Exploitation of Critical Vulnerability in vBulletin Forum Software by Cyber Threat Actors

Recent discoveries have identified two critical vulnerabilities in the open-source forum software vBulletin, one of which is confirmed to be actively exploited in the wild.

The identified flaws, designated as CVE-2025-48827 and CVE-2025-48828, have been rated critical, with a CVSS v3 score of 10.0 and 9.0 respectively. These security issues pertain to an API method invocation vulnerability and a remote code execution (RCE) exploit involving template engine misuse.

These vulnerabilities affect vBulletin versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 when the software is running on PHP 8.1 or later.

It is noted that these security flaws were likely addressed with the quiet release of Patch Level 1 for all versions of the 6.* version branch, and version 5.7.5 Patch Level 3; however, many installations remained vulnerable due to a lack of updates.

Public Proof of Concept and Active Exploitation

Discovered on May 23, 2025, by security researcher Egidio Romano, the vulnerabilities were detailed in a thorough technical post on his blog, outlining how they can be exploited.

The root of the issue is attributed to vBulletin’s improper use of PHP’s Reflection API, which, due to behavioral adjustments in PHP 8.1, permits the invocation of protected methods without specific accessibility modifications.

The exploitation chain begins with the ability to call protected methods through specially crafted URLs and misuses of template conditionals within vBulletin’s template engine.

Attackers can inject malicious template code through the vulnerable ‘replaceAdTemplate’ method, allowing them to bypass “unsafe function” filters by employing techniques such as PHP variable function calls.

This exploitation enables remote, unauthenticated code execution on the server, effectively providing attackers with shell access using the web server’s user privileges (e.g., www-data on Linux).

On May 26, security researcher Ryan Dewhurst observed attempted exploitations in honeypot logs, with requests directed at the vulnerable ‘ajax/api/ad/replaceAdTemplate’ endpoint.

Dewhurst traced one of the attackers to Poland and reported attempts to deploy PHP backdoors for executing system commands.

Notably, these attacks appear to exploit the vulnerabilities previously detailed by Romano, with readily available Nuclei templates for the flaw since May 24, 2025.

While Dewhurst exclusively observed attempts to exploit CVE-2025-48827, there is currently no evidence confirming successful exploitation leading to full RCE, although the likelihood remains high.

Challenges with vBulletin

vBulletin is one of the most prominently used commercial PHP/MySQL-based forum platforms, supporting a multitude of online communities globally.

The platform’s modular architecture, complete with mobile APIs and AJAX interfaces, reinforces its complexity and adaptability. However, this intricacy contributes to a significantly expanded attack surface.

Historically, hackers have exploited notable vulnerabilities within this platform, leading to the breach of significant forums and the theft of sensitive user data from large user databases.

To mitigate risks, forum administrators are strongly advised to implement security updates for their vBulletin installations or transition to the latest version, 6.1.1, which does not encompass these vulnerabilities.