Hackers are exploiting critical flaw in vBulletin forum software

By NextTech, June 1, 2025


Two critical vulnerabilities affecting the open-source forum software vBulletin have been discovered, with one confirmed to be actively exploited in the wild.

The flaws, tracked as CVE-2025-48827 and CVE-2025-48828 and rated critical (CVSS v3 scores of 10.0 and 9.0, respectively), are an API method invocation flaw and a remote code execution (RCE) flaw via template engine abuse.

They impact vBulletin versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 when the platform runs on PHP 8.1 or later.

The vulnerabilities were likely patched quietly last year with the release of Patch Level 1 for all versions of the 6.* release branch, and version 5.7.5 Patch Level 3, but many sites remained exposed because they did not upgrade.

Public PoC and active exploitation

The two issues were discovered on May 23, 2025, by security researcher Egidio Romano (EgiX), who explained how to exploit them in a detailed technical post on his blog.

The researcher showed that the flaw lies in vBulletin's misuse of PHP's Reflection API, which, due to behavioral changes introduced in PHP 8.1, allows protected methods to be invoked without explicit accessibility adjustments.
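The Reflection behavior described above, reduced to a small PHP illustration that is added here and is not code from vBulletin or from the researcher's post; the class and function names (`ForumAdApi`, `dispatchLegacy`, `dispatchHardened`) are hypothetical. It contrasts a dispatcher that relies on Reflection to reject non-public methods with one that checks visibility explicitly.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for an API controller; not vBulletin code.
class ForumAdApi
{
    // Meant to be callable by remote clients.
    public function listAds() { return ['sidebar', 'footer']; }

    // Internal helper, never meant to be a remote entry point.
    protected function replaceTemplate(string $location, string $template)
    {
        return "template stored for {$location}";
    }
}

// Legacy pattern: trusts Reflection to refuse non-public methods.
// PHP < 8.1 throws ReflectionException here for a protected method;
// PHP >= 8.1 invokes it, because Reflection treats all methods as accessible.
function dispatchLegacy(object $api, string $method, array $args)
{
    $ref = new ReflectionMethod($api, $method);
    return $ref->invokeArgs($api, $args);
}

// Hardened pattern: visibility is an explicit check, independent of PHP version.
function dispatchHardened(object $api, string $method, array $args)
{
    $ref = new ReflectionMethod($api, $method);
    if (!$ref->isPublic() || $ref->isStatic() || strncmp($method, '__', 2) === 0) {
        throw new RuntimeException("API method not callable: {$method}");
    }
    return $ref->invokeArgs($api, $args);
}

$api = new ForumAdApi();
$calls = [
    'legacy'   => fn() => dispatchLegacy($api, 'replaceTemplate', ['header', 'x']),
    'hardened' => fn() => dispatchHardened($api, 'replaceTemplate', ['header', 'x']),
];
foreach ($calls as $name => $call) {
    try {
        echo "{$name}: invoked, returned '" . $call() . "'\n";
    } catch (Exception $e) {
        echo "{$name}: rejected (" . get_class($e) . ")\n";
    }
}
```

Running the same file under PHP 8.0 and under PHP 8.1 or later shows the legacy dispatcher changing from rejecting the call to invoking it, while the hardened dispatcher rejects it on both.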

The vulnerability chain lies in the ability to invoke protected methods via crafted URLs and the misuse of template conditionals inside vBulletin's template engine.

By injecting crafted template code using the vulnerable 'replaceAdTemplate' method, attackers bypass "unsafe function" filters using tricks like PHP variable function calls.

This results in fully remote, unauthenticated code execution on the underlying server, effectively granting attackers shell access as the web server user (www-data on Linux, for example).

On May 26, security researcher Ryan Dewhurst reported seeing exploitation attempts in honeypot logs showing requests to the vulnerable 'ajax/api/ad/replaceAdTemplate' endpoint.

Logs showing exploitation attempts
Source: blog.kevintel.com

Dewhurst traced one of the attackers to Poland, seeing attempts to deploy PHP backdoors to execute system commands.

The researcher noted that the attacks appear to be leveraging the exploit published earlier by Romano, though there have been Nuclei templates available for the flaw since May 24, 2025.

It is important to clarify that Dewhurst only observed exploitation attempts for CVE-2025-48827, but no evidence exists yet that attackers have successfully chained it to the full RCE, although this is highly likely.

vBulletin troubles

vBulletin is one of the most widely used commercial PHP/MySQL-based forum platforms, powering thousands of online communities globally.

Its modular design, including mobile APIs and AJAX interfaces, makes it a complex and flexible platform. However, it also exposes a broad attack surface.

In the past, hackers have leveraged severe flaws in the platform to breach popular forums and steal the sensitive data of large numbers of users.

Forum administrators are recommended to apply the security updates for their vBulletin installation or move to the latest release, version 6.1.1, which is not affected by the said flaws.
