If you’re using vBulletin to power your online forum(s), you should implement the newest security patches offered by the developers as soon as possible.
The patches fix CVE-2020-12720, a vulnerability affecting versions 5.5.6, 5.6.0 and 5.6.1 with could be exploited without previous authentication.
CVE-2020-12720 has been defined as an incorrect access control issue, but no additional information has been shared.
Charles Fol, a security engineer at Ambionics Security, discovered and reported the “critical” vulnerability and will be sharing details about it in early June at the SSTIC infosec conference.
In the meantime, security researchers have been analyzing the changes made to the software’s code with the latest updates and trying to discover more about the fixed flaw(s).
I'm diffing the changes for CVE-2020-12720 in vBulletin 5.6.1 vs 5.6.1 PL1 and while the CVE is marked as an "incorrect access control" vulnerability all I currently see is 2 fixes for SQLi vulns. 1/5https://t.co/DTz6KG8tky
— Amir Etemadieh (@Zenofex) May 9, 2020
You can be sure that malicious actors are trying to do that as well. If they succeed in creating a working exploit, nothing will stop them from mounting attacks.
The last time a critical vBulletin flaw and an exploit for it were released to the public, attackers started actively targeting vBulletin-based online forums right away.
This time, users are lucky to get an early warning and can implement the patches before the attacks start.