Security researchers have uncovered two critical vulnerabilities affecting vBulletin, a widely-used forum software. One of the vulnerabilities is already being actively exploited, posing a meaningful risk to online communities.

The vulnerabilities, identified as CVE-2025-48827 and CVE-2025-48828, carry critical severity ratings (CVSS v3 scores of 10.0 and 9.0, respectively). They involve an API method invocation flaw and a remote code execution (RCE) vulnerability stemming from template engine abuse.

These flaws impact vBulletin versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 when running on PHP 8.1 or later.

While patches were likely released quietly last year in Patch Level 1 for the 6.* branch and version 5.7.5 Patch Level 3, many sites remain vulnerable due to delayed upgrades.

Proof-of-Concept and Active Exploitation

On May 23, 2025, security researcher Roman egidio (EgiX) disclosed the two vulnerabilities,providing a detailed technical description of how to exploit them.

EgiX demonstrated that the vulnerability stems from vBulletin’s improper use of PHP’s Reflection API. A change introduced in PHP 8.1 allows protected methods to be invoked without explicit accessibility adjustments.

The exploit chain involves invoking protected methods through specially crafted URLs and exploiting template conditionals within vBulletin’s template engine.

By injecting malicious template code using the vulnerable ‘replaceAdTemplate’ method, attackers can bypass “unsafe function” filters using techniques like PHP variable function calls.

This leads to unauthenticated remote code execution on the server, granting attackers shell access as the web server user (e.g., www-data on Linux).

On May 26, security researcher Ryan dewhurst reported observing exploitation attempts in honeypot logs, targeting the vulnerable ‘ajax/api/ad/replaceAdTemplate’ endpoint.

Dewhurst traced one attacker to Poland, noting attempts to deploy PHP backdoors for executing system commands.

Dewhurst believes the attacks leverage the exploit published by Romano,although Nuclei templates for the vulnerability have been available since May 24,2025.

While Dewhurst only observed exploitation attempts for CVE-2025-48827, it is indeed highly likely that attackers will successfully chain it to achieve full RCE.

Past vBulletin Security Issues

vBulletin is a popular commercial forum platform based on PHP and MySQL, powering numerous online communities worldwide.

Its modular design, which includes mobile APIs and AJAX interfaces, provides adaptability but also increases its attack surface.

In the past, attackers have exploited critical vulnerabilities in vBulletin to compromise forums and steal sensitive user data.

“This results in fully remote, unauthenticated code execution on the underlying server – effectively granting attackers shell access.”

Mitigation

Administrators are urged to apply the latest security updates for their vBulletin installations or upgrade to version 6.1.1,which is not affected by these vulnerabilities.