CVE-2025-48827
Published 2025-05-27
Priority P1 · 92 · critical · 9.8 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 69.65% (99.3th percentile)
vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later, as demonstrated by the /api.php?method=protectedMethod pattern, as exploited in the wild in May 2025.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vbulletin | vbulletin | 5.0.0 – 5.7.5 | — |
| vbulletin | vbulletin | 6.0.0 – 6.0.3 | — |
Detection & IOCs (extracted from sources)
- url: /ajax/api/ad/wrapAdTemplate
- path: ajax/api/ad/replaceAdTemplate
- path: ajax/render/ad_
Snort rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS vBulletin replaceAdTemplate Pre-Auth RCE (CVE-2025-48828 & CVE-2025-48827)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ajax/api/ad/replaceAdTemplate"; fast_pattern; http.request_body; content:"template|3d|"; pcre:"/^[^\x26]*?(?:\x3c|\x253[cC])vb(?:\x3a|\x253[aA])if(?:\x20|\x2520)condition\x3d/R"; reference:url,karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce; reference:cve,2025-48828; reference:cve,2025-48827; classtype:web-application-attack; sid:2062621; rev:1; metadata:affected_product vBulletin, attack_target Server, created_at 2025_05_29, cve CVE_2025_48828_CVE_2025_48827, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Critical, tag Exploit, updated_at 2025_05_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Monitor for unauthenticated POST requests to /ajax/api/ad/replaceAdTemplate; this is the primary exploitation endpoint observed in honeypot logs during active in-the-wild attacks in May 2025.
- Detect two-stage exploitation: first a POST to ajax/api/ad/replaceAdTemplate injecting a malicious template, followed by a second unauthenticated GET/POST to ajax/render/ad_<name> to trigger execution.
- Inspect the POST body for a template parameter containing vBulletin template conditional injection patterns (e.g., <vb:if condition=); the Snort PCRE targets URL-encoded variants as well (\x253c for <, \x253a for :).
- Attackers were observed attempting to deploy PHP backdoors to execute system commands; look for web shell creation events under the web server document root following exploitation of this endpoint.
- Nuclei templates for this CVE were publicly available from May 24, 2025; expect automated scanning activity and correlate high-volume unauthenticated POST requests to vBulletin AJAX endpoints.
- The Metasploit module targets vBulletin 5.1.0, 5.7.5, 6.0.1, and 6.0.3 on PHP 8.1+; use version fingerprinting to prioritize alerting on these specific version/runtime combinations.
- The vulnerability only manifests on PHP 8.1 or later due to a behavioral change in ReflectionMethod::invoke(); vBulletin instances running on PHP 8.0 or earlier are NOT affected by this specific bypass.
- The flaw was likely silently patched in vBulletin 6.x Patch Level 1 and 5.7.5 Patch Level 3 before public disclosure; many sites remained exposed because these patch levels were not applied.
- Active exploitation was confirmed only for CVE-2025-48827 (auth bypass / protected method invocation); the full RCE chain to CVE-2025-48828 had not been confirmed in the wild at the time of reporting, though it was considered highly likely.
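As an added example (not from this page or from any of the sources it aggregates), the two-stage correlation and the template-parameter check described in the bullets above, written in Python over constructed access-log lines; the combined log format, the 10-minute window and the sample addresses are assumptions, and the body check matches after URL-decoding instead of enumerating the encoded variants the Snort PCRE lists.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [29/May/2025:10:00:01 +0000] "POST /ajax/api/ad/replaceAdTemplate HTTP/1.1" 200 512 "-" "python-requests/2.32"
203.0.113.5 - - [29/May/2025:10:00:03 +0000] "GET /ajax/render/ad_example HTTP/1.1" 200 77 "-" "python-requests/2.32"
198.51.100.9 - - [29/May/2025:10:05:00 +0000] "GET /forum/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.9 - - [29/May/2025:10:05:04 +0000] "GET /ajax/render/ad_header HTTP/1.1" 200 77 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
STAGE1_PATH = "/ajax/api/ad/replaceAdTemplate"
STAGE2_RE = re.compile(r"^/ajax/render/ad_([A-Za-z0-9_]+)")
# Decoded-form equivalent of the Snort PCRE: parse_qs URL-decodes the value,
# so one pattern covers both the raw and the %-encoded (<, %3c, :, %3a) forms.
TEMPLATE_INJECTION_RE = re.compile(r"<vb:if\s+condition=", re.IGNORECASE)

def parse_line(line):
    """Split one combined-format line into (ip, time, method, path, status)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def body_has_template_injection(body):
    """True if a form body's 'template' parameter carries a vb:if conditional."""
    for value in parse_qs(body, keep_blank_values=True).get("template", []):
        if TEMPLATE_INJECTION_RE.search(value):
            return True
    return False

def correlate_two_stage(log_text, window=timedelta(minutes=10)):
    """(ip, name) pairs: POST to replaceAdTemplate then ad_<name> render within window."""
    stage1 = {}  # ip -> time of its last replaceAdTemplate POST
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method == "POST" and path.split("?")[0] == STAGE1_PATH:
            stage1[ip] = ts
            continue
        m = STAGE2_RE.match(path)
        if m and ip in stage1 and timedelta(0) <= ts - stage1[ip] <= window:
            hits.append((ip, m.group(1)))
    return hits
```

Access logs do not carry request bodies, so body_has_template_injection is meant for a proxy or WAF audit log that records them; the correlation alone works on plain web-server logs.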
CVSS provenance
- NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 10.0 CRITICAL
GHSA
GHSA-23fp-mrfv-cwv4: vBulletin 5
ghsa_unreviewed · 2025-05-27 · CVE-2025-48827 [CRITICAL] · CWE-424
vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later, as demonstrated by the /api.php?method=protectedMethod pattern.
VulnCheck
vBulletin vBulletin Improper Protection of Alternate Path
vulncheck · 2025 · CVSS 10.0 · CVE-2025-48827 [CRITICAL]
vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later, as demonstrated by the /api.php?method=protectedMethod pattern, as exploited in the wild in May 2025.
Affected: vBulletin vBulletin
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blog.kevintel.com/vbulletin-replaceadtemplate-kev/; https://www.cve.org/CVERecord?id=CVE-2025-48827; https://isc.sans.edu/diary/rss/32006; https://cyble.com/blog/weekly-cyble-vulnerability-blog/; https://falconfeeds.io/blogs/unmasking-handala-iran-cyber-t
Suricata
ET WEB_SPECIFIC_APPS vBulletin replaceAdTemplate Pre-Auth RCE (CVE-2025-48828 & CVE-2025-48827)
suricata · 2025-05-29 · CVSS 10.0 · CVE-2025-48828 [CRITICAL]
Rule: sid:2062621 rev:1, the same rule listed in full under Detection & IOCs above.
Nuclei
vBulletin 5.0.0-6.0.3 - Authentication Bypass
nuclei · CVSS 9.8 · CVE-2025-48827 [CRITICAL]
vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 contain an authentication bypass caused by unauthenticated access to protected API controllers on PHP 8.1 or later, letting unauthenticated attackers invoke protected methods remotely. Starting from PHP 8.1, due to an internal adjustment to the handling of ReflectionMethod::invoke() and similar methods, PHP's Reflection API now allows, by default, invocation of protected and private methods.
Template:
id: CVE-2025-48827
info:
  name: vBulletin 5.0.0-6.0.3 - Authentication Bypass
  author: pszyszkowski
  severity: critical
  description: |
    vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 contain an authentication bypass caused by unauthenticated access to protected API controllers o
Nuclei
vBulletin replaceAdTemplate - Remote Code Execution
nuclei · CVSS 9.8 · CVE-2025-48828 [CRITICAL]
vBulletin versions 5.0.0 through 6.0.3 contain a Remote Code Execution (RCE) vulnerability in the ajax/api/ad/replaceAdTemplate endpoint. This flaw arises from improper use of PHP's Reflection API, allowing unauthenticated attackers to invoke protected controller methods. By injecting a crafted conditional that executes arbitrary PHP code via passthru($_POST[]), and triggering it with a second request to ajax/render/ad_, attackers can run arbitrary commands on the server as the webserver user.
Template:
id: CVE-2025-48828
info:
  name: vBulletin replaceAdTemplate - Remote Code Execution
  author: DhiyaneshDK, Chocapikk
  severity: critical
  description: |
    vBulletin versions 5.0.0 through 6.0.3 contain a Remote Code Execution (RCE) vulnerabil
Metasploit
vBulletin replaceAdTemplate Remote Code Execution
metasploit
This module exploits a design flaw in vBulletin's AJAX API handler and template rendering system, present in versions 5.0.0 through 6.0.3. The vulnerability allows unauthenticated attackers to invoke protected controller methods via the ajax/api/ad/replaceAdTemplate endpoint, due to improper use of PHP's Reflection API in combination with changes in PHP 8.1+. Specifically, it targets the vB_Api_Ad::replaceAdTemplate() method to inject a template containing a conditional that evaluates attacker-supplied PHP using the "system"($_POST[]) construct. The malicious template is then executed via a second unauthenticated request to ajax/render/ad_. Successful exploitation results in arbitrary command execution as the webserver user, without authen