CVE-2025-48828

Sažetak

Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. By crafting template code in an alternative PHP function invocation syntax, such as the "var_dump"("test") syntax, attackers can bypass security checks and execute arbitrary PHP code, as exploited in the wild in May 2025.

Reference

https://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce
https://kevintel.com/CVE-2025-48828
https://blog.kevintel.com/vbulletin-replaceadtemplate-kev/

CVSS

Base:	9.0
Impact:	6.0
Exploitability:	2.2

Pristup

Vektor	Složenost	Autentikacija
NETWORK	HIGH	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
HIGH	HIGH	HIGH

CVSS vektor

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Zadnje važnije ažuriranje

25-06-2025 - 16:32

Objavljeno

27-05-2025 - 04:15