74
vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759.
VulnCheck
vBulletin PHP Module Remote Code Execution Vulnerability
vulncheck · 2020 · CVSS 9.8 · CVE-2020-17496 [CRITICAL] · CWE-74
The PHP module within vBulletin contains an unspecified vulnerability that allows for remote code execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. This CVE ID resolves an incomplete patch for CVE-2019-16759.
Affected: vBulletin vBulletin
Required Action: Apply updates per vendor instructions.
Exploitation References: https://blogs.juniper.net/en-us/threat-research/everything-but-the-kitchen-sink-more-attacks-from-the-gitpaste-12-worm; https://unit42.paloaltonetworks.com/network-attack-trends-winter-2020/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-18&host_
CISA
vBulletin PHP Module Remote Code Execution Vulnerability
cisa · 2021-11-03 · CVSS 9.8 · CVE-2020-17496 [CRITICAL] · CWE-74
Affected: vBulletin vBulletin
The PHP module within vBulletin contains an unspecified vulnerability that allows for remote code execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. This CVE ID resolves an incomplete patch for CVE-2019-16759.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2020-17496
Remediation Due Date: 2022-05-03
No detection rules found.
Nuclei
vBulletin 5.5.4 - 5.6.2 - Remote Command Execution
nuclei · CVSS 9.8 · CVE-2020-17496 [CRITICAL]
vBulletin versions 5.5.4 through 5.6.2 allow remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759.
Template:
```yaml
id: CVE-2020-17496

info:
  name: vBulletin 5.5.4 - 5.6.2- Remote Command Execution
  author: pussycat0x
  severity: critical
  description: 'vBulletin versions 5.5.4 through 5.6.2 allow remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759.'
  impact: |
    Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the target system.
  remediation:
```
Metasploit
vBulletin 5.x /ajax/render/widget_tabbedcontainer_tab_panel PHP remote code execution
metasploit · CVSS 9.8 · CVE-2019-16759 [CRITICAL]
This module exploits a logic bug within the template rendering code in vBulletin 5.x. The module uses the vBulletin template rendering functionality to render the 'widget_tabbedcontainer_tab_panel' template while also providing the 'widget_php' argument. This causes the former template to load the latter bypassing filters originally put in place to address 'CVE-2019-16759'. This also allows the exploit to reach an eval call with user input allowing the module to achieve PHP remote code execution on the target. This module has been tested successfully on vBulletin version 5.6.2 on Ubuntu Linux.
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
blogs_qualys · 2022-02-23
#### Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Tenable
One Year Later: What Can We Learn from Zerologon?
blogs_tenable · 2021-08-11
Unit42
Network Attack Trends: Internet of Threats (November 2020-January 2021)
blogs_unit42 · 2021-04-12 · CVSS 7.5 · CVE-2020-28188 [HIGH]
Lei Xu, Yue Guan, Vaibhav Singhal · Published: April 12, 2021
## Executive Summary
Unit 42 researchers analyzed network attack trends over Winter 2020 and discovered many interesting exploits in the wild. During the period of Nov. 2020 to Jan. 2021, the majority of the attacks we observed were classified as critical (75%), compared to the 50.4% we reported in the fall of 2020. Several newly observed exploits, including CVE-2020-28188, CVE-2020-17519, and CVE-2020-29227, have emerged and were continuously being exploited in the wild as of late 2020 to early 2021.
This blog provides details of the newly observed exploits as well as a deep dive into the exploitation analysis, vendor analysis, attack origin, and attack category distribution.
Palo Alto Networks Next-Generation Firewall customers are protected from these attacks with the URL Filtering an
Unit42
Network Attack Trends: Internet of Threats (August-October 2020)
blogs_unit42 · 2021-01-22 · CVSS 9.8 · CVE-2012-2311 [CRITICAL]
Yue Guan, Lei Xu, Ken Hsu, Zhibin Zhang · Published: January 22, 2021
## Executive Summary
Unit 42 researchers observed interesting attack trends from August-October 2020. Despite a surge in scanner activities and HTTP directory traversal exploitation attempts, CVE-2012-2311 and CVE-2012-1823, which were the most commonly exploited vulnerabilities in the wild in early summer 2020, are no longer at the top of that list. Several new critical exploits, including but not limited to CVE-2020-17496 and CVE-2020-25213, have emerged and were being utilized at a constant and concerning rate as of fall 2020. To complicate matters, malicious actors are well aware that new exploits aren’t always needed to get the job done. Based on observations of malicious traffic for the designated three months, weaponized ThinkPHP vulnerabilities like CVE-2018-20062 and CVE-2019-908
Unit42
Network Attack Trends: Attackers Leveraging High Severity and Critical Exploits (May-July 2020)
blogs_unit42 · 2020-09-15 · CVSS 9.8 · CVE-2021-24074 [CRITICAL] · CVE-2012-2311 [CRITICAL]
Brock Mammen, Yue Guan, Yu Fu · Published: September 15, 2020
## Executive Summary
From May 1-July 21, 2020, Unit 42 researchers captured global network traffic from firewalls around the world and then analyzed the data to examine the latest network attack trends. The majority of attacks we observed were classified as high severity (56.7%), and nearly one quarter (23%) were classified as critical. The most common vulnerabilities exploited were CVE-2012-2311 and CVE-2012-1823, both command injection vulnerabilities in PHP CGI scripts. This indicates that attackers are looking for exploits with high impact.
We analyzed the network attacks in terms of the countries from which they originated. Of note, China overwhelmingly had the highest activity, followed by Russia and the United States. This may be in part because of the large population that China,
Unit42
Exploits in the Wild for vBulletin Pre-Auth RCE Vulnerability CVE-2020-17496
blogs_unit42 · 2020-09-03 · CVSS 9.8 · CVE-2020-17496 [CRITICAL]
Haozhe Zhang, Qi Deng, Zhibin Zhang, Ruchna Nigam · Published: September 3, 2020
## Executive Summary
In September 2019, a remote code execution (RCE) vulnerability identified as CVE-2019-16759 was disclosed for vBulletin, a popular forum software. At that time, Unit 42 researchers published a blog on this vBulletin vulnerability, analyzing its root cause and the exploit we found in the wild. By exploiting this vulnerability, an attacker could have gained privileged access and control over any vBulletin server running versions 5.0.0 up to 5.5.4, and potentially lock organizations out from their own sites.
Recently, Unit 42 researchers found exploits in the wild leveraging the vBulletin pre-auth RCE vulnerability CVE-2020-17496. The exploits are a bypass of the fix for the previous vulnerability, CVE-2019-16759, which allows attackers to send a crafted HTTP request wi
Tenable
CVE-2020-17496: Zero-Day Remote Code Execution Vulnerability in vBulletin Disclosed
blogs_tenable · 2020-08-10 · CVSS 9.8 · [CRITICAL]
References
- https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/
- https://cwe.mitre.org/data/definitions/78.html
- https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4445227-vbulletin-5-6-0-5-6-1-5-6-2-security-patch
- https://seclists.org/fulldisclosure/2020/Aug/5
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-17496
Timeline
- 2020-08-12: Published
- 2021-11-03: Added to CISA KEV
- Exploited in the wild