CVE-2025-48828 (GCVE-0-2025-48828)
Vulnerability from cvelistv5
Published
2025-05-27 00:00
Modified
2025-05-27 18:04
Severity ?
9.0 (Critical) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE
  • CWE-424 - Improper Protection of Alternate Path
Summary
Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. By crafting template code in an alternative PHP function invocation syntax, such as the "var_dump"("test") syntax, attackers can bypass security checks and execute arbitrary PHP code, as exploited in the wild in May 2025.
References
cve@mitre.orghttps://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rceExploit, Third Party Advisory
cve@mitre.orghttps://kevintel.com/CVE-2025-48828Third Party Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0https://blog.kevintel.com/vbulletin-replaceadtemplate-kev/Broken Link
Impacted products
Vendor Product Version
vBulletin vBulletin Version: 6.0.3   <
Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-48828",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-27T18:04:12.683454Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-27T18:04:16.774Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://blog.kevintel.com/vbulletin-replaceadtemplate-kev/"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "vBulletin",
          "vendor": "vBulletin",
          "versions": [
            {
              "status": "affected",
              "version": "6.0.3",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:vbulletin:vbulletin:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "6.0.3",
                  "versionStartIncluding": "6.0.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. By crafting template code in an alternative PHP function invocation syntax, such as the \"var_dump\"(\"test\") syntax, attackers can bypass security checks and execute arbitrary PHP code, as exploited in the wild in May 2025."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-424",
              "description": "CWE-424 Improper Protection of Alternate Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-27T12:50:18.248Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce"
        },
        {
          "url": "https://kevintel.com/CVE-2025-48828"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-48828",
    "datePublished": "2025-05-27T00:00:00.000Z",
    "dateReserved": "2025-05-27T00:00:00.000Z",
    "dateUpdated": "2025-05-27T18:04:16.774Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-48828\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2025-05-27T04:15:45.033\",\"lastModified\":\"2025-06-25T16:32:38.947\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. By crafting template code in an alternative PHP function invocation syntax, such as the \\\"var_dump\\\"(\\\"test\\\") syntax, attackers can bypass security checks and execute arbitrary PHP code, as exploited in the wild in May 2025.\"},{\"lang\":\"es\",\"value\":\"Ciertas versiones de vBulletin podr\u00edan permitir a los atacantes ejecutar c\u00f3digo PHP arbitrario mediante el uso indebido de condicionales de plantilla en el motor de plantillas. Al crear c\u00f3digo de plantilla con una sintaxis alternativa de invocaci\u00f3n de funciones PHP, como la sintaxis \\\"var_dump\\\"(\\\"test\\\"), los atacantes pueden eludir las comprobaciones de seguridad y ejecutar c\u00f3digo PHP arbitrario.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cve@mitre.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.0,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"cve@mitre.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-424\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vbulletin:vbulletin:6.0.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B93016F8-817F-4694-ADE4-FACBD83D1C76\"}]}]}],\"references\":[{\"url\":\"https://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://kevintel.com/CVE-2025-48828\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://blog.kevintel.com/vbulletin-replaceadtemplate-kev/\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Broken Link\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-48828\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-05-27T18:04:12.683454Z\"}}}], \"references\": [{\"url\": \"https://blog.kevintel.com/vbulletin-replaceadtemplate-kev/\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-27T13:59:25.699Z\"}}], \"cna\": {\"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 9, \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\"}}], \"affected\": [{\"vendor\": \"vBulletin\", \"product\": \"vBulletin\", \"versions\": [{\"status\": \"affected\", \"version\": \"6.0.3\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"references\": [{\"url\": \"https://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce\"}, {\"url\": \"https://kevintel.com/CVE-2025-48828\"}], \"x_generator\": {\"engine\": \"enrichogram 0.0.1\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. By crafting template code in an alternative PHP function invocation syntax, such as the \\\"var_dump\\\"(\\\"test\\\") syntax, attackers can bypass security checks and execute arbitrary PHP code, as exploited in the wild in May 2025.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-424\", \"description\": \"CWE-424 Improper Protection of Alternate Path\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:vbulletin:vbulletin:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"6.0.3\", \"versionStartIncluding\": \"6.0.3\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"shortName\": \"mitre\", \"dateUpdated\": \"2025-05-27T12:50:18.248Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-48828\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-27T18:04:16.774Z\", \"dateReserved\": \"2025-05-27T00:00:00.000Z\", \"assignerOrgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"datePublished\": \"2025-05-27T00:00:00.000Z\", \"assignerShortName\": \"mitre\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.