CVE-2025-48827

CRITICAL EXPLOITED NUCLEI

vBulletin <6.0.3 - RCE

Description

vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later, as demonstrated by the /api.php?method=protectedMethod pattern, as exploited in the wild in May 2025.

Exploits (4)

nomisec WORKING POC 11 stars
by 0xgh057r3c0n · remote
https://github.com/0xgh057r3c0n/CVE-2025-48827
nomisec WORKING POC 1 star
by SystemVll · remote
https://github.com/SystemVll/CVE-2025-48827
nomisec WORKING POC
by wiseep · remote
https://github.com/wiseep/CVE-2025-48827
metasploit WORKING POC EXCELLENT
by Egidio Romano (EgiX), Valentin Lobstein · ruby poc win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/vbulletin_replace_ad_template_rce.rb

Nuclei Templates (1)

vBulletin 5.0.0-6.0.3 - Authentication Bypass
CRITICAL VERIFIED by pszyszkowski
Shodan: http.component:"vBulletin"
FOFA: app="vBulletin"

Scores

CVSS v3 10.0
EPSS 0.7763
EPSS Percentile 99.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Details

VulnCheck KEV 2025-05-26
CWE CWE-424
Status published
Products (1)
vbulletin/vbulletin 5.0.0 - 5.7.5
Published May 27, 2025
Tracked Since Feb 18, 2026