vBulletin replaceAdTemplate Exploited in the Wild

Update 27-05-2025: Two CVEs were assigned to the researcher for these vulnerabilities, CVE-2025-48827 and CVE-2025-48828.
vBulletin is an Open Source PHP/MySQL forum software package that has been around since the year 2000. If you're over the age of 30 you've probably heard of it.
On May 23, 2025 Karma(In)Security disclosed an Unauthenticated Remote Code Execution (RCE) vulnerability affecting vBulletin 5.0.0 through 6.0.3, including a PoC. According to the researcher, this vulnerability was likely patched over a year ago. (BTW no CVE assigned at the time of writing, will update this post if/when one is assigned. Or maybe we can ask the new EUVD for a number?)
These are the likely patched versions:
- vBulletin 6.0.3 Patch Level 1
- vBulletin 6.0.2 Patch Level 1
- vBulletin 6.0.1 Patch Level 1
- vBulletin 5.7.5 Patch Level 3
The latest version of vBulletin is version 6.1.1, which is unaffected.
So if you haven't updated your version of vBulletin in a year or so, then you're pretty f****d. Go update now.
While spending hours this morning browsing our honeypot data to see whether any of our signatures had been triggered, I remembered seeing mention of the vBulletin vulnerability on Twitter over the weekend and decided to investigate.
Lo and behold, some IP based in Poland (195.3.221.137) was actively exploiting it!

This is hardly surprising, seeing as there has been a Nuclei template for it since May 24th, 2025. But I've not seen anyone else reporting in-the-wild exploitation as of writing, so I thought it would be valuable to some.
We have four log entries for requests to the vulnerable endpoint "ajax/api/ad/replaceAdTemplate":
- May 26, 2025 @ 08:23:28.193 UTC
- May 26, 2025 @ 08:23:28.242 UTC
- May 26, 2025 @ 08:24:33.429 UTC
- May 26, 2025 @ 08:24:33.429 UTC
The HTTP POST payload used in these requests was the following. It looks like the attacker used the original researcher's PoC rather than the Nuclei template. Unfortunately we don't have any follow-up requests in which the attacker actually used the "cmd" backdoor:
<vb:if condition='"passthru"($_POST["cmd"])'></vb:if>
The User Agent header used was:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.140 Safari/537.36
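As an added example (not from the original post, and not vBulletin's own code), here is a small Python detector that applies the indicators above to parsed HTTP requests: it flags any request to the replaceAdTemplate endpoint, escalates when the body carries <vb:if condition=...> markup, and escalates again when that conditional calls a PHP function by string or reads a request variable, which is the shape of the PoC payload (it generalises the quoted "passthru" call to a few other PHP command functions). The sample traffic is constructed, and the form field name "template" is an assumption.

```python
import re
from urllib.parse import quote_plus, unquote_plus

# Vulnerable vBulletin endpoint named in the post (matched as a lowercased path suffix).
VULN_PATH = "/ajax/api/ad/replaceadtemplate"
# Raw vBulletin template conditional: legitimate clients never post this markup.
TEMPLATE_TAG = re.compile(r"<vb:if\s+condition=", re.IGNORECASE)
# The PoC calls a PHP function through a quoted string, e.g. "passthru"(...); generalised slightly.
STRING_CALL = re.compile(r"[\"'](?:passthru|system|exec|shell_exec)[\"']\s*\(", re.IGNORECASE)
# ...and reads the command to run from a request variable.
REQ_VAR = re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\[", re.IGNORECASE)

def classify_request(req):
    """Return (severity, reason) for one request dict (src, method, path, body) or None."""
    path = req.get("path", "").split("?", 1)[0].lower()
    if not path.endswith(VULN_PATH):
        return None
    body = unquote_plus(req.get("body", ""))  # decode form encoding before matching
    if TEMPLATE_TAG.search(body) and (STRING_CALL.search(body) or REQ_VAR.search(body)):
        return ("high", "vb:if template injection with dynamic PHP call")
    if TEMPLATE_TAG.search(body):
        return ("medium", "vb:if template markup posted to replaceAdTemplate")
    return ("low", "request to replaceAdTemplate endpoint (probe or scan)")

def scan(requests):
    """Classify every request and return the hits with their source address."""
    hits = []
    for req in requests:
        verdict = classify_request(req)
        if verdict:
            hits.append({"src": req.get("src"), "severity": verdict[0], "reason": verdict[1]})
    return hits

# Payload exactly as quoted in the post; it is form-encoded into the sample body.
POC_PAYLOAD = "<vb:if condition='\"passthru\"($_POST[\"cmd\"])'></vb:if>"
# Constructed sample traffic (not real captures); documentation addresses, assumed field name.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.10", "method": "POST", "path": "/ajax/api/ad/replaceAdTemplate",
     "body": "styleid=1&template=" + quote_plus(POC_PAYLOAD)},
    {"src": "203.0.113.11", "method": "POST", "path": "/ajax/api/ad/replaceAdTemplate",
     "body": "styleid=1&template=" + quote_plus("<vb:if condition='1'>x</vb:if>")},
    {"src": "198.51.100.7", "method": "POST", "path": "/forum/ajax/api/ad/replaceAdTemplate",
     "body": "styleid=1"},
    {"src": "198.51.100.8", "method": "GET", "path": "/forum/index.php", "body": ""},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print(hit)
```

Feed it the requests from your WAF or reverse-proxy logs (request bodies are needed for anything above "low"); the "low" tier is noisy by design and is there to catch the scanning seen in the dshield data.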
The SANS Internet Storm Center dshield logs also show probes for the vulnerable "ajax/api/ad/replaceAdTemplate" vBulletin endpoint, starting on May 25th, 2025:

I believe this is the first "in the wild" confirmation of this vulnerability, making it a Known Exploited Vulnerability (KEV). Once a CVE is assigned, we'll add it to KEVIntel. In the meantime, go check if you have any older vBulletin forums that need patching!
Timeline
Apr 1st, 2024 - vBulletin Patch Released
May 23rd, 2025 - Public research and PoC released by Karma(In)Security
May 24th, 2025 - Nuclei Template Released
May 25th, 2025 - Probes in SANS logs
May 26th, 2025 - Exploit attempts in KEVIntel logs
May 27th, 2025 - CVEs Assigned
May 27th, 2025 - Listed on KEVIntel.com