- Security researchers find two flaws in vBulletin
- Both are critical in severity, and can be chained for RCE
- One of the flaws is being actively exploited
A critical security vulnerability found in the popular forum software vBulletin is being abused in the wild, experts have claimed.
Cybersecurity researcher Ryan Dewhurst, who claims to have seen exploitation attempts in the wild, says the vulnerability can in theory be used to grant the attackers remote code execution (RCE) capabilities.
Dewhurst says the bug, tracked as CVE-2025-48827, is described as an API method invocation flaw, with a severity score of 10/10 (critical). It affects vBulletin versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3, running on PHP 8.1 and later.
Doxxing Stern
Dewhurst said that he first saw exploitation attempts in his honeypot on May 26. The attacks originated in Poland, he added, stressing that PoCs were available for a few days at this point.
It is also worth mentioning that the bug was first spotted by security researcher Egidio Romano (EgiX), who also observed a “Template Conditionals in the template engine” vulnerability, tracked as CVE-2025-48828.
This one has a severity score of 9.0/10 (critical), and grants the attackers remote code execution (RCE) capabilities. These two can allegedly be chained together, but so far, the researchers haven’t seen the chain in the wild.
According to BleepingComputer, the bug was probably patched quietly, when Patch Level 1 (for all versions of the 6) and Patch Level 3 (for version 5.7.5) were released. The publication claims that many sites remain at risk since not all admins are diligent when it comes to patching.
vBulletin, BleepingComputer further stresses, is one of the most widely used commercial PHP/MySQL-based forum platforms, powering thousands of online communities globally.
It owes its popularity, among other things, to its modular design, which makes it both flexible and complex. It also makes it somewhat more exposed to threats.
Leave a comment