Active Exploits Detected Targeting Critical vBulletin Vulnerability

Two critical vulnerabilities—CVE-2025-48827 and CVE-2025-48828—have been assigned to vBulletin, the widely used PHP/MySQL forum software, following public disclosure and observed exploitation in the wild.

The flaws affect vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 when run on PHP 8.1 or later, and allow unauthenticated attackers to achieve remote code execution (RCE), putting thousands of online communities at risk.

Reflection API Abuse and Template Engine Bypass

The vulnerabilities stem from a combination of an architectural oversight in vBulletin and a behavioural change in how PHP 8.1 handles method visibility through reflection.

vBulletin's API controller logic dispatches requests by name through PHP's Reflection API, calling ReflectionMethod::invoke() without checking whether the target method is public. Before PHP 8.1, invoking a protected or private method this way threw a ReflectionException unless setAccessible(true) had been called first, which acted as an implicit access check. As of PHP 8.1, setAccessible() is a no-op and all methods are invokable by default, so that implicit check silently disappeared.

When running on PHP 8.1 or later, this allows attackers to call protected and even private internal methods that were never meant to be externally reachable.

The first vulnerability (CVE-2025-48827) lets unauthenticated users invoke protected API controller methods by naming the controller and method in the request path, for example /ajax/api/ad/replaceAdTemplate.
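The following PHP program is an added example, not vBulletin's code and not the payload used in the wild. It uses hypothetical names (DemoController, publicAction, internalAction, dispatchVulnerable, dispatchHardened) to reproduce the pattern described above: a dispatcher that relies on ReflectionMethod refusing non-public methods, which is exactly what PHP 8.1 stopped doing, beside a hardened dispatcher that checks visibility explicitly and allow-lists routable actions.

```php
<?php
// Added example (not vBulletin code). All class, method and function names
// here are hypothetical stand-ins for an API controller and its dispatcher.

declare(strict_types=1);

class DemoController
{
    // Intended to be reachable over HTTP.
    public function publicAction(string $name): string
    {
        return "hello, $name";
    }

    // Intended for internal use only; never meant to be routed to.
    protected function internalAction(string $template): string
    {
        return "would write template: $template";
    }
}

// Vulnerable dispatcher: its only "visibility check" is that
// ReflectionMethod::invokeArgs() refuses non-public methods. That holds on
// PHP < 8.1 (it throws ReflectionException unless setAccessible(true) was
// called first). On PHP >= 8.1 setAccessible() is a no-op and every method is
// invokable, so the protected method simply runs.
function dispatchVulnerable(object $controller, string $method, array $args): string
{
    $rm = new ReflectionMethod($controller, $method);
    return (string) $rm->invokeArgs($controller, $args);
}

// Hardened dispatcher: check visibility explicitly instead of relying on
// engine behaviour, and keep an allow-list so only intended actions route.
function dispatchHardened(object $controller, string $method, array $args, array $allowList): string
{
    if (!in_array($method, $allowList, true)) {
        throw new RuntimeException("method not routable: $method");
    }
    $rm = new ReflectionMethod($controller, $method);
    if (!$rm->isPublic() || $rm->isStatic()) {
        throw new RuntimeException("method not public: $method");
    }
    return (string) $rm->invokeArgs($controller, $args);
}

$c = new DemoController();

// Attacker-controlled method name, as it would arrive in the request path.
$requested = 'internalAction';

try {
    // PHP >= 8.1: prints "would write template: evil.tpl" (protected method ran).
    // PHP < 8.1: ReflectionException is thrown and the catch branch runs instead.
    echo dispatchVulnerable($c, $requested, ['evil.tpl']), PHP_EOL;
} catch (ReflectionException $e) {
    echo 'vulnerable dispatcher refused: ', $e->getMessage(), PHP_EOL;
}

try {
    // Refused on every PHP version: not on the allow-list, and not public.
    echo dispatchHardened($c, $requested, ['evil.tpl'], ['publicAction']), PHP_EOL;
} catch (RuntimeException $e) {
    echo 'hardened dispatcher refused: ', $e->getMessage(), PHP_EOL;
}
```

Run it under PHP 8.0 and PHP 8.1 side by side to see the behaviour change: only the vulnerable dispatcher's output differs between the two. The hardened version does not depend on which PHP version it runs on, which is the property a routing layer should have.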

The second (CVE-2025-48828) abuses the template engine: attackers inject PHP code into a template through crafted conditionals, and that code executes when a render of the template is triggered, bypassing the engine's built-in security checks and filters.

Example Exploit Payload (PHP):

The payload is submitted via an HTTP POST request and, once rendered, executes arbitrary system commands on the server as the web server user (commonly www-data on Linux).

Exploitation Timeline and Detection

The vulnerabilities were first publicly disclosed on May 23, 2025, by researcher Egidio Romano (EgiX), with proof-of-concept (PoC) code released the same day.

Within days, security researchers observed active exploitation attempts, including attacks traced to an IP address in Poland targeting the vulnerable endpoint.

The attacks used the original PoC rather than automated scanning templates, which suggests hands-on, targeted exploitation rather than mass scanning.

The SANS Internet Storm Center and multiple honeypots reported probes and exploit attempts beginning May 25, 2025.

The flaws were officially assigned CVEs on May 27, 2025, and added to the Known Exploited Vulnerabilities (KEV) list.

Sample Attack Log Table

Date & Time (UTC)          Endpoint Accessed               Source IP       User Agent
2025-05-26 08:23:28.193    ajax/api/ad/replaceAdTemplate   195.3.221.137   Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/131.0.6778.140
2025-05-26 08:23:28.242    ajax/api/ad/replaceAdTemplate   195.3.221.137   Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/131.0.6778.140
2025-05-26 08:24:33.429    ajax/api/ad/replaceAdTemplate   195.3.221.137   Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/131.0.6778.140

Impact, Affected Versions, and Mitigation

The vulnerabilities are rated critical, with CVSS v3.1 scores of 10.0 and 9.0, respectively. They impact vBulletin versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3, specifically when running on PHP 8.1 or later.

Successful exploitation grants attackers full control over the server, potentially leading to data theft, defacement, or further compromise of connected systems.

Mitigation Steps:

  • Upgrade immediately to vBulletin 6.0.4 or later, or apply Patch Level 1 for affected 6.x versions and Patch Level 3 for 5.7.5. The reflection flaw is only reachable on PHP 8.1 or later, but do not treat an older PHP version as a mitigation; patch regardless.
  • Scan for vulnerable installations using tools such as Qualys QID 732555.
  • Monitor web-server logs for requests to ajax/api/ad/replaceAdTemplate, especially POST requests from unfamiliar source addresses. A hit against an unpatched installation running PHP 8.1 or later should be treated as a possible compromise, not just a probe.
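As an added example of the log check above (not from the article or from vBulletin), the PHP script below parses access-log lines in combined log format, flags every request whose path resolves to ajax/api/ad/replaceAdTemplate, and groups the hits by source IP. The log lines embedded in it are constructed for the example and use documentation address ranges; the function names (parseLogLine, findExploitAttempts) and the LOG_LINE_RE pattern are the example's own.

```php
<?php
// Added example (not from the article or from vBulletin): scan web-server
// access-log lines for requests to the endpoint named in the mitigation list.
// The sample log lines below are constructed, not real captures.

declare(strict_types=1);

const SUSPICIOUS_ENDPOINT = 'ajax/api/ad/replaceAdTemplate';

// Combined log format: ip ident user [time] "METHOD path PROTO" status size "referer" "ua"
const LOG_LINE_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"/';

// Returns the parsed fields, or null for a line that is not in combined format.
function parseLogLine(string $line): ?array
{
    if (!preg_match(LOG_LINE_RE, $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $m[4],
        'status' => (int) $m[5],
        'ua'     => $m[6],
    ];
}

// Returns matching entries grouped by source IP. The query string and the
// leading slash are stripped before comparison, so a probe such as
// "/ajax/api/ad/replaceAdTemplate?x=1" still matches. Observed exploitation
// used POST, but any method against this endpoint is worth a look, so the
// method is reported rather than filtered on.
function findExploitAttempts(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $entry = parseLogLine($line);
        if ($entry === null) {
            continue;
        }
        $path = ltrim(explode('?', $entry['path'], 2)[0], '/');
        if (strcasecmp($path, SUSPICIOUS_ENDPOINT) !== 0) {
            continue;
        }
        $hits[$entry['ip']][] = $entry;
    }
    return $hits;
}

// Constructed sample log (documentation IP ranges, not real traffic).
$sampleLog = [
    '203.0.113.10 - - [26/May/2025:08:23:28 +0000] "POST /ajax/api/ad/replaceAdTemplate HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/131.0.6778.140"',
    '203.0.113.10 - - [26/May/2025:08:23:28 +0000] "POST /ajax/api/ad/replaceAdTemplate HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/131.0.6778.140"',
    '198.51.100.7 - - [26/May/2025:08:30:01 +0000] "GET /forum/index.php HTTP/1.1" 200 10240 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [26/May/2025:08:31:15 +0000] "GET /ajax/api/ad/replaceAdTemplate?probe=1 HTTP/1.1" 403 0 "-" "python-requests/2.32.0"',
    'garbage line that does not parse',
];

foreach (findExploitAttempts($sampleLog) as $ip => $entries) {
    printf("%s: %d request(s) to %s\n", $ip, count($entries), SUSPICIOUS_ENDPOINT);
    foreach ($entries as $e) {
        printf("  [%s] %s %s -> %d  UA=%s\n", $e['time'], $e['method'], $e['path'], $e['status'], $e['ua']);
    }
}
```

On the constructed sample this reports two POST hits from 203.0.113.10 and one GET probe from 198.51.100.7, and silently skips the unparseable line. To run it over a real log, replace $sampleLog with file('/var/log/apache2/access.log', FILE_IGNORE_NEW_LINES) and adjust LOG_LINE_RE if your server uses a different log format.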

Summary Table: Affected and Patched Versions

vBulletin Version    Patch Level Required    Status
5.0.0 – 5.7.5        Patch Level 3           Patched
6.0.0 – 6.0.3        Patch Level 1           Patched
6.0.4+               N/A                     Not Vulnerable
6.1.1                N/A                     Not Vulnerable

The assignment of CVE-2025-48827 and CVE-2025-48828 marks these vBulletin flaws as critical, with active exploitation confirmed.

Administrators are urged to patch immediately and audit their systems, as attackers are leveraging these vulnerabilities to gain full control over vulnerable forum installations.
