The fix for CVE-2019-16759, a remote code execution vulnerability in vBulletin that was patched in September 2019, is incomplete, security researcher Amir Etemadieh has discovered.
The discovery and his publishing of PoC and full exploits spurred attackers to launch attacks:
A new VBulletin Zero Day got dropped yesterday by @Zenofex that revealed the CVE-2019-16759 patch was incomplete – within three hours https://t.co/LwbPuEoL5b was attacked, but we were ready for it. Disable PHP rendering to protect yourself until patched! https://t.co/7JtmEzcTFG pic.twitter.com/R4AcCoZt1B
— Jeff ..
Support the originator by clicking the read the rest link below.
