CVE-2025-48828
published 2025-05-27


Priority: P1 86 | Severity: high, CVSS 3.1 base score 8.1
CVSS vector: AV:N / AC:H / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 48.36% (98.7th percentile)
Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. By crafting template code in an alternative PHP function invocation syntax, such as the "var_dump"("test") syntax, attackers can bypass security checks and execute arbitrary PHP code, as exploited in the wild in May 2025.

Affected

1 range
Vendor     Product     Version range   Fixed in
vbulletin  vbulletin

Detection & IOCs (extracted from sources)

url: ajax/api/ad/replaceAdTemplate
url: ajax/render/ad_
command: passthru($_POST[])
command: "system"($_POST[])
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS vBulletin replaceAdTemplate Pre-Auth RCE (CVE-2025-48828 & CVE-2025-48827)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ajax/api/ad/replaceAdTemplate"; fast_pattern; http.request_body; content:"template|3d|"; pcre:"/^[^\x26]*?(?:\x3c|\x253[cC])vb(?:\x3a|\x253[aA])if(?:\x20|\x2520)condition\x3d/R"; reference:url,karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce; reference:cve,2025-48828; reference:cve,2025-48827; classtype:web-application-attack; sid:2062621; rev:1; metadata:affected_product vBulletin, attack_target Server, created_at 2025_05_29, cve CVE_2025_48828_CVE_2025_48827, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Critical, tag Exploit, updated_at 2025_05_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Monitor for POST requests to the /ajax/api/ad/replaceAdTemplate endpoint — this is the primary exploitation vector for unauthenticated RCE. No authentication is required.
  • Detect the two-stage exploit chain: first POST to ajax/api/ad/replaceAdTemplate injecting a malicious template, followed by a second POST to ajax/render/ad_<name> to trigger execution.
  • Inspect POST body for template parameter containing vBulletin conditional tags (e.g., <vb:if condition=) combined with PHP function invocation syntax such as "var_dump"("test") or "system"($_POST[]) to detect bypass of unsafe-function filters.
  • The Emerging Threats Snort rule (sid:2062621) uses a PCRE to match URL-encoded or literal <vb:if condition= patterns in the POST body of requests to /ajax/api/ad/replaceAdTemplate — deploy this rule at perimeter and internal sensors.
  • Attackers were observed attempting to deploy PHP backdoors to execute system commands — hunt for newly created PHP files in web-accessible directories following exploitation attempts.
  • Nuclei templates for this CVE have been available since May 24, 2025 — expect automated scanning at scale. Correlate spikes in POST requests to vBulletin AJAX endpoints with this date.
  • The vulnerability only manifests on PHP 8.1 or later due to Reflection API behavioral changes — scope detection and patching efforts to vBulletin instances running PHP 8.1+.
  • The vulnerability is only exploitable on PHP 8.1 or later. Instances running older PHP versions are not affected by this specific attack chain.
  • Active exploitation observed (CVE-2025-48827 endpoint access confirmed in honeypots) but full RCE chain (CVE-2025-48828) has not yet been confirmed as successfully chained in the wild as of reporting date.
  • The Nuclei detection template uses a max-request of 1 and checks for a two-step interaction; the second request to ajax/render/ad_<rand_string> is required to confirm RCE — single-request detections may miss the full chain.
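A small log-side detector for the two-stage chain described in the bullets above, added here as an example and not part of this record's sources or of the Emerging Threats rule: it URL-decodes the template parameter of replaceAdTemplate POSTs, looks for the <vb:if condition= tag and the quoted-function-name call form, and only reports a render POST as stage 2 when the same source already sent a flagged stage-1 POST. The request tuples, the /forum path prefix and the ad_ template name in the sample are constructed and assumed.

```python
import re
from urllib.parse import parse_qs

# <vb:if condition= in the decoded template; the ET rule above matches the same
# token sequence, literal or URL-encoded, before decoding.
VB_CONDITION_RE = re.compile(r"<vb:if\s+condition=", re.IGNORECASE)
# Quoted-function-name invocation form the record describes, e.g.
# "var_dump"("test") or "system"($_POST[]).
QUOTED_CALL_RE = re.compile(r"""["']\s*[A-Za-z_]\w*\s*["']\s*\(""")
STAGE1_PATH = "/ajax/api/ad/replaceAdTemplate"
STAGE2_MARK = "/ajax/render/ad_"

def inspect_stage1(method, path, body):
    """Findings for a replaceAdTemplate POST, or None for any other request."""
    if method != "POST" or not path.endswith(STAGE1_PATH):
        return None
    # parse_qs URL-decodes, so %3Cvb%3Aif and <vb:if are examined alike.
    template = parse_qs(body).get("template", [""])[0]
    return {"conditional": bool(VB_CONDITION_RE.search(template)),
            "quoted_call": bool(QUOTED_CALL_RE.search(template))}

def detect_chain(requests):
    """requests: (src_ip, method, path, body) tuples in arrival order.
    A render POST is reported as stage 2 only when the same source already
    sent a flagged stage-1 POST, as the last bullet above requires."""
    alerts, primed = [], set()
    for src, method, path, body in requests:
        s1 = inspect_stage1(method, path, body)
        if s1 is not None and s1["conditional"]:
            alerts.append((src, "stage1", "high" if s1["quoted_call"] else "medium"))
            primed.add(src)
        elif method == "POST" and STAGE2_MARK in path and src in primed:
            alerts.append((src, "stage2-chain", "critical"))
    return alerts

# Constructed sample traffic (not captured data); the first body is the
# URL-encoded form of <vb:if condition='"var_dump"("test")'>x</vb:if>; the
# /forum prefix and the ad_ template name are assumed.
SAMPLE = [
    ("10.0.0.5", "POST", "/forum/ajax/api/ad/replaceAdTemplate",
     "template=%3Cvb%3Aif%20condition%3D%27%22var_dump%22%28%22test%22%29"
     "%27%3Ex%3C%2Fvb%3Aif%3E&location=constructed"),
    ("10.0.0.5", "POST", "/forum/ajax/render/ad_constructed_name", "styleid=1"),
    ("10.0.0.9", "POST", "/forum/ajax/api/ad/replaceAdTemplate", "template=plain"),
    ("10.0.0.9", "POST", "/forum/ajax/render/ad_constructed_name", "styleid=1"),
]
```

Running detect_chain(SAMPLE) yields a stage1 alert and a stage2-chain alert for 10.0.0.5 only; the benign template from 10.0.0.9 does not prime its later render POST.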

CVSS provenance

nvd: v3.1 8.1 HIGH  CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.0 CRITICAL