CVE-2025-48828
Published: 2025-05-27
Priority: P1 · 86 · high · CVSS 3.1: 8.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 48.36% (98.7th percentile)
Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. By crafting template code in an alternative PHP function invocation syntax, such as the "var_dump"("test") syntax, attackers can bypass security checks and execute arbitrary PHP code, as exploited in the wild in May 2025.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vbulletin | vbulletin | — | — |
Detection & IOCs (extracted from sources)
- url: ajax/render/ad_
- command: passthru($_POST[])
- snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS vBulletin replaceAdTemplate Pre-Auth RCE (CVE-2025-48828 & CVE-2025-48827)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ajax/api/ad/replaceAdTemplate"; fast_pattern; http.request_body; content:"template|3d|"; pcre:"/^[^\x26]*?(?:\x3c|\x253[cC])vb(?:\x3a|\x253[aA])if(?:\x20|\x2520)condition\x3d/R"; reference:url,karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce; reference:cve,2025-48828; reference:cve,2025-48827; classtype:web-application-attack; sid:2062621; rev:1; metadata:affected_product vBulletin, attack_target Server, created_at 2025_05_29, cve CVE_2025_48828_CVE_2025_48827, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Critical, tag Exploit, updated_at 2025_05_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Monitor for POST requests to the /ajax/api/ad/replaceAdTemplate endpoint: this is the primary exploitation vector for the unauthenticated RCE, and no authentication is required.
- Detect the two-stage exploit chain: a first POST to ajax/api/ad/replaceAdTemplate injecting a malicious template, followed by a second POST to ajax/render/ad_<name> that triggers execution.
- Inspect the POST body for a template parameter containing vBulletin conditional tags (e.g. <vb:if condition=) combined with PHP function invocation syntax such as "var_dump"("test") or "system"($_POST[]), which indicates a bypass of the unsafe-function filter.
- The Emerging Threats Snort rule (sid:2062621) uses a PCRE to match literal or URL-encoded <vb:if condition= patterns in the POST body of requests to /ajax/api/ad/replaceAdTemplate; deploy it on perimeter and internal sensors.
- Attackers were observed attempting to deploy PHP backdoors to execute system commands; hunt for newly created PHP files in web-accessible directories following exploitation attempts.
- Nuclei templates for this CVE have been available since May 24, 2025, so expect automated scanning at scale; correlate spikes in POST requests to vBulletin AJAX endpoints with this date.
- The vulnerability only manifests on PHP 8.1 or later because of Reflection API behavioural changes; scope detection and patching efforts to vBulletin instances running PHP 8.1+.
- The vulnerability is only exploitable on PHP 8.1 or later; instances running older PHP versions are not affected by this specific attack chain.
- Active exploitation has been observed (CVE-2025-48827 endpoint access confirmed in honeypots), but the full RCE chain (CVE-2025-48828) had not yet been confirmed as successfully chained in the wild as of the reporting date.
- The Nuclei detection template uses a max-request of 1 and checks for a two-step interaction; the second request to ajax/render/ad_<rand_string> is required to confirm RCE, so single-request detections may miss the full chain.
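The two-stage correlation the notes above call for, run over constructed access-log records as an added example (not code from any source quoted on this page). The log format is assumed; the regex is a broader variant of the Snort rule's PCRE that also accepts the '+' and %3D form-encodings, and the pairing window of five minutes is an arbitrary choice.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

STAGE1_URI = "/ajax/api/ad/replaceAdTemplate"
# Conditional inside the 'template' field, literal or URL-encoded. Broader than the Snort
# PCRE above: also accepts '+' for space and %3D for '=', as form-encoding emits them.
CONDITIONAL_RE = re.compile(
    r"(?:<|%3[cC])vb(?::|%3[aA])if(?: |%20|\+)condition(?:=|%3[dD])", re.IGNORECASE)
STAGE2_RE = re.compile(r"^/ajax/render/ad_\w+")  # stage 2: render triggers execution

# Constructed sample records (assumed format): client|timestamp|method|uri|body
SAMPLE_LOG = [
    "203.0.113.10|2025-05-29T10:00:01|POST|/ajax/api/ad/replaceAdTemplate|"
    "location=ad_test&template=%3Cvb%3Aif+condition%3D%22x%22%3Ehello%3C%2Fvb%3Aif%3E",
    "203.0.113.10|2025-05-29T10:00:03|POST|/ajax/render/ad_test|",
    "198.51.100.7|2025-05-29T10:06:00|POST|/ajax/api/ad/replaceAdTemplate|template=plain+banner",
    "192.0.2.5|2025-05-29T11:00:00|POST|/ajax/render/ad_legit|",
    "203.0.113.10|2025-05-29T10:30:00|POST|/ajax/render/ad_test|",  # too late to pair up
]

def parse_line(line):
    client, ts, method, uri, body = line.split("|", 4)
    return client, datetime.fromisoformat(ts), method, uri, body

def template_param(body):
    """Raw value of the 'template' form field, or None if absent."""
    for field in body.split("&"):
        if field.startswith("template="):
            return field[len("template="):]
    return None

def detect_chain(lines, window=timedelta(minutes=5)):
    """Return (client, stage1_ts, stage2_ts, uri) for each ad_ render that follows a
    suspicious replaceAdTemplate POST from the same client within `window`."""
    injected = defaultdict(list)  # client -> timestamps of stage-1 hits
    findings = []
    for line in lines:
        client, ts, method, uri, body = parse_line(line)
        if method != "POST":
            continue
        if uri == STAGE1_URI:
            tpl = template_param(body)
            if tpl is not None and CONDITIONAL_RE.search(tpl):
                injected[client].append(ts)
        elif STAGE2_RE.match(uri):
            for t1 in injected[client]:
                if timedelta(0) <= ts - t1 <= window:
                    findings.append((client, t1, ts, uri))
    return findings
```

A stage-1 hit with no follow-up render is still worth an alert on its own; the pairing only raises confidence that the chain completed.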
CVSS provenance
- NVD (v3.1): 8.1 HIGH, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 9.0 CRITICAL
GHSA
GHSA-58pj-rcxg-3vhg (ghsa_unreviewed · 2025-05-27): CVE-2025-48828 [CRITICAL] CWE-424. Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine.
Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. By crafting template code in an alternative PHP function invocation syntax, such as the "var_dump"("test") syntax, attackers can bypass security checks and execute arbitrary PHP code.
VulnCheck
CVE-2025-48828 [CRITICAL] vBulletin vBulletin Improper Protection of Alternate Path (vulncheck · 2025 · CVSS 9.0)
Affected: vBulletin vBulletin
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blog.kevintel.com/vbulletin-replaceadtemplate-kev/; https://www.cve.org/CVERecord?id=CVE-2025-48828; https://isc.sans.edu/diary/rss/32006; https://falconfeeds.io
VulnCheck
CVE-2009-1862 [HIGH] CWE-94 Adobe Acrobat and Reader, Flash Player Unspecified Vulnerability (vulncheck · 2009 · CVSS 7.8)
Adobe Acrobat and Reader and Adobe Flash Player allows remote attackers to execute code or cause denial-of-service (DoS).
Affected: Adobe Acrobat and Reader, Flash Player
Required Action: For Adobe Acrobat and Reader, apply updates per vendor instructions. For Adobe Flash Player, the impacted product is end-of-life and should be disconnected if still in use.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2009-1862; https://www.zscaler.com/blogs/security-research/wild-flash-exploit-analysis-part-1; https://www.virusbulletin.com/virusbulletin/2010/05/exploit-kit-explosion-part-two-vectors-attack/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://threatprotect.qualys
Suricata
CVE-2025-48828 [CRITICAL] ET WEB_SPECIFIC_APPS vBulletin replaceAdTemplate Pre-Auth RCE (CVE-2025-48828 & CVE-2025-48827) (suricata · 2025-05-29 · CVSS 10.0)
Rule: sid:2062621, quoted in full under Detection & IOCs above.
Nuclei
CVE-2025-48828 [CRITICAL] vBulletin replaceAdTemplate - Remote Code Execution (nuclei · CVSS 9.8)
vBulletin versions 5.0.0 through 6.0.3 contain a Remote Code Execution (RCE) vulnerability in the ajax/api/ad/replaceAdTemplate endpoint. This flaw arises from improper use of PHP's Reflection API, allowing unauthenticated attackers to invoke protected controller methods. By injecting a crafted conditional that executes arbitrary PHP code via passthru($_POST[]), and triggering it with a second request to ajax/render/ad_, attackers can run arbitrary commands on the server as the webserver user.
Template:
id: CVE-2025-48828
info:
  name: vBulletin replaceAdTemplate - Remote Code Execution
  author: DhiyaneshDK, Chocapikk
  severity: critical
  description: |
    vBulletin versions 5.0.0 through 6.0.3 contain a Remote Code Execution (RCE) vulnerabil
Metasploit
vBulletin replaceAdTemplate Remote Code Execution (metasploit)
This module exploits a design flaw in vBulletin's AJAX API handler and template rendering system, present in versions 5.0.0 through 6.0.3. The vulnerability allows unauthenticated attackers to invoke protected controller methods via the ajax/api/ad/replaceAdTemplate endpoint, due to improper use of PHP's Reflection API in combination with changes in PHP 8.1+. Specifically, it targets the vB_Api_Ad::replaceAdTemplate() method to inject a template containing a conditional that evaluates attacker-supplied PHP using the "system"($_POST[]) construct. The malicious template is then executed via a second unauthenticated request to ajax/render/ad_. Successful exploitation results in arbitrary command execution as the webserver user, without authen
Bleepingcomputer
Hackers are exploiting critical flaw in vBulletin forum software (blogs_bleepingcomputer · 2025-05-30 · CVSS 10.0; tagged CVE-2025-48827 [CRITICAL])
By Bill Toulas
Two critical vulnerabilities affecting the open-source forum software vBulletin have been discovered, with one confirmed to be actively exploited in the wild.
The flaws, tracked under CVE-2025-48827 and CVE-2025-48828 and rated critical (CVSS v3 scores 10.0 and 9.0 respectively), are an API method invocation flaw and a remote code execution (RCE) via template engine abuse.
They impact vBulletin versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 when the platform runs on PHP 8.1 or later.
The vulnerabilities were likely patched quietly last year with the release of Patch Level 1 for all versions of the 6.* release branch, and version 5.7.5 Patch Level 3, but many sites remained exposed due to not up
Greynoiseio
NoiseLetter June 2025 (blogs_greynoiseio)