Critical vBulletin Pre-Authentication remote code execution flaws actively exploited
Take action: If you're running vBulletin versions 5.0.0-5.7.5 or 6.0.0-6.0.3 on PHP 8.1+, immediately upgrade to vBulletin 6.1.1 or apply the latest security patches. Your software is vulnerable and the flaws are being actively exploited. If you cannot upgrade immediately, consider temporarily taking your forum offline or restricting access until patches can be applied.
vBulletin has been found vulnerable to two critical security flaws that enable unauthenticated remote code execution attacks. Active exploitation of the flaws is confirmed in the wild.
vBulletin is an Internet forum software package for creating and managing online discussion forums. It is popular for building and hosting online communities, letting users take part in structured, searchable discussions, and it is one of the most widely deployed commercial forum packages.
Vulnerability summary
- CVE-2025-48827 (CVSS score 10) - vBulletin allows unauthenticated users to invoke protected API controller methods. The flaw stems from vBulletin's misuse of PHP's Reflection API in its API controller logic: because of a behavioural change introduced in PHP 8.1, protected and private methods can be invoked via ReflectionMethod::invoke() without an explicit accessibility adjustment. This lets attackers bypass authentication and reach API methods that were never intended to be publicly accessible. The vulnerability is reached through crafted requests to endpoints following the pattern /ajax/api/[controller]/[method], where protected methods such as replaceAdTemplate(), which should only be callable internally, can be invoked.
- CVE-2025-48828 (CVSS score 9) - Certain vBulletin versions allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. The template engine's security checks can be bypassed by writing template code in an alternative PHP function invocation syntax, such as the "var_dump"("test") form, so that arbitrary PHP code is executed. Chained with CVE-2025-48827, this yields full unauthenticated remote code execution.
Both flaws were discovered by security researcher Egidio Romano and publicly reported on May 23, 2025.
The vulnerabilities affect vBulletin versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 when running on PHP 8.1 or later versions.
Active exploitation of these vulnerabilities has been confirmed since May 26, 2025. Security researcher Ryan Dewhurst reported observing exploitation attempts in honeypot logs, showing requests to the vulnerable ajax/api/ad/replaceAdTemplate endpoint. The attacks appear to be using the publicly available proof-of-concept exploit code to deploy PHP backdoors for persistent system access.
The vulnerabilities were likely addressed quietly by vBulletin with patches released earlier, specifically Patch Level 1 for all versions of the 6.x release branch and version 5.7.5 Patch Level 3. However, many sites remain exposed due to delayed patching or administrators being unaware of the silent security updates. vBulletin version 6.1.1 and later releases are not affected by these vulnerabilities.
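Two checks a forum operator can run from the details above, written as an added example (not code from vBulletin or from the advisory's author): a scan of web-server access logs for requests matching the /ajax/api/[controller]/[method] pattern, flagging the ad/replaceAdTemplate endpoint seen in the honeypot reports, and a version test that applies the affected ranges and fixed patch levels stated here. The log lines are constructed samples in combined log format; field layout and the patch-level argument are assumptions.

```python
import re

# Constructed sample access-log lines (combined log format); not real captures.
SAMPLE_LOG = [
    '203.0.113.5 - - [26/May/2025:10:14:02 +0000] "POST /ajax/api/ad/replaceAdTemplate HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.9 - - [26/May/2025:10:15:10 +0000] "GET /forum/threads/welcome.12/ HTTP/1.1" 200 8421 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [26/May/2025:10:15:33 +0000] "POST /ajax/api/user/save HTTP/1.1" 403 120 "-" "python-requests/2.31"',
]

LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<verb>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# Request-path pattern named in the advisory: /ajax/api/[controller]/[method]
API_PATH = re.compile(r'^/ajax/api/(?P<controller>\w+)/(?P<method>\w+)')
# The endpoint reported in honeypot logs during active exploitation.
KNOWN_ABUSED = {("ad", "replaceAdTemplate")}

def find_api_calls(lines):
    """Return every /ajax/api/ request in the lines, flagging known-abused endpoints."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        api = API_PATH.match(m["path"])
        if not api:
            continue
        key = (api["controller"], api["method"])
        hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                     "controller": key[0], "method": key[1],
                     "known_abused": key in KNOWN_ABUSED})
    return hits

def _ver(s):
    return tuple(int(p) for p in s.split("."))

def is_vulnerable(vb_version, php_version, patch_level=0):
    """Affected per the advisory: 5.0.0-5.7.5 or 6.0.0-6.0.3 on PHP 8.1+,
    except 6.x Patch Level 1+ and 5.7.5 Patch Level 3+ (the fixed patch levels)."""
    vb, php = _ver(vb_version), _ver(php_version)
    if php < (8, 1):
        return False
    if (6, 0, 0) <= vb <= (6, 0, 3):
        return patch_level < 1
    if (5, 0, 0) <= vb <= (5, 7, 5):
        return not (vb == (5, 7, 5) and patch_level >= 3)
    return False

if __name__ == "__main__":
    for h in find_api_calls(SAMPLE_LOG):
        flag = "KNOWN-ABUSED" if h["known_abused"] else "api-call"
        print(f'{h["ts"]} {h["ip"]} {h["controller"]}/{h["method"]} -> {h["status"]} [{flag}]')
    print("vBulletin 6.0.3 on PHP 8.2.0 vulnerable:", is_vulnerable("6.0.3", "8.2.0"))
```

Any hit on ad/replaceAdTemplate from an unfamiliar client warrants treating the host as potentially compromised, since the reported attacks drop PHP backdoors after the first successful request.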