CVE-2015-7808

EXPLOITED IN THE WILD

vBulletin 5 Connect <5.1.9 - Code Injection

Title source: llm

Exploitation Summary

CVE-2015-7808 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 5 public exploits from researchers including Mohammad Reza Espargham, hhjj, Metasploit, including a Metasploit module exploits/multi/http/vbulletin_unserialize.

AI-analyzed exploit summary This exploit leverages a PHP object injection vulnerability in vBulletin 5.x via the `/ajax/api/hook/decodeArguments` endpoint. It achieves remote code execution by manipulating serialized objects to execute arbitrary system commands.

Description

The vB_Api_Hook::decodeArguments method in vBulletin 5 Connect 5.1.2 through 5.1.9 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object in the arguments parameter to ajax/api/hook/decodeArguments.

Exploits (5)

exploitdb WORKING POC VERIFIED

by Mohammad Reza Espargham · perlwebappsphp

https://www.exploit-db.com/exploits/38790

View Code ZIP pw:eip

This exploit leverages a PHP object injection vulnerability in vBulletin 5.x via the `/ajax/api/hook/decodeArguments` endpoint. It achieves remote code execution by manipulating serialized objects to execute arbitrary system commands.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: vBulletin 5.x

No auth needed

Prerequisites: Target must be running vBulletin 5.x with the vulnerable endpoint exposed

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by hhjj · textwebappsphp

https://www.exploit-db.com/exploits/38629

View Code ZIP pw:eip

This exploit leverages a PHP object injection vulnerability in vBulletin 5.1.x via the `decodeArguments` endpoint. It constructs a serialized payload that triggers the `__destruct` method of `vB_dB_Result`, leading to arbitrary method execution (e.g., `phpinfo`).

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: vBulletin 5.1.x

No auth needed

Prerequisites: Access to the `/ajax/api/hook/decodeArguments` endpoint

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC

by Metasploit · rubywebappsphp

https://www.exploit-db.com/exploits/48761

View Code ZIP pw:eip

This Metasploit module exploits a PHP object injection vulnerability in vBulletin 5.1.2 to 5.1.9 via deserialization in the 'ajax/api/hook/decodeArguments' endpoint. It leverages the 'vB_dB_Result' class to execute arbitrary PHP code through the 'assert' function.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: vBulletin 5.0.X to 5.1.9

No auth needed

Prerequisites: vBulletin instance with vulnerable version · network access to the target

MITRE ATT&CK

T1189 - Drive-by Compromise T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 1 stars

by Prajithp · remote

https://github.com/Prajithp/CVE-2015-7808

View Code ZIP pw:eip

This repository contains a functional Perl exploit for CVE-2015-7808, a pre-authentication PHP object injection vulnerability in vBulletin. The exploit leverages unsafe deserialization in the `vB_dB_Result` class to execute arbitrary commands via the `assert` function.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: vBulletin (versions affected by CVE-2015-7808)

No auth needed

Prerequisites: Target must be running a vulnerable version of vBulletin · Perl environment to execute the script

MITRE ATT&CK

T1189 - Drive-by Compromise T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 18, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by Netanel Rubin, cutz, Julien (jvoisin) Voisin · rubypocphp

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/vbulletin_unserialize.rb

View Code ZIP pw:eip

This Metasploit module exploits a PHP object injection vulnerability in vBulletin 5.1.2 to 5.1.9 via unsafe unserialize in the 'decodeArguments' endpoint. It chains gadgets to achieve remote code execution by leveraging the 'vB_dB_Result' and 'vB_Database' classes.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: vBulletin 5.0.X - 5.1.X

No auth needed

Prerequisites: Target running vulnerable vBulletin version · Network access to the target

MITRE ATT&CK

T1189 - Drive-by Compromise T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6

Core References

Exploit exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/38629/

Exploit x_refsource_misc

http://pastie.org/pastes/10527766/text?key=wq1hgkcj4afb9ipqzllsq

Exploit x_refsource_misc

http://packetstormsecurity.com/files/134331/vBulletin-5.1.2-Unserialize-Code-Execution.html

Exploit x_refsource_misc

https://blog.sucuri.net/2015/11/vbulletin-exploits-in-the-wild.html

Exploit x_refsource_misc

http://blog.checkpoint.com/2015/11/05/check-point-discovers-critical-vbulletin-0-day/

Exploit x_refsource_misc

http://www.rapid7.com/db/modules/exploit/multi/http/vbulletin_unserialize

Scores

EPSS 0.7904

EPSS Percentile 99.1%

Details

VulnCheck KEV 2021-04-12

InTheWild.io 2021-04-12

CWE

CWE-20

Status published

Products (16)

vbulletin/vbulletin 5.0.0

vbulletin/vbulletin 5.0.1

vbulletin/vbulletin 5.0.2

vbulletin/vbulletin 5.0.3

vbulletin/vbulletin 5.0.4

vbulletin/vbulletin 5.0.5

vbulletin/vbulletin 5.1.0 (2 CPE variants)

vbulletin/vbulletin 5.1.1

vbulletin/vbulletin 5.1.2 (4 CPE variants)

vbulletin/vbulletin 5.1.3 (2 CPE variants)

... and 6 more

Published Nov 24, 2015

Tracked Since Feb 18, 2026