Pierluigi Paganini June 01, 2025

Experts found two vulnerabilities in the vBulletin forum software, one of which is already being exploited in real-world attacks.

Two critical vBulletin flaws, tracked as CVE-2025-48827 and CVE-2025-48828, enable API abuse and remote code execution. The experts warn that one of these flaws is actively exploited in the wild.

An unauthenticated user could exploit CVE-2025-48827 (CVSS score of 10) to invoke protected API controllers’ methods when running on PHP 8.1 or later, as demonstrated by the /api.php?method=protectedMethod pattern.

The second flaw, tracked as CVE-2025-48828 (CVSS score of 9), can be exploited by attackers to run arbitrary PHP code by abusing template conditionals.

Both vulnerabilities were exploited in the wild in May 2025.

The vulnerabilities affect vBulletin versions from 5.0.0 to 5.7.5 and from 6.0.0 to 6.0.3, specifically when the platform is running on PHP 8.1 or newer.

Security researcher Egidio Romano discovered the two vBulletin vulnerabilities on May 23, 2025. These vulnerabilities allow attackers to exploit template conditionals and misuse protected methods, resulting in remote, unauthenticated code execution. The researcher also published a PoC exploit for these issues.

“For defenders and developers: now is a good time to review your frameworks and custom APIs. If you’re dynamically routing controller methods through Reflection, audit whether you’re enforcing access restrictions robustly. Look at how your application behaves across different PHP versions, and always assume that method visibility alone is not a security boundary.” reads the analysis published by Romano.

“For researchers: this vulnerability class might be ripe for further exploration. My quick survey of popular PHP platforms suggests that while vBulletin is the most egregious case, others may have similar patterns waiting to be exploited. Custom CMS platforms, internal admin panels, legacy enterprise code — all of these are candidates.”

By May 26, exploit attempts were seen in the wild targeting the vulnerable replaceAdTemplate API endpoint, giving attackers potential server access.

On May 26, researcher Ryan Dewhurst confirmed that the vulnerability was being actively exploited in the wild, as shown by attempts recorded on his honeypot.

“While browsing through our Honeypot data this morning for hours looking to see if any of our signatures had been triggered, I remembered seeing mention of the vBulletin vulnerability on Twitter over the weekend and decided to investigate.” Dewhurst wrote. “Lo and behold, some IP based in Poland (195.3.221.137) was actively exploiting it!”

“This is hardly surprising seeing as there’s a Nuclei template for it since May 24th, 2025.” the researcher added.

Below is the timeline for this vulnerability.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, vBulletin)