CVE-2025-48827
published 2025-05-27

CVE-2025-48827: vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or…

Priority: P1 · 92 · critical
CVSS 3.1: 9.8 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H)
ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 69.65% (99.3rd percentile)
vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later, as demonstrated by the /api.php?method=protectedMethod pattern, as exploited in the wild in May 2025.

Affected (2 ranges)

Vendor      Product     Version range    Fixed in
vbulletin   vbulletin   5.0.0 – 5.7.5
vbulletin   vbulletin   6.0.0 – 6.0.3

Detection & IOCs (extracted from sources)

url:  /ajax/api/ad/replaceAdTemplate
url:  /ajax/api/ad/wrapAdTemplate
path: ajax/api/ad/replaceAdTemplate
path: ajax/render/ad_
url:  /api.php?method=protectedMethod
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS vBulletin replaceAdTemplate Pre-Auth RCE (CVE-2025-48828 & CVE-2025-48827)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ajax/api/ad/replaceAdTemplate"; fast_pattern; http.request_body; content:"template|3d|"; pcre:"/^[^\x26]*?(?:\x3c|\x253[cC])vb(?:\x3a|\x253[aA])if(?:\x20|\x2520)condition\x3d/R"; reference:url,karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce; reference:cve,2025-48828; reference:cve,2025-48827; classtype:web-application-attack; sid:2062621; rev:1; metadata:affected_product vBulletin, attack_target Server, created_at 2025_05_29, cve CVE_2025_48828_CVE_2025_48827, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Critical, tag Exploit, updated_at 2025_05_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Monitor for unauthenticated POST requests to /ajax/api/ad/replaceAdTemplate — this is the primary exploitation endpoint observed in honeypot logs during active in-the-wild attacks in May 2025.
  • Detect two-stage exploitation: first a POST to ajax/api/ad/replaceAdTemplate injecting a malicious template, followed by a second unauthenticated GET/POST to ajax/render/ad_<name> to trigger execution.
  • Inspect POST body for template parameter containing vBulletin template conditional injection patterns (e.g., <vb:if condition=) — the Snort PCRE targets URL-encoded variants as well (\x253c for <, \x253a for :).
  • Attackers were observed attempting to deploy PHP backdoors to execute system commands; look for web shell creation events under the web server document root following exploitation of this endpoint.
  • Nuclei templates for this CVE were publicly available from May 24, 2025 — expect automated scanning activity; correlate high-volume unauthenticated POST requests to vBulletin AJAX endpoints.
  • The Metasploit module targets vBulletin 5.1.0, 5.7.5, 6.0.1, and 6.0.3 on PHP 8.1+; use version fingerprinting to prioritize alerting on these specific version/runtime combinations.
  • The vulnerability only manifests on PHP 8.1 or later due to a behavioral change in ReflectionMethod::invoke(); vBulletin instances running on PHP 8.0 or earlier are NOT affected by this specific bypass.
  • The flaw was likely silently patched in vBulletin 6.x Patch Level 1 and 5.7.5 Patch Level 3 before public disclosure; many sites remained exposed due to not applying these patch levels.
  • Active exploitation confirmed only for CVE-2025-48827 (auth bypass / protected method invocation); the full RCE chain via CVE-2025-48828 had not been confirmed in the wild at time of reporting, though it was considered highly likely.
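As an added example (not code from this page's sources, VulnCheck or vBulletin), the Python below turns the detection notes above into something runnable against constructed data. It does three things: mirrors the ET rule's request-body pattern (a `template=` parameter carrying `<vb:if condition=`, raw or in the URL-encoded variants the rule lists); correlates the two-stage sequence, a POST to /ajax/api/ad/replaceAdTemplate followed by a request to /ajax/render/ad_<name> from the same client; and checks a vBulletin/PHP version pair against the affected ranges listed above plus the PHP 8.1+ condition. The log lines, IPs and timestamps are made up, and the log format is assumed to be the common combined access-log format; bodies are supplied as strings because access logs do not carry POST bodies.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- 1. Body inspection: mirror of the ET rule's http.request_body content + PCRE ---
# The rule anchors on "template=", allows any run of non-'&' bytes, then expects
# "<vb:if condition=" with the encoded forms %3c / %3a / %20 it lists as alternatives.
# The "=" after "condition" is matched literally, exactly as the rule's \x3d does.
_TEMPLATE_INJECT = re.compile(
    r"template=[^&]*?(?:<|%3[cC])vb(?::|%3[aA])if(?:%20| )condition="
)


def body_has_vb_conditional(body: str) -> bool:
    """True if a POST body's template parameter carries a <vb:if condition= conditional."""
    return _TEMPLATE_INJECT.search(body) is not None


# --- 2. Two-stage correlation over access-log lines (combined log format assumed) ---
STAGE1_PATH = "/ajax/api/ad/replaceAdTemplate"     # template injected here
STAGE2_PREFIX = "/ajax/render/ad_"                  # injected template rendered here

_LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str):
    """Parse one combined-format access-log line into a dict, or None if it does not match."""
    m = _LOG_LINE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop the query string
        "status": int(m["status"]),
    }


def find_two_stage(lines, window=timedelta(minutes=10)):
    """Return (ip, stage1_time, stage2_path) for every client that POSTs to
    replaceAdTemplate and then requests /ajax/render/ad_<name> within `window`.
    A POST with no follow-up render is not returned here; it is still worth counting
    for scanner-volume alerting, but this function looks for the full chain."""
    stage1 = defaultdict(list)
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["method"] == "POST" and ev["path"] == STAGE1_PATH:
            stage1[ev["ip"]].append(ev["ts"])
        elif ev["path"].startswith(STAGE2_PREFIX):
            for t in stage1[ev["ip"]]:
                if timedelta(0) <= ev["ts"] - t <= window:
                    hits.append((ev["ip"], t, ev["path"]))
                    break
    return hits


# --- 3. Version triage: listed affected ranges + the PHP 8.1+ precondition ---
AFFECTED_RANGES = [((5, 0, 0), (5, 7, 5)), ((6, 0, 0), (6, 0, 3))]


def _ver(s: str):
    return tuple(int(p) for p in s.split("."))


def in_affected_range(vb_version: str, php_version: str) -> bool:
    """True if vBulletin is inside a listed affected range AND PHP is 8.1 or later.
    Patch levels are not part of the dotted version string, so a patched 5.7.5 PL3
    still returns True: treat a True result as 'verify the patch level', not 'confirmed vulnerable'."""
    v = _ver(vb_version)
    in_range = any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)
    return in_range and _ver(php_version) >= (8, 1)


# Constructed sample log: one full chain (203.0.113.10), one benign render request,
# one POST that was rejected and never followed by a render.
SAMPLE_LOG = """\
203.0.113.10 - - [25/May/2025:10:01:02 +0000] "POST /ajax/api/ad/replaceAdTemplate HTTP/1.1" 200 512 "-" "python-requests/2.32"
203.0.113.10 - - [25/May/2025:10:01:05 +0000] "GET /ajax/render/ad_x HTTP/1.1" 200 88 "-" "python-requests/2.32"
198.51.100.7 - - [25/May/2025:10:02:00 +0000] "GET /ajax/render/ad_footer HTTP/1.1" 200 1337 "-" "Mozilla/5.0"
192.0.2.44 - - [25/May/2025:10:03:00 +0000] "POST /ajax/api/ad/replaceAdTemplate HTTP/1.1" 403 0 "-" "curl/8.5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, t, path in find_two_stage(SAMPLE_LOG):
        print(f"two-stage chain from {ip}: replaceAdTemplate at {t.isoformat()}, then {path}")
    print(body_has_vb_conditional("template=%3Cvb%3Aif%20condition=%221%22"))
    print(in_affected_range("5.7.5", "8.1.2"))
```

One thing the mirrored regex makes visible: because the rule matches the `=` after `condition` literally, a client that percent-encodes the whole value (so the body reads `condition%3D`) does not trigger it, while `<`, `:` and the space are accepted in both forms. Test the rule against the exact bodies your own scanners and honeypots see before relying on it alone, and pair it with the two-stage correlation, which needs no body at all.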

CVSS provenance

NVD:       v3.1  9.8   CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck:       10.0  CRITICAL