CVE-2025-48827

CRITICAL EXPLOITED NUCLEI

vBulletin 5.0.0-5.7.5 and 6.0.0-6.0.3 - Unauthenticated API Controller Method Invocation

Title source: llm

Exploitation Summary

CVE-2025-48827 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 4 public exploits, from researchers including 0xgh057r3c0n, SystemVll, and wiseep, as well as a Metasploit module, exploits/multi/http/vbulletin_replace_ad_template_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2025-48827, targeting vBulletin's ajax/api/ad/replaceAdTemplate endpoint. The exploit leverages improper PHP Reflection API usage to inject a malicious template, enabling unauthenticated RCE via crafted <vb:if> conditionals and subsequent command execution through ajax/render/ad_<location>.

Description

vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later, as demonstrated by the /api.php?method=protectedMethod pattern, as exploited in the wild in May 2025.

Exploits (4)

nomisec WORKING POC 11 stars
by 0xgh057r3c0n · remote
https://github.com/0xgh057r3c0n/CVE-2025-48827

This repository contains a functional exploit for CVE-2025-48827, targeting vBulletin's ajax/api/ad/replaceAdTemplate endpoint. The exploit leverages improper PHP Reflection API usage to inject a malicious template, enabling unauthenticated RCE via crafted <vb:if> conditionals and subsequent command execution through ajax/render/ad_<location>.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: vBulletin 5.0.0 through 6.0.3
No auth needed
Prerequisites: Target running vulnerable vBulletin version · Network access to the target
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 1 stars
by SystemVll · remote
https://github.com/SystemVll/CVE-2025-48827

This repository contains a functional Python-based exploit for CVE-2025-48827, an authentication bypass vulnerability in vBulletin 5.0.0–5.7.5 and 6.0.0–6.0.3 running on PHP 8.1+. The exploit sends a crafted request to the `/ajax/api/ad/wrapAdTemplate` endpoint to confirm vulnerability.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: vBulletin 5.0.0–5.7.5, 6.0.0–6.0.3
No auth needed
Prerequisites: Target running vulnerable vBulletin version on PHP 8.1+ · Network access to the target
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by wiseep · remote
https://github.com/wiseep/CVE-2025-48827

This repository contains a functional exploit for CVE-2025-48827, targeting vBulletin versions 5.0.0-5.7.5 and 6.0.0-6.0.3 with PHP 8.1. The exploit automates detection, RCE testing, and shell upload via a crafted template injection in the 'ajax/api/ad/replaceAdTemplate' endpoint.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: vBulletin 5.0.0-5.7.5, 6.0.0-6.0.3
No auth needed
Prerequisites: Target running vulnerable vBulletin version · Network access to the target
devstral-2 · analyzed Feb 18, 2026

metasploit WORKING POC EXCELLENT
by Egidio Romano (EgiX), Valentin Lobstein · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/vbulletin_replace_ad_template_rce.rb

This Metasploit module exploits a design flaw in vBulletin's AJAX API handler and template rendering system, allowing unauthenticated attackers to execute arbitrary commands via template injection and reflection API misuse. It targets versions 5.0.0 through 6.0.3, leveraging PHP 8.1+ behaviors to achieve RCE.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: vBulletin 5.0.0-6.0.3
No auth needed
Prerequisites: vBulletin installation with vulnerable AJAX API endpoint · PHP 8.1+ environment
devstral-2 · analyzed Apr 24, 2026

Nuclei Templates (1)

vBulletin 5.0.0-6.0.3 - Authentication Bypass
CRITICAL · VERIFIED · by pszyszkowski
Shodan: http.component:"vBulletin"
FOFA: app="vBulletin"

Scores

CVSS v3 10.0
EPSS 0.7763
EPSS Percentile 99.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2025-05-26
CWE CWE-424
Status published
Products (1)
vbulletin/vbulletin 5.0.0 - 5.7.5
Published May 27, 2025
Tracked Since Feb 18, 2026