Threat Actors Actively Exploiting Critical vBulletin Vulnerability in the Wild
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
A critical, unauthenticated remote code execution vulnerability in vBulletin forum software is now being actively exploited.
The vulnerability, which impacts vBulletin versions 5.0.0 through 6.0.3, has been assigned CVE-2025-48827 and CVE-2025-48828 and is now being actively targeted by threat actors, marking it as a Known Exploited Vulnerability (KEV).
Despite patches being available for over a year, numerous installations remain vulnerable, creating an attractive target for malicious actors seeking to compromise web forums.
vBulletin Remote Code Execution Flaw
The vulnerability centers around the replaceAdTemplate functionality in vBulletin’s AJAX API endpoint, specifically targeting the path ajax/api/ad/replaceAdTemplate.
This unauthenticated remote code execution (RCE) flaw allows attackers to execute arbitrary commands on vulnerable servers without requiring any authentication credentials.
The vulnerability was originally disclosed by Karma(In)Security on May 23, 2025, complete with a proof-of-concept (PoC) exploit.
The technical implementation of the exploit involves injecting malicious vBulletin template syntax into HTTP POST requests.
The payload structure utilizes vBulletin’s conditional template system, with attackers leveraging the following code pattern:
This payload effectively creates a backdoor mechanism that allows remote command execution through the passthru() PHP function, enabling attackers to execute system commands on the underlying server infrastructure.
Organizations running unpatched versions face significant risk, as the vulnerability affects a broad range of vBulletin installations.
The patched versions include vBulletin 6.0.3 Patch Level 1, vBulletin 6.0.2 Patch Level 1, vBulletin 6.0.1 Patch Level 1, and vBulletin 5.7.5 Patch Level 3. The current secure version is vBulletin 6.1.1, which remains unaffected by this vulnerability.
CVEs Affected Products Impact Exploit Prerequisites CVSS 3.1 Score CVE-2025-48827
CVE-2025-48828vBulletin 5.0.0 – 6.0.3 (unpatched versions)Remote Code Execution (RCE)Unauthenticated access to vulnerable endpoint9.8 (Critical)
Active Exploitation
Cybersecurity researcher Ryan Dewhurst has documented concrete evidence of threat actors exploiting this vulnerability in production environments.
Honeypot data analysis revealed multiple exploitation attempts originating from IP address 195.3.221.137, based in Poland.
The attacks were first detected on May 26, 2025, with four distinct exploitation attempts recorded between 08:23:28.193 UTC and 08:24:33.429 UTC.
The attackers employed a standardized approach, utilizing a User-Agent header that mimics legitimate browser traffic:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.140 Safari/537.36.
This obfuscation technique helps the malicious requests blend in with normal web traffic, making detection more challenging for security monitoring systems.
Additional confirmation comes from the SANS Internet Storm Center dshield logs, which documented reconnaissance probes targeting the vulnerable endpoint beginning May 25, 2025.
The rapid progression from vulnerability disclosure to active exploitation demonstrates the speed at which threat actors can weaponize publicly available security research, particularly when Nuclei templates become available for automated scanning tools.
The initial patch was released by vBulletin on April 1, 2024, more than a year before public disclosure.
However, the vulnerability remained dormant until Karma(In)Security published their research on May 23, 2025, followed immediately by the creation of automated exploitation tools.
The rapid escalation included a Nuclei template release, enabling automated vulnerability scanning across internet-facing vBulletin installations.
Within 48 hours, security researchers observed both reconnaissance activities and active exploitation attempts, highlighting the critical importance of timely patch management for web-facing applications.
Organizations should immediately audit their vBulletin installations and apply available security updates to prevent compromise.
#Cyber_Security #Cyber_Security_News #Threats #Vulnerability #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
Threat Actors Actively Exploiting Critical vBulletin Vulnerability in the Wild
Author: KaaviyaA critical, unauthenticated remote code execution vulnerability in vBulletin forum software is now being actively exploited.
The vulnerability, which impacts vBulletin versions 5.0.0 through 6.0.3, has been assigned CVE-2025-48827 and CVE-2025-48828 and is now being actively targeted by threat actors, marking it as a Known Exploited Vulnerability (KEV).
Despite patches being available for over a year, numerous installations remain vulnerable, creating an attractive target for malicious actors seeking to compromise web forums.
vBulletin Remote Code Execution Flaw
The vulnerability centers around the replaceAdTemplate functionality in vBulletin’s AJAX API endpoint, specifically targeting the path ajax/api/ad/replaceAdTemplate.
This unauthenticated remote code execution (RCE) flaw allows attackers to execute arbitrary commands on vulnerable servers without requiring any authentication credentials.
The vulnerability was originally disclosed by Karma(In)Security on May 23, 2025, complete with a proof-of-concept (PoC) exploit.
The technical implementation of the exploit involves injecting malicious vBulletin template syntax into HTTP POST requests.
The payload structure utilizes vBulletin’s conditional template system, with attackers leveraging the following code pattern:
This payload effectively creates a backdoor mechanism that allows remote command execution through the passthru() PHP function, enabling attackers to execute system commands on the underlying server infrastructure.
Organizations running unpatched versions face significant risk, as the vulnerability affects a broad range of vBulletin installations.
The patched versions include vBulletin 6.0.3 Patch Level 1, vBulletin 6.0.2 Patch Level 1, vBulletin 6.0.1 Patch Level 1, and vBulletin 5.7.5 Patch Level 3. The current secure version is vBulletin 6.1.1, which remains unaffected by this vulnerability.
CVEs Affected Products Impact Exploit Prerequisites CVSS 3.1 Score CVE-2025-48827
CVE-2025-48828vBulletin 5.0.0 – 6.0.3 (unpatched versions)Remote Code Execution (RCE)Unauthenticated access to vulnerable endpoint9.8 (Critical)
Active Exploitation
Cybersecurity researcher Ryan Dewhurst has documented concrete evidence of threat actors exploiting this vulnerability in production environments.
Honeypot data analysis revealed multiple exploitation attempts originating from IP address 195.3.221.137, based in Poland.
The attacks were first detected on May 26, 2025, with four distinct exploitation attempts recorded between 08:23:28.193 UTC and 08:24:33.429 UTC.
The attackers employed a standardized approach, utilizing a User-Agent header that mimics legitimate browser traffic:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.140 Safari/537.36.
This obfuscation technique helps the malicious requests blend in with normal web traffic, making detection more challenging for security monitoring systems.
Additional confirmation comes from the SANS Internet Storm Center dshield logs, which documented reconnaissance probes targeting the vulnerable endpoint beginning May 25, 2025.
The rapid progression from vulnerability disclosure to active exploitation demonstrates the speed at which threat actors can weaponize publicly available security research, particularly when Nuclei templates become available for automated scanning tools.
The initial patch was released by vBulletin on April 1, 2024, more than a year before public disclosure.
However, the vulnerability remained dormant until Karma(In)Security published their research on May 23, 2025, followed immediately by the creation of automated exploitation tools.
The rapid escalation included a Nuclei template release, enabling automated vulnerability scanning across internet-facing vBulletin installations.
Within 48 hours, security researchers observed both reconnaissance activities and active exploitation attempts, highlighting the critical importance of timely patch management for web-facing applications.
Organizations should immediately audit their vBulletin installations and apply available security updates to prevent compromise.
#Cyber_Security #Cyber_Security_News #Threats #Vulnerability #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
