Skip to main content

Huge vBulletin flaw could affect millions of sites

(Image credit: Image source: Shutterstock/Sergey Nivens)

One of the most serious security flaws currently online has been officially patched after being uncovered by security researchers.

The vBulletin zero-day (opens in new tab) remote code execution allows malicious actors to execute any command on the site, meaning downloading malware (opens in new tab), tweaking the site's code, or even deleting the entire MySQL database. The latter actually happened. As it turns out, this flaw has been known for years, and hackers have been actively exploiting it. This was confirmed by Zerodium CEO, Chaouki Bekrar, who tweeted that his company knew about the flaw for three years. He said that ‘many researchers’ have been selling it for years.

vBulletin was relatively slow to react. At first, there was no patch and the company behind the platform was relatively tight-lipped. This gave enough time for enthusiasts such as security researcher Nick Cano (opens in new tab) to build their own patches, and apparently – Cano’s is pretty easy to use.

You can read more about it on this link (opens in new tab).

Soon afterwards, vBulletin patches the issue as well, and encourages everyone to upgrade their forums to version 5.5.2, 5.5.3 and 5.5.4.

vBulletin is one of the world's most popular forum platforms, used by thousands of websites.

Sead Fadilpašić is a freelance tech writer and journalist with more than 17 years experience writing technology-focussed news, blogs, whitepapers, reviews, and ebooks. And his work has featured in online media outlets from all over the world, including Al Jazeera Balkans (where he was a Multimedia Journalist), Crypto News, TechRadar Pro, and IT Pro Portal, where he has written news and features for over five years. Sead's experience also includes writing for inbound marketing, where he creates technology-based content for clients from London to Singapore. Sead is a HubSpot-certified content creator.