
Hackers are exploiting critical flaw in vBulletin forum software

Two critical vulnerabilities affecting the open-source forum software vBulletin have been discovered, with one confirmed to be actively exploited in the wild.

The flaws, tracked as CVE-2025-48827 and CVE-2025-48828 and rated critical (CVSS v3 scores of 10.0 and 9.0 respectively), are an API method invocation vulnerability and a remote code execution (RCE) vulnerability via template engine abuse.

They impact vBulletin versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 when the platform runs on PHP 8.1 or later.

The vulnerabilities were likely patched quietly last year with the release of Patch Level 1 for all versions of the 6.* release branch and version 5.7.5 Patch Level 3, but many sites remained exposed because they had not upgraded.

Public PoC and active exploitation

The two issues were discovered on May 23, 2025, by security researcher Egidio Romano (EgiX), who explained how to exploit them in a detailed technical post on his blog.


The researcher showed that the flaw lies in vBulletin's misuse of PHP's Reflection API, which, due to behavioral changes introduced in PHP 8.1, allows protected methods to be invoked without explicit accessibility adjustments.

The vulnerability chain lies in the ability to invoke protected methods via crafted URLs and the misuse of template conditionals within vBulletin's template engine.

By injecting crafted template code using the vulnerable 'replaceAdTemplate' method, attackers bypass "unsafe function" filters using tricks like PHP variable function calls.

This results in fully remote, unauthenticated code execution on the underlying server, effectively granting attackers shell access as the web server user (www-data on Linux, for example).

On May 26, security researcher Ryan Dewhurst reported seeing exploitation attempts in honeypot logs showing requests to the vulnerable 'ajax/api/ad/replaceAdTemplate' endpoint.

[Figure: Logs showing exploitation attempts]
Source: blog.kevintel.com

Dewhurst traced one of the attackers to Poland, seeing attempts to deploy PHP backdoors to execute system commands.


The researcher noted that the attacks appear to be leveraging the exploit published earlier by Romano, although Nuclei templates for the flaw have been available since May 24, 2025.

It is important to clarify that Dewhurst only observed exploitation attempts for CVE-2025-48827, and no evidence exists yet that attackers have successfully chained it to the full RCE, although this is highly likely.
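The two things a forum administrator can check from this story are whether their own access logs contain requests to the endpoint Dewhurst saw in his honeypot, and whether their installation falls in the affected version ranges. The following is an added example (not code from the article, from Dewhurst, or from vBulletin) that does both; the access-log format and the log lines are constructed, and the version check cannot see Patch Levels, so a "True" result means "verify the fix is installed", not "certainly vulnerable".

```python
"""Defender-side checks for the vBulletin replaceAdTemplate endpoint and the
affected version ranges named in the article. Added example, not code from the
article or from vBulletin; Apache/nginx "combined" log format is assumed and
the sample lines below are constructed, not real captures."""
import re
from urllib.parse import unquote

TARGET = "ajax/api/ad/replaceadtemplate"  # endpoint from the article, lowercased

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

def scan_access_log(lines):
    """Return one dict per request whose path hits the replaceAdTemplate endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Normalise before matching so encoded or mixed-case paths are not missed.
        path = unquote(unquote(m["path"])).lower()
        if TARGET in path:
            hits.append({"ip": m["ip"], "method": m["method"], "status": int(m["status"]), "ua": m["ua"]})
    return hits

def is_affected(vb_version, php_version):
    """Affected per the article: vBulletin 5.0.0-5.7.5 or 6.0.0-6.0.3 on PHP 8.1+.
    Patch Levels are not part of the version string, so True means 'confirm the
    relevant Patch Level is installed', not 'certainly vulnerable'."""
    vb = tuple(int(x) for x in vb_version.split("."))
    php = tuple(int(x) for x in php_version.split(".")[:2])
    in_range = (5, 0, 0) <= vb <= (5, 7, 5) or (6, 0, 0) <= vb <= (6, 0, 3)
    return in_range and php >= (8, 1)

# Constructed sample: two probes from one host, one ordinary forum request.
SAMPLE_LOG = [
    '203.0.113.7 - - [26/May/2025:10:12:01 +0000] "POST /ajax/api/ad/replaceAdTemplate HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [26/May/2025:10:12:03 +0000] "POST /ajax/api/ad/replaceAdTemplate HTTP/1.1" 200 498 "-" "python-requests/2.31"',
    '198.51.100.4 - - [26/May/2025:10:13:44 +0000] "GET /forum/showthread.php?t=12 HTTP/1.1" 200 9034 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    print(f"{len(found)} request(s) to the replaceAdTemplate endpoint:", found)
    print("6.0.3 on PHP 8.2 affected:", is_affected("6.0.3", "8.2.4"))
```

Run it against a real access log with `scan_access_log(open("access.log"))`; a 200 response on a hit is worth more attention than a 403 or 404, since the latter suggest the request was blocked or the path does not exist.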

vBulletin troubles

vBulletin is one of the most widely used commercial PHP/MySQL-based forum platforms, powering thousands of online communities globally.

Its modular design, including mobile APIs and AJAX interfaces, makes it a complex and versatile platform. However, it also exposes a broad attack surface.

In the past, hackers have leveraged severe flaws in the platform to breach popular forums and steal the sensitive data of large numbers of users.

Forum administrators are advised to apply the security updates for their vBulletin installation or move to the latest release, version 6.1.1, which is not affected by the mentioned flaws.
