Two vBulletin software vulnerabilities exploited

Two serious vulnerabilities affecting vBulletin software versions 5.6.0 through 5.6.9 are currently under active exploitation. Users of the affected versions are strongly advised to apply the available security updates immediately to protect their systems.

One of the discovered issues, tracked as CVE-2023-25136, is a zero-day SQL injection vulnerability. This flaw can potentially allow an attacker to access sensitive data if the affected vBulletin installation is configured with ImageMagick enabled. A security researcher reported this vulnerability, and it is confirmed to be actively leveraged in real-world attacks.

The second vulnerability, identified as CVE-2023-25135, is even more critical. It is an unauthenticated remote code execution (RCE) vulnerability. This means an attacker could potentially execute arbitrary code on the server running vBulletin without needing any authentication. This flaw is highly dangerous as it could lead to a complete compromise of the affected website or server. Like the SQL injection flaw, this RCE vulnerability is also being actively exploited.

Given that both vulnerabilities are being actively exploited in the wild, the risk to unpatched vBulletin installations is significant. The software vendor has released security patches to address these issues.

The recommended action for anyone using vBulletin versions 5.6.0 through 5.6.9 is to upgrade to vBulletin version 5.6.10 or a later version as soon as possible. Applying this patch is essential to close the security gaps created by these critical vulnerabilities and prevent potential compromise. Organizations and individuals relying on vBulletin should prioritize this update to safeguard their data and infrastructure.
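As an added defender's example (not code from the article or from vBulletin): a small Python helper that classifies a vBulletin version string against the affected range the article gives (5.6.0 through 5.6.9, fixed in 5.6.10) and lists which sites in an inventory still need the upgrade. It assumes the operator supplies the version strings; the comparison is done numerically so that 5.6.10 is correctly treated as newer than 5.6.9, which a plain string comparison gets wrong.

```python
# Added example, not from the article: audit vBulletin versions against the
# affected range the article states (5.6.0 - 5.6.9, fixed in 5.6.10).
import re

AFFECTED_MIN = (5, 6, 0)
AFFECTED_MAX = (5, 6, 9)
FIXED = (5, 6, 10)


def parse_version(version: str) -> tuple:
    """Turn '5.6.10' (optionally followed by a tag such as 'Patch Level 1')
    into a tuple of ints so versions compare numerically, not as strings."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def assess(version: str) -> str:
    """Return 'affected', 'fixed', or 'not-covered' for one version string.
    'not-covered' means the branch is outside what this advisory describes."""
    v = parse_version(version)
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    if v >= FIXED:
        return "fixed"
    return "not-covered"


def sites_needing_upgrade(inventory: dict) -> list:
    """Given {site_name: version_string}, return the site names still on an
    affected release, sorted for stable reporting."""
    return sorted(name for name, ver in inventory.items()
                  if assess(ver) == "affected")


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical site names and versions).
    sample = {"forum-a": "5.6.9", "forum-b": "5.6.10 Patch Level 1",
              "forum-c": "5.6.0", "forum-d": "5.7.2"}
    print("Needs upgrade:", sites_needing_upgrade(sample))
```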

Source: https://securityaffairs.com/178481/security/two-flaws-in-vbulletin-forum-software-are-under-attack.html