A dangerous security flaw making the rounds on the Internet aims at the commonly deployed vBulletin forum software. The two critical vulnerabilities, recorded as CVE-2025-48827 and CVE-2025-48828, can be exploited by attackers to takeover vulnerable web servers.
On the other side of the spectrum, the first vulnerability, CVE-2025-48827, rated with the critical CVSS score of 10, enables unauthenticated users to execute protected API controller methods if the forum is powered by PHP version 8.1 or later. This vulnerability can be leveraged with a certain URL pattern to allow unauthorized actions and data leakage.
The second bug, CVE-2025-48828, high severity (score 9) allows local attackers to execute arbitrary PHP code by abusing template conditionals. This would enable them to upload harmful scripts, take sensitive data or even graffiti the forum.
At least one of these vulnerabilities (CVE-2025-48827) have been confirmed by security researchers to be under exploitation in the wild. Evidence of exploit attempts for /api. php? method=protectedMethod endpoint, and the replaceAdTemplate API endpoint have been identified. This demonstrates that hackers are scanning for and actually exploiting vulnerable vBulletin forums.
The flaws impact vBulletin versions between 5.0.0 and 5.7.5, as well as versions between 6.0.0 and 6.0.3. The researcher who found the flaws, Egidio Romano, added that other PHP platforms may have the same vulnerabilities and developers should check their frameworks and custom APIs, particularly when dealing with dynamic routing of controller methods.
Forum admins that use said version of vBulletin are advised to install the security updates as soon as possible. Possible short-term actions to mitigate the issue will be to disable php in blocks and rendering in the vBulletin admin control panel; however, this may have a negative impact on certain forum features.
The continued abuse of these serious vulnerabilities are a reminder that web applications should be updated with the latest security patches for the underlying software. Hesitating to act can result in some serious security breaches and potential detriment of functioning online communities.
