Unauthenticated Remote Code Execution in vBulletin 6.0.1 via replaceAdTemplate Method
1 min read
Summary
A remote code execution (RCE) vulnerability has been discovered in vBulletin 6.0.1, a popular internet forum platform.
The flaw relates to an unintentionally exposed protected method called replaceAdTemplate, which should not be directly callable by unauthorised users.
However, due to a configuration error, this method can be abused to execute attacker-supplied PHP code on the server.
This can be achieved by sending a malicious POST request to the /ajax/api/ad/replaceAdTemplate endpoint, allowing the attacker to inject executable PHP payloads.
The vulnerability enables a range of actions, from web shell uploading and database exfiltration to potential full server compromise in severe cases.
Website administrators using vBulletin 5.1.0, 5.7.5, 6.0.1, and 6.0.3 running on PHP 8.1+ are urged to upgrade to the latest patched versions to address this critical security risk.