Unauthenticated protected API method invocation in vBulletin on PHP 8.1+
CVE-2025-48827 affects vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 when deployed on PHP 8.1 or later. Due to misuse of PHP's Reflection API in combination with behavior changes introduced in PHP 8.1, unauthenticated attackers can invoke protected API controller methods that should not be externally reachable. The issue is exposed through request patterns such as /api.php?method=protectedMethod and has also been observed against endpoints such as ajax/api/ad/replaceAdTemplate. This access-control failure can expose privileged internal functionality to unauthenticated users and, in documented exploit chains, can be paired with template-related functionality to progress toward remote code execution. The vulnerability was reported as exploited in the wild in May 2025.
Exploits
3 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
This repository provides a proof-of-concept exploit for CVE-2025-48827, a critical authentication bypass vulnerability in vBulletin versions 5.0.0–5.7.5 and 6.0.0–6.0.3 running on PHP 8.1 or later. The exploit is implemented in Python (main.py) and is designed to be run from the command line, taking a file of target URLs as input. It checks each target for vBulletin indicators, then attempts to access the protected API endpoint '/ajax/api/ad/wrapAdTemplate' without authentication. If the endpoint is accessible and responds as expected, the target is considered vulnerable. The exploit demonstrates the ability to invoke protected API methods remotely, which could lead to remote code execution and full system compromise. The repository includes a README with detailed usage instructions, remediation advice, and dependency information. No hardcoded IPs or domains are present; the exploit is generic and targets user-supplied URLs.
This repository contains a Python exploit script (CVE-2025-48827.py) and a README.md. The exploit targets vBulletin installations (versions 5.0.0 - 5.7.5 and 6.0.0 - 6.0.3) running on PHP 8.1, exploiting a remote code execution (RCE) vulnerability (CVE-2025-48827). The script can scan single or multiple targets (from a file), detect vBulletin installations, check for the vulnerability, and if successful, upload a PHP webshell (shell.php) to the target. The webshell allows arbitrary command execution via HTTP GET requests. The exploit is multithreaded for efficiency and provides progress feedback. The main attack vector is network-based, targeting specific vBulletin AJAX endpoints. The repository is operational and provides a working exploit with a functional payload.
This repository contains an operational exploit for a remote code execution (RCE) vulnerability in vBulletin versions 5.0.0 through 6.0.3, specifically targeting the 'ajax/api/ad/replaceAdTemplate' endpoint. The exploit consists of a Python script (vbulletin.py) and a Nuclei YAML template (vbulletin-replacead-rce.yaml). The Python script automates the exploitation process: it injects a malicious template via a POST request to the vulnerable endpoint, then uses another endpoint ('ajax/render/ad_rce') to trigger the payload and drop a PHP web shell ('shell.php') on the target server. The script provides an interactive shell for the attacker, allowing arbitrary command execution as the web server user. The YAML file is a detection template for the same vulnerability, suitable for use with the Nuclei scanner. The exploit does not require authentication and is effective against unpatched vBulletin installations within the affected version range. The repository is well-structured, with clear separation between the exploit code and detection template.
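For defenders, the request patterns named in the description and in the exploit summaries above can be searched for in web server access logs. The following is an added example, not code from any of the listed repositories: it scans combined-format log lines for those patterns and separates isolated probes from a client that completed the template-write, render, and web shell sequence. The log lines are constructed sample data, the stage names are hypothetical labels, and "ad_rce" and "shell.php" are names chosen by one public exploit, so they are weak indicators on their own.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in combined log format (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.10 - - [27/May/2025:10:01:02 +0000] "POST /ajax/api/ad/replaceAdTemplate HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.10 - - [27/May/2025:10:01:03 +0000] "POST /ajax/render/ad_rce HTTP/1.1" 200 87 "-" "python-requests/2.31"
203.0.113.10 - - [27/May/2025:10:01:05 +0000] "GET /shell.php HTTP/1.1" 200 54 "-" "python-requests/2.31"
198.51.100.7 - - [27/May/2025:10:02:00 +0000] "GET /forum/ajax/api/ad/wrapAdTemplate HTTP/1.1" 403 0 "-" "curl/8.5"
192.0.2.44 - - [27/May/2025:10:03:00 +0000] "GET /api.php?method=protectedMethod HTTP/1.1" 200 20 "-" "Mozilla/5.0"
192.0.2.50 - - [27/May/2025:10:04:00 +0000] "GET /forum/topic/123-hello HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

# Hypothetical stage label -> pattern over the URL-decoded request target.
STAGES = {
    "ad_template_api": re.compile(r"ajax/api/ad/(replaceAdTemplate|wrapAdTemplate)", re.I),
    "api_method_param": re.compile(r"/api\.php\?(.*&)?method=", re.I),
    "template_render": re.compile(r"ajax/render/ad_rce", re.I),
    "dropped_shell": re.compile(r"/shell\.php(\?|$)", re.I),
}

def scan(log_text):
    """Return {client_ip: [(stage, http_status), ...]} in log order."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, target, status = m.group(1), unquote(m.group(2)), int(m.group(3))
        for stage, pattern in STAGES.items():
            if pattern.search(target):
                hits[ip].append((stage, status))
    return dict(hits)

def triage(hits):
    """'chain': a 2xx ad-template call later followed by a render or shell hit."""
    verdicts = {}
    for ip, events in hits.items():
        ok = [i for i, (s, code) in enumerate(events)
              if s == "ad_template_api" and 200 <= code < 300]
        later = {s for s, _ in events[ok[0] + 1:]} if ok else set()
        verdicts[ip] = "chain" if later & {"template_render", "dropped_shell"} else "probe"
    return verdicts

if __name__ == "__main__":
    print(triage(scan(SAMPLE_LOG)))
```

Access logs rarely record POST bodies, so this only sees endpoint names that appear in the request line. A "chain" verdict on an affected version is a reason to treat the host as compromised rather than merely probed.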
Recent activity
30 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A 2025 vulnerability named in the report as part of the set of CVEs adopted by RondoDox operators.
A critical vulnerability in vBulletin (CVE-2025-48827) allowing unauthenticated users to invoke protected API controller methods and execute arbitrary PHP code, leading to full compromise of affected systems.
A critical vBulletin API method invocation issue that can be used as part of a chain leading to unauthenticated remote code execution, enabled by PHP 8.1 Reflection API behavior changes and abuse of the 'replaceAdTemplate' API endpoint/template handling.