vBulletin replaceAdTemplate - Remote Code Execution
Short Info:
- Level: Critical
- Single Scan: Single Scan
- Can be used by: Asset Owner
- Estimated Time: 10 seconds
- Time Interval: 1 week 7 hours
- Scan only one: Domain, Subdomain, IPv4
- Toolbox: -
vBulletin versions 5.0.0 through 6.0.3 contain a Remote Code Execution (RCE) vulnerability in the ajax/api/ad/replaceAdTemplate endpoint. This flaw arises from improper use of PHP's Reflection API, allowing unauthenticated attackers to invoke protected controller methods. By injecting a crafted
References:
- https://karmainsecurity.com/pocs/vBulletin-replaceAdTemplate-RCE.php
- https://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce
- https://nvd.nist.gov/vuln/detail/CVE-2025-48827
- https://nvd.nist.gov/vuln/detail/CVE-2025-48828
Remediation:
Upgrade to vBulletin 6.0.4+ and apply the official patch to restrict access to protected controller methods and secure the ajax/api/ad/replaceAdTemplate endpoint.