Detections
Analytics
vBulletin 5.0.x < 6.0.4 Remote Code Execution
critical Web App Scanning Plugin ID 114869
Language:
Synopsis
vBulletin 5.0.x < 6.0.4 Remote Code ExecutionDescription
vBulletin versions 5.0.x prior to 6.0.4 are vulnerable to an improper authentication allowing unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later. This vulnerability can lead to remote code execution (RCE).Note that this plugin requires the 'File Upload' assessment option enabled in the scan configuration.
Solution
Upgrade to vBulletin version 6.0.4 or later.See Also
https://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce
Plugin Details
Severity: Critical
ID: 114869
Type: remote
Family: Component Vulnerability
Published: 6/4/2025
Updated: 6/4/2025
Scan Template: basic, full, pci, scan
Risk Information
VPR
Risk Factor: Critical
Score: 9.0
CVSS v2
Risk Factor: Critical
Base Score: 10
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS Score Source: CVE-2025-48827
CVSS v3
Risk Factor: Critical
Base Score: 10
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS Score Source: CVE-2025-48827
Vulnerability Information
CPE: cpe:2.3:a:vbulletin:vbulletin:*:*:*:*:*:*:*:*
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 5/22/2025
Vulnerability Publication Date: 5/8/2025
Reference Information
CVE: CVE-2025-48827, CVE-2025-48828
CWE: 424
OWASP: 2010-A3, 2013-A2, 2013-A9, 2017-A2, 2017-A9, 2021-A6, 2021-A7
WASC: Insufficient Authentication
CAPEC: 114, 115, 151, 194, 22, 57, 593, 633, 650, 94
DISA STIG: APSC-DV-000460, APSC-DV-002630
HIPAA: 164.306(a)(1), 164.306(a)(2), 164.312(a)(1), 164.312(a)(2)(i)
ISO: 27001-A.13.1.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.14.2.5, 27001-A.18.1.3, 27001-A.6.2.2, 27001-A.9.1.2, 27001-A.9.4.1, 27001-A.9.4.4, 27001-A.9.4.5
NIST: sp800_53-AC-3, sp800_53-CM-6b
OWASP API: 2019-API7, 2023-API8
OWASP ASVS: 4.0.2-14.2.1
PCI-DSS: 3.2-6.2, 3.2-6.5.10