Attacker Value
High
(1 user assessed)
Exploitability
High
(1 user assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
1

CVE-2020-12720 vBulletin incorrect access control

Disclosure Date: May 08, 2020
Exploited in the Wild
Reported by ccondon-r7
Add any MITRE ATT&CK Tactics to the list below that apply to this CVE.

Description

vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control.

Add Assessment

1
Ratings
  • Attacker Value
    High
  • Exploitability
    High
Technical Analysis

Vuln affects versions 5.0.0 to 5.5.4 and is weaponized in the form of a Metasploit module: https://github.com/rapid7/metasploit-framework/pull/13512
Credit to Charles Fol for discovery and Zenofex for fast analysis and slick weaponization.

I keep thinking that it’s unlikely enterprises use vBulletin and this must be more of a risk to small- and medium-sized businesses, but looking at some of the companies that are said to be vBulletin customers, I suppose that’s not necessarily true. Article on in-the-wild exploitation here.

General Information

Technical Analysis