Three separate proof-of-concepts on Bash, Python and Ruby posted to outsmart fix issued last year to remedy pre-auth RCE bug. Austin-based security researcher Amir Etemadieh published details and examples of exploit code on three developer platforms. A patch was issued two days later, Sept. 25, 2019, that seemed, at the time, to fix the proof of concept exploit provided by the un-named finder, he said.
Source: https://threatpost.com/researcher-publishes-bypass-for-patch-for-vbulletin-0-day-flaw/158232/