CVE-2025-48828

CRITICAL · EXPLOITED · NUCLEI

vBulletin Template Conditionals - PHP Code Execution

Title source: manual

Exploitation Summary

CVE-2025-48828 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including ill-deed, Egidio Romano (EgiX) and Valentin Lobstein, among them a Metasploit module, exploits/multi/http/vbulletin_replace_ad_template_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary

This repository contains a functional Python scanner/exploit for CVE-2025-48828, an unauthenticated RCE vulnerability in vBulletin via the `replaceAdTemplate` endpoint. The script automates template injection and command execution, confirming vulnerability by executing the `id` command.

Description

Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. By crafting template code in an alternative PHP function invocation syntax, such as the "var_dump"("test") syntax, attackers can bypass security checks and execute arbitrary PHP code, as exploited in the wild in May 2025.

Exploits (2)

nomisec WORKING POC
by ill-deed · remote
https://github.com/ill-deed/vBulletin-CVE-2025-48828-Multi-target

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: vBulletin (versions using ajax/api/ad/replaceAdTemplate)
No auth needed
Prerequisites: Target must be running vulnerable vBulletin version · Access to the `ajax/api/ad/replaceAdTemplate` endpoint
devstral-2 · analyzed Feb 18, 2026
metasploit WORKING POC EXCELLENT
by Egidio Romano (EgiX), Valentin Lobstein · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/vbulletin_replace_ad_template_rce.rb

This Metasploit module exploits a design flaw in vBulletin's AJAX API handler and template rendering system, allowing unauthenticated RCE via template injection and PHP code execution. It targets versions 5.0.0 through 6.0.3 by leveraging PHP's Reflection API and PHP 8.1+ changes.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: vBulletin 5.0.0 to 6.0.3
No auth needed
Prerequisites: vBulletin instance with vulnerable version · PHP 8.1+ environment
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

vBulletin replaceAdTemplate - Remote Code Execution
CRITICAL · VERIFIED · by DhiyaneshDK, Chocapikk
Shodan: http.component:"vBulletin"
FOFA: app="vBulletin"

Scores

CVSS v3 9.0
EPSS 0.7368
EPSS Percentile 98.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

VulnCheck KEV 2025-05-26
CWE
CWE-424
Status published
Products (1)
vbulletin/vbulletin 6.0.3
Published May 27, 2025
Tracked Since Feb 18, 2026