CVE-2020-7373
📋 TL;DR
CVE-2020-7373 is a remote command execution vulnerability in vBulletin forums that allows attackers to execute arbitrary code on affected servers. This affects vBulletin versions 5.5.4 through 5.6.2. The vulnerability exists due to incomplete patching of CVE-2019-16759.
💻 Affected Systems
- vBulletin
📦 What is this software?
vBulletin by vBulletin Solutions: a commercial PHP forum platform whose web front end (including the ajax/render/* widget endpoints) is exposed to unauthenticated visitors.
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise allowing attackers to execute arbitrary commands, steal data, install malware, or pivot to other systems.
Likely Case
Remote code execution leading to website defacement, data theft, or installation of backdoors.
If Mitigated
Attackers can still attempt exploitation but will be blocked by proper input validation and security controls.
🎯 Exploit Status
Metasploit module available. Exploitation requires sending crafted subWidgets data to ajax/render/widget_tabbedcontainer_tab_panel endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: vBulletin 5.6.3 and later
Vendor Advisory: https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4445227-vbulletin-5-6-0-5-6-1-5-6-2-security-patch
Restart Required: No
Instructions:
1. Download vBulletin 5.6.3 or later from the official vendor.
2. Back up the current installation.
3. Upload the new files, overwriting the existing installation.
4. Run the upgrade script if required.
🔧 Temporary Workarounds
Block vulnerable endpoint
Temporarily block access to the vulnerable ajax/render/widget_tabbedcontainer_tab_panel endpoint. The rules below assume vBulletin is served from the web root; adjust the path prefix if it lives in a subdirectory.
# For Apache: add to the .htaccess in the vBulletin directory (mod_rewrite required)
RewriteEngine On
RewriteRule ^ajax/render/widget_tabbedcontainer_tab_panel - [F,L]
# For Nginx: add inside the server block that serves vBulletin
location ~ ^/ajax/render/widget_tabbedcontainer_tab_panel {
    deny all;
}
🧯 If You Can't Patch
- Implement WAF rules to block malicious requests to ajax/render/widget_tabbedcontainer_tab_panel endpoint
- Restrict network access to vBulletin installation to trusted IP addresses only
🔍 How to Verify
Check if Vulnerable:
Check vBulletin version in admin panel or via version.txt file in installation directory
Check Version:
cat /path/to/vbulletin/version.txt
Verify Fix Applied:
Verify version is 5.6.3 or later and test that ajax/render/widget_tabbedcontainer_tab_panel endpoint properly validates input
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to ajax/render/widget_tabbedcontainer_tab_panel
- PHP code execution attempts in web logs
- Suspicious subWidgets parameter values
Network Indicators:
- POST requests to /ajax/render/widget_tabbedcontainer_tab_panel with encoded payloads
- Outbound connections from web server to suspicious IPs
SIEM Query:
source="web_logs" AND uri="/ajax/render/widget_tabbedcontainer_tab_panel" AND (subWidgets="*" OR method="POST")
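The version check and the log indicators above, as an added example (not code from the advisory or from vBulletin): it compares a version.txt string against the affected range and flags access-log lines that hit the widget endpoint. It assumes the Apache/Nginx combined log format; the sample lines are constructed, not real traffic.

```python
import re
from urllib.parse import unquote

# Affected range stated in the advisory: 5.5.4 through 5.6.2, fixed in 5.6.3.
AFFECTED_MIN, FIXED_IN = (5, 5, 4), (5, 6, 3)
ENDPOINT = "/ajax/render/widget_tabbedcontainer_tab_panel"

def is_vulnerable_version(version_text):
    """Parse a version.txt string such as '5.6.2'; True if in [5.5.4, 5.6.3)."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", version_text)
    if not m:
        raise ValueError("unrecognised version string: %r" % version_text)
    v = tuple(int(x) for x in m.groups())
    return AFFECTED_MIN <= v < FIXED_IN

# Minimal combined-log parser: client, method, request target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def scan_log_line(line):
    """Return indicator strings for one access-log line; empty if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return []
    client, method, target, status = m.groups()
    path, _, query = target.partition("?")
    hits = []
    if path == ENDPOINT and method == "POST":
        hits.append("POST to vulnerable endpoint")
    # POST bodies are not logged, but subWidgets in a query string is visible.
    if "subwidgets" in unquote(query).lower():
        hits.append("subWidgets parameter in query string")
    return [f"{client} {method} {path} {status}: {h}" for h in hits]

def scan_log(lines):
    return [hit for line in lines for hit in scan_log_line(line)]

# Constructed sample lines: a benign page view, a POST to the widget
# endpoint, and a GET carrying subWidgets in the query string.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Aug/2020:10:00:01 +0000] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Aug/2020:10:00:05 +0000] "POST /ajax/render/widget_tabbedcontainer_tab_panel HTTP/1.1" 200 312 "-" "python-requests/2.24"',
    '198.51.100.9 - - [10/Aug/2020:10:00:09 +0000] "GET /ajax/render/widget_tabbedcontainer_tab_panel?subWidgets%5B0%5D=x HTTP/1.1" 200 312 "-" "curl/7.68"',
]

if __name__ == "__main__":
    print("5.6.2 vulnerable:", is_vulnerable_version("5.6.2"))
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A blocked endpoint (HTTP 403 after the workaround above) still produces these hits, which is useful for confirming the rewrite or deny rule is actually in effect.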
🔗 References
- https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/
- https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4445227-vbulletin-5-6-0-5-6-1-5-6-2-security-patch
- https://github.com/rapid7/metasploit-framework/pull/13970
- https://seclists.org/fulldisclosure/2020/Aug/5