Hackers are exploiting significant defects in vBulletin forum software

By PineapplesUpdate, May 30, 2025
Two important vulnerabilities affecting the open-source forum software vBulletin have been discovered, one of which has been confirmed to be actively exploited in the wild.

Tracked as CVE-2025-48827 and CVE-2025-48828 and rated critical (CVSS v3 scores of 10.0 and 9.0 respectively), the flaws are an API method invocation issue and a template engine abuse that lead to remote code execution (RCE).

They affect vBulletin versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 when the platform runs on PHP 8.1 or later.

The flaws were quietly patched with the release of Patch Level 1 for all versions of the 6.* release branch, and Patch Level 3 for version 5.7.5, but many sites remain exposed because they were not upgraded.

Public PoC and active exploitation

The two issues were discovered by security researcher Egidio Romano (EgiX), who explained how to exploit them in a detailed technical post on his blog on May 23, 2025.

The researcher showed that the flaw stems from vBulletin's misuse of PHP's Reflection API, which allows protected methods to be invoked without explicit access control because of behavioral changes introduced in PHP 8.1.

The vulnerability chain lies in the ability to invoke protected methods through crafted URLs and to abuse templates inside vBulletin's template engine.

Through the 'replaceAdTemplate' method, specially crafted template code can bypass the 'unsafe function' filters using various tricks.

This results in full, unauthenticated remote code execution on the underlying server, effectively giving attackers shell access as the web server user (e.g. www-data on Linux).
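The PHP 8.1 behavioral change the article refers to is that ReflectionMethod::setAccessible() no longer has any effect: reflection can invoke protected and private methods unconditionally. The following added example (not vBulletin code, and not from the article or the researcher's post; the class, method and function names are hypothetical) shows a dispatcher that relied on the pre-8.1 ReflectionException to keep non-public methods unreachable, beside a hardened dispatcher that checks visibility explicitly and allowlists callable methods.

```php
<?php
// Added example, not vBulletin code. ExampleApi, dispatchWeak and
// dispatchHardened are hypothetical names used only for illustration.

class ExampleApi
{
    public function getStats(): string
    {
        return 'public: ok';
    }

    // Hypothetical privileged operation; must never be reachable from a request.
    protected function replaceTemplate(string $body): string
    {
        return 'protected: ' . $body;
    }
}

// Weak pattern: trusts reflection to reject non-public methods.
// Before PHP 8.1, invokeArgs() threw ReflectionException for a protected
// method unless setAccessible(true) had been called. Since PHP 8.1 the
// call simply succeeds, so the catch block no longer provides protection.
function dispatchWeak(object $api, string $method, array $args): string
{
    try {
        $m = new ReflectionMethod($api, $method);
        return $m->invokeArgs($api, $args);
    } catch (ReflectionException $e) {
        return 'rejected';
    }
}

// Hardened pattern: an explicit allowlist plus a visibility check, so the
// decision does not depend on the PHP version's reflection semantics.
function dispatchHardened(object $api, string $method, array $args): string
{
    static $allowed = ['getStats' => true];
    if (!isset($allowed[$method])) {
        return 'rejected';
    }
    $m = new ReflectionMethod($api, $method);
    if (!$m->isPublic() || $m->isStatic()) {
        return 'rejected';
    }
    return $m->invokeArgs($api, $args);
}

$api = new ExampleApi();
printf("PHP %s\n", PHP_VERSION);
printf("weak/getStats        : %s\n", dispatchWeak($api, 'getStats', []));
// 'rejected' on PHP < 8.1, but 'protected: x' on PHP >= 8.1
printf("weak/replaceTemplate : %s\n", dispatchWeak($api, 'replaceTemplate', ['x']));
// 'rejected' on every PHP version
printf("hard/replaceTemplate : %s\n", dispatchHardened($api, 'replaceTemplate', ['x']));
```

Run the script under PHP 8.0 and PHP 8.1 to see the weak dispatcher's behaviour change while the hardened one stays the same. The point for reviewers of any reflection-based router is that visibility must be an explicit check (isPublic(), an allowlist), never a side effect of an exception.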

On May 26, security researcher Ryan Dewhurst reported seeing exploitation attempts in his honeypot logs, with requests hitting the 'ajax/api/ad/replaceAdTemplate' endpoint.

[Image: log showing exploitation attempts. Source: blog.kevintel.com]

Dewhurst traced one of the attackers to Poland, with attempts to deploy a PHP backdoor to execute system commands.

The researcher stated that the attacks appear to leverage the exploit first published by Romano, although Nuclei templates for the flaws have been available since May 24, 2025.

It is important to clarify that Dewhurst only saw exploitation attempts for CVE-2025-48827, and there is no evidence yet that attackers successfully chained it into full RCE, although that is highly likely.
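Administrators who cannot patch immediately can at least find out whether their own forum has received the requests the honeypot saw. The following added example (not from the article or the honeypot author) scans access log lines in the common Apache/nginx "combined" format for requests to the endpoint named above; the log lines embedded in it are constructed for illustration, not real honeypot data, and the function names are hypothetical.

```php
<?php
// Added example, not from the article. Scans web server access log lines for
// requests to the vBulletin endpoint named in the article. The sample lines
// below are constructed; the IPs and timestamps are not real observations.

// Compared case-insensitively against the request path.
const WATCHED_PATH = 'ajax/api/ad/replaceadtemplate';

// Rough parser for the "combined" log format: ip ident user [time] "METHOD path proto" status ...
const LOG_RE = '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+)[^"]*" (?<status>\d{3})/';

/** Returns one array per request whose path contains WATCHED_PATH. */
function findWatchedRequests(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        if (!preg_match(LOG_RE, $line, $m)) {
            continue; // unparseable line, skip it
        }
        // Strip any query string, then normalise case before comparing.
        $path = strtolower((string) parse_url($m['path'], PHP_URL_PATH));
        if (str_contains($path, WATCHED_PATH)) {
            $hits[] = [
                'ip'     => $m['ip'],
                'time'   => $m['time'],
                'method' => $m['method'],
                'path'   => $m['path'],
                'status' => (int) $m['status'],
            ];
        }
    }
    return $hits;
}

// Constructed sample log lines (not real traffic).
$sample = [
    '198.51.100.7 - - [26/May/2025:10:01:02 +0000] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [26/May/2025:10:02:15 +0000] "POST /forum/ajax/api/ad/replaceAdTemplate HTTP/1.1" 200 231 "-" "python-requests/2.31"',
    '203.0.113.9 - - [26/May/2025:10:02:16 +0000] "GET /forum/AJAX/API/AD/REPLACEADTEMPLATE?x=1 HTTP/1.1" 403 0 "-" "curl/8.0"',
    'garbage line that does not parse',
    '198.51.100.8 - - [26/May/2025:10:03:00 +0000] "GET /forum/ajax/api/ad/fetchAds HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
];

$hits = findWatchedRequests($sample);
printf("%d request(s) to the watched endpoint\n", count($hits)); // 2 with the sample above
foreach ($hits as $h) {
    printf("%s %s %s -> %d (%s)\n", $h['time'], $h['ip'], $h['method'], $h['status'], $h['path']);
}
```

Feed it real lines with something like `findWatchedRequests(file('/var/log/apache2/access.log', FILE_IGNORE_NEW_LINES))`. A 200 response to a POST on this endpoint from an unfamiliar client is the line worth investigating first; a 403 or 404 means the request was rejected before it reached vBulletin. Either way, the right response is to apply the vendor patch rather than to rely on log review.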

vBulletin troubles

vBulletin is one of the most widely used commercial PHP/MySQL-based platforms, powering thousands of online communities globally.

Its modular design, including the mobile API and Ajax interfaces, makes it a complex and flexible platform. However, it also exposes a broad attack surface.

In the past, hackers have exploited serious flaws in the platform to breach popular forums and steal large amounts of sensitive user data.

Forum administrators are advised to apply the security updates for their vBulletin installation or move to the latest release, version 6.1.1, which is not affected by these flaws.
