
CVE-2023-25135

Published: 03/02/2023 Updated: 13/02/2023
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 0

Vulnerability Summary

vBulletin prior to 5.6.9 PL1 allows an unauthenticated remote malicious user to execute arbitrary code via a crafted HTTP request that triggers deserialization. This occurs because verify_serialized checks that a value is serialized by calling unserialize and then checking for errors. The fixed versions are 5.6.7 PL1, 5.6.8 PL1, and 5.6.9 PL1.

Vulnerable Product

vbulletin vbulletin 5.6.8

vbulletin vbulletin 5.6.9

vbulletin vbulletin 5.6.7

Github Repositories

Exploits targeting vBulletin.

vbulletin-exploits

Exploits targeting vBulletin

CVE-2023-25135: Pre-authentication RCE

See: www.ambionics.io/blog/vbulletin-unserializable-but-unreachable

./vbulletin-rce-cve-2023-25135.py --help
Usage: vbulletin-rce-cve-2023-25135.py [-h] [-p PROXY] url command

Exploit for CVE-2023-25135: vBulletin pre-authentication RCE
See: wwwambionics

Exploit for CVE-2023-25135: vBulletin pre-authentication RCE

Modified by TAWKHID NATAEV

Description
This script exploits the CVE-2023-25135 vulnerability in vBulletin, allowing pre-authentication Remote Code Execution (RCE).

Usage
Ensure you have Python 3 installed.
Install the required libraries using: pip install requests
Run the script: python exploit.py
Follow the pro