Vulnerability Description
Two vulnerabilities, CVE-2025-48827 and CVE-2025-48828, can be chained together to achieve unauthenticated remote code execution on affected vBulletin instances running PHP 8.1 or later.
CVE-2025-48827 impacts versions 5.0.0-5.7.5 and 6.0.0-6.0.3. The NVD advisory for CVE-2025-48828 states that only certain versions of vBulletin are affected. Karma(in)Security discovered that PHP 8.1 and later versions don’t enforce restricted access to protected methods and confirmed successful exploitation on vBulletin versions 5.1.0, 5.7.5, 6.0.1, and 6.0.3.
- CVE-2025-48827 lets unauthenticated users invoke protected controller methods through vBulletin's dynamic API routing. This is due to changes introduced in PHP 8.1's handling of ReflectionMethod::invoke(), which no longer blocks access to protected methods, as demonstrated here.
- CVE-2025-48828 targets the vBulletin template engine, allowing attackers to inject PHP code using crafted template conditionals. A weak function filtering mechanism can be bypassed using alternate syntax, such as passthru($_POST["cmd"]), enabling code execution during template rendering.
Used together, an attacker can invoke the replaceAdTemplate() method via CVE-2025-48827 to write a malicious template to disk. This template is then rendered by the engine, executing code via CVE-2025-48828. Karma(in)Security has published a full technical writeup describing this exploit chain, as well as a working proof-of-concept (PoC).
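The following is an added example, not vBulletin code or the Karma(in)Security PoC: a hypothetical reflection-based API router (class and method names are made up) that shows why CVE-2025-48827 only appears on PHP 8.1+ and the visibility check such a router needs.

```php
<?php
// Added example (hypothetical controller, not vBulletin's): PHP 8.1 changed
// ReflectionMethod::invoke() so protected methods are callable; a router that
// dispatches by name must enforce visibility itself.
declare(strict_types=1);

class AdController
{
    public function listAds(): string { return 'public: listAds'; }
    // Internal helper; never meant to be reachable from an HTTP request.
    protected function replaceTemplate(string $name): string { return "protected: wrote $name"; }
}

// Naive router: look the method up by name and invoke it via reflection.
// PHP < 8.1: invoke() throws ReflectionException for a protected method.
// PHP >= 8.1: the call succeeds, which is the root cause of CVE-2025-48827.
function dispatchUnsafe(object $controller, string $method, array $args): string
{
    $rm = new ReflectionMethod($controller, $method);
    return (string) $rm->invokeArgs($controller, $args);
}

// Hardened router: only public, non-static, non-constructor methods are endpoints.
function dispatchSafe(object $controller, string $method, array $args): string
{
    if (!method_exists($controller, $method)) {
        throw new RuntimeException("unknown method $method");
    }
    $rm = new ReflectionMethod($controller, $method);
    if (!$rm->isPublic() || $rm->isStatic() || $rm->isConstructor()) {
        throw new RuntimeException("method $method is not an API endpoint");
    }
    return (string) $rm->invokeArgs($controller, $args);
}

$c = new AdController();
echo dispatchUnsafe($c, 'listAds', []), PHP_EOL;
try {
    // Reaches the protected method on PHP 8.1+; throws on earlier versions.
    echo dispatchUnsafe($c, 'replaceTemplate', ['evil.tpl']), PHP_EOL;
} catch (ReflectionException $e) {
    echo 'blocked by PHP runtime: ', $e->getMessage(), PHP_EOL;
}
try {
    echo dispatchSafe($c, 'replaceTemplate', ['evil.tpl']), PHP_EOL;
} catch (RuntimeException $e) {
    echo 'blocked by router: ', $e->getMessage(), PHP_EOL;
}
```

Run it under PHP 8.0 and 8.1 side by side to see the second call change from a ReflectionException to a successful invocation; dispatchSafe() rejects it on both.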
Threat Activity
While neither CVE has been added to CISA’s Known Exploited Vulnerabilities Catalog, multiple sources have reported signs of exploitation:
- Both vulnerabilities were added to KEVIntel on May 27, 2025, after KEVIntel reported signs of active exploitation appearing in its logs.
- The SANS Internet Storm Center reported probes targeting the vulnerable /ajax/api/ad/replaceAdTemplate endpoint.
- A GreyNoise Visualizer query shows several IPs attempting to exploit CVE-2025-48827, although no direct attempts using CVE-2025-48828 have been observed.
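As an added example (not part of the advisory or any vendor tooling), a small scanner that flags access-log entries hitting the replaceAdTemplate endpoint and the /api.php?method= dispatcher named above; the log lines are constructed samples in Apache combined format.

```php
<?php
// Added example: flag web-server access-log lines that probe the vBulletin
// endpoint reported by SANS ISC. Sample lines below are constructed, not real.
declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [27/May/2025:10:01:02 +0000] "POST /ajax/api/ad/replaceAdTemplate HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.44 - - [27/May/2025:10:02:11 +0000] "GET /forum/showthread.php?t=12 HTTP/1.1" 200 9123 "-" "Mozilla/5.0"
203.0.113.7 - - [27/May/2025:10:02:30 +0000] "GET /api.php?method=replaceAdTemplate HTTP/1.1" 403 128 "-" "python-requests/2.31"
LOG;

// Patterns drawn from the advisory: the ad controller reached via the ajax API
// route, and the generic /api.php?method= dispatcher aimed at the same method.
const SUSPICIOUS = [
    '#ajax/api/ad/replaceAdTemplate#i',
    '#/api\.php\?[^ "]*\bmethod=replaceAdTemplate\b#i',
];

/** Return [ip, verb, path] for every entry whose request line matches a pattern. */
function findProbes(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Extract client IP and the quoted request line from a combined-format entry.
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"/', $line, $m)) {
            continue;
        }
        [, $ip, $verb, $path] = $m;
        foreach (SUSPICIOUS as $re) {
            if (preg_match($re, $path)) {
                $hits[] = [$ip, $verb, $path];
                break;
            }
        }
    }
    return $hits;
}

foreach (findProbes(SAMPLE_LOG) as [$ip, $verb, $path]) {
    printf("ALERT %s %s %s\n", $ip, $verb, $path);
}
```

On the sample input the scanner reports the two 203.0.113.7 requests and ignores the showthread.php line; a 403 on the api.php request is still worth an alert, since it shows the host is being enumerated.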
| Field | Details: CVE-2025-48827 (or both CVEs) | Details: CVE-2025-48828 |
|---|---|---|
| CVE-ID | CVE-2025-48827 – CVSS 10.0 (critical) – assigned by MITRE | CVE-2025-48828 – CVSS 9.0 (critical) – assigned by MITRE |
| Vulnerability Description | Unauthenticated users can invoke protected API controller methods via /api.php?method=protectedMethod on PHP 8.1+. | By crafting template code using alternative function call syntax (e.g., var_dump("test")), attackers can bypass filtering and execute arbitrary PHP code. |
| Date of Disclosure | May 23, 2025 | |
| Date Reported as Actively Exploited | Both vulnerabilities were added to KEVIntel on May 27, 2025 | |
| Affected Assets | /api.php?method=protectedMethod enables access to protected API methods on PHP 8.1+. | Template engine conditionals allow function call injection using alternate syntax. |
| Vulnerable Software Versions | vBulletin 5.0.0 – 5.7.5 and 6.0.0 – 6.0.3 when running PHP 8.1 or later. | Confirmed affected: 5.1.0, 5.7.5, 6.0.1, and 6.0.3 (per Karma(in)Security). |
| PoC Available? | Full PoC published by Karma(in)Security and a Nuclei template are available. | |
| Exploitation Status | Both vulnerabilities were added to KEVIntel and signs of active exploitation were reported across multiple sources. | |
| Patch Status | The following patches have been announced by vBulletin: 6.0.3 Patch Level 1; 6.0.2 Patch Level 1; 6.0.1 Patch Level 1; 5.7.5 Patch Level 3. It is unclear which patch fully resolves the issue. Karma(in)Security suggested that the fix should be applied starting from version 6.0.4 and onward, and unpatched instances of 5.7.5, 6.0.1, 6.0.2, and 6.0.3 remain vulnerable per KEVIntel. | |
Censys Perspective
At the time of writing, Censys identified 45,043 exposed vBulletin instances, 2,608 of which appear to be exposing a version vulnerable to CVE-2025-48827. Note that exploitation requires PHP 8.1+ to be running on these hosts.
This query can be used to display results running both a vulnerable version of PHP and a vulnerable version of vBulletin:
web.software.cpe =~ "vbulletin:vbulletin:(5.[0-6].\d+|5.7.[0-5]|6.0.[0-3])" and web.software.cpe =~ "php:php:8.[1-9].\d+"
The queries below can be used to identify exposed instances of vBulletin, but they are not necessarily vulnerable to the exploit. Please note that these fingerprints were recently modified and results may take up to 24 hours to fully propagate.
web.software: (vendor: "vbulletin" and product: "vbulletin")
services.software: (vendor="vBulletin" and product="vBulletin")
host.services.software: (vendor="vBulletin" and product="vBulletin") or web_entity.instances.software: (vendor="vBulletin" and product="vBulletin")
Please note that this risk was recently deployed and results may take up to 24 hours to fully propagate.
risks.name = "Vulnerable vBulletin [CVE-2025-48827]"

References
- CVE-2025-48827 NVD Advisory
- CVE-2025-48828 NVD Advisory
- PHP 8.1 Protected Method Flaw Example
- Don’t Call That “Protected” Method: Dissecting an N-Day vBulletin RCE
- Karma(in)Security Proof of Concept
- vBulletin replaceAdTemplate – Remote Code Execution Nuclei Template
- vBulletin replaceAdTemplate Exploited in the Wild
- SANS Internet Storm Center Probes
- GreyNoise Visualizer CVE-2025-48827 Query