A critical remote code execution (RCE) bug affecting default 5.x versions of vBulletin (CVE-2019-16759) is being actively exploited in the wild. A zero-day proof-of-concept code was anonymously published on Securelist this week. The fix is for versions 5.2, 5.5.3 and 5.4; users on earlier versions will need to update to one of the currently supported versions in order to apply the patch. An unauthenticated attacker can exploit the issue by sending a specially crafted HTTP POST request to a vulnerable host and execute commands.
Source: https://threatpost.com/exploits-critical-vbulletin-rce-bug/148712/