CVE-2023-25135

Name: CVE-2023-25135
Creator: NVD / NIST
Published: 2023-02-03T05:15:10.737+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.8/10EPSS 23.93%

Last modified Jun 17, 2026

CVE-2023-25135 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted HTTP request that triggers deserialization. This occurs because verify_serialized checks that a value is serialized by calling unserialize and then checking for errors. EPSS estimates a 23.93% chance of exploitation in the next 30 days.

Description

vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted HTTP request that triggers deserialization. This occurs because verify_serialized checks that a value is serialized by calling unserialize and then checking for errors. The fixed versions are 5.6.7 PL1, 5.6.8 PL1, and 5.6.9 PL1.

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

23.93%

97.5th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Vbulletin	Vbulletin	5.6.7
Vbulletin	Vbulletin	5.6.8
Vbulletin	Vbulletin	5.6.9

References

https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4473890-vbulletin-5-6-9-security-patchRelease Notes, Vendor Advisory
https://www.ambionics.io/blog/vbulletin-unserializable-but-unreachableExploit, Technical Description, Third Party Advisory
https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4473890-vbulletin-5-6-9-security-patchRelease Notes, Vendor Advisory
https://www.ambionics.io/blog/vbulletin-unserializable-but-unreachableExploit, Technical Description, Third Party Advisory

Timeline

Published: Feb 3, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2023-25135?

How severe is CVE-2023-25135?

CVE-2023-25135 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 23.93% probability of exploitation in the next 30 days.

How do I fix CVE-2023-25135?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-25135?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST