Detection Content: CVE-2019-16759 exploitation with new method

Today we would like to draw attention to CVE-2019-16759, a vulnerability in vBulletin, the widely used forum software, affecting the 5.x branch.

The vulnerability lets an attacker execute arbitrary PHP code on the server by supplying it in the widgetConfig[code] parameter of an HTTP POST request; depending on the privileges of the web server account under which vBulletin runs, this can give the attacker control of the host.

CVE-2019-16759 was patched in September 2019, but a new method of exploiting it has emerged and the remote code execution is still being actively used in exploitation attempts. Forum administrators were advised to disable PHP widget rendering in the vBulletin admin control panel as a mitigation. Some 5.6.x versions of the software received new patches earlier this week; earlier 5.x versions should be considered vulnerable and upgraded.
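To show what detection of these requests looks like in working code, the following is an added example written for this notice; it is not the Sigma rule published on Threat Detection Marketplace and not vBulletin code. It scans constructed proxy log records for the widgetConfig[code] parameter in either the query string or the POST body, percent-decoding twice and ignoring case so that encoded and double-encoded spellings of the name are still caught, and rates each hit by whether the injected PHP calls an execution primitive. The JSON-lines log format, the field names, and the request paths in the sample records are assumptions made for the example.

```python
"""Added example (not SOC Prime's Sigma rule and not vBulletin code): flag HTTP
requests whose query string or body carries the widgetConfig[code] parameter
used in CVE-2019-16759 exploitation attempts against vBulletin 5.x.

Assumptions: the log source is a reverse proxy or WAF that records POST bodies
as JSON lines with src_ip/method/uri/body fields (ordinary access logs do not
keep bodies, so this logic would only see the query-string variant there).
The log records below, including the request paths, are constructed."""

import json
import re
from urllib.parse import parse_qsl, unquote_plus

# Parameter name named in the CVE-2019-16759 advisory, compared after decoding
# and case-folding so widgetConfig%5Bcode%5D or WIDGETCONFIG[CODE] is not missed.
TARGET_PARAM = "widgetconfig[code]"

# PHP functions that turn injected code into command execution or further eval.
EXEC_FUNCS = re.compile(
    r"\b(shell_exec|system|passthru|exec|popen|proc_open|eval|assert)\s*\(", re.I
)

# Constructed sample records: two exploitation attempts (the second one
# double-encodes the parameter name), one ordinary login, one harmless search.
SAMPLE_LOGS = """\
{"src_ip": "198.51.100.23", "method": "POST", "uri": "/ajax/render/widget_php", "body": "widgetConfig%5Bcode%5D=echo+shell_exec%28%22id%22%29%3B+exit%3B"}
{"src_ip": "203.0.113.9", "method": "POST", "uri": "/ajax/render/widget_php", "body": "WidgetConfig%255Bcode%255D=phpinfo%28%29%3B"}
{"src_ip": "192.0.2.77", "method": "POST", "uri": "/login", "body": "username=alice&password=REDACTED"}
{"src_ip": "192.0.2.78", "method": "GET", "uri": "/forum/search?q=widgetConfig", "body": ""}
"""


def decode_params(raw):
    """Split a query string or form body into (name, value) pairs.

    parse_qsl percent-decodes once; the second unquote_plus catches names and
    values that were double-encoded to slip past a naive string match.
    """
    return [
        (unquote_plus(name).casefold(), unquote_plus(value))
        for name, value in parse_qsl(raw, keep_blank_values=True)
    ]


def severity(code):
    """High if the injected PHP calls an execution primitive, else medium."""
    return "high" if EXEC_FUNCS.search(code) else "medium"


def inspect_request(record):
    """Return one finding per occurrence of the target parameter in a record."""
    path, _, query = record.get("uri", "").partition("?")
    findings = []
    for where, raw in (("query", query), ("body", record.get("body", ""))):
        for name, value in decode_params(raw):
            if name == TARGET_PARAM:
                findings.append({
                    "src_ip": record.get("src_ip"),
                    "method": record.get("method"),
                    "path": path,
                    "where": where,
                    "code": value[:200],
                    "severity": severity(value),
                })
    return findings


def scan(log_text):
    """Run inspect_request over JSON-lines log text and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            findings.extend(inspect_request(json.loads(line)))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(json.dumps(finding))
```

Note that a rule keyed on the parameter name can only fire where the body is visible: plain web-server access logs keep the URI but not the POST payload, so in a SIEM fed only by access logs the query-string branch is the only one that can match, and the body-carrying variant needs a WAF, reverse proxy or application log as its source.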

Halil Ibrahim Cosgun, an active member of the SOC Prime Threat Bounty Developer program, has published a Sigma rule for vBulletin v5.x RCE (CVE-2019-16759 exploitation with new method):

https://tdm.socprime.com/tdm/info/8xfRloY1Ptce/5gbp4XMBQAH5UgbBNVNc/

The rule has translations for the following platforms:

SIEM: ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio

EDR: Carbon Black, CrowdStrike, Elastic Endpoint

MITRE ATT&CK:

Tactics: Initial Access

Techniques: Exploit Public-Facing Application (T1190)

Explore more rules published by Halil Ibrahim Cosgun at Threat Detection Marketplace.


Ready to try out SOC Prime TDM? Sign up for free.

Or join Threat Bounty Program to craft your own content and share it with the TDM community.