vBulletin Vulnerability Exploited in the Wild

A critical vulnerability affecting the vBulletin forum software is being exploited in the wild, with attacks starting shortly after disclosure.

Researcher Egidio Romano published a blog post on May 23 to describe a vBulletin vulnerability that can be exploited for unauthenticated remote code execution. Romano made public technical details, as well as proof-of-concept (PoC) code.

The researcher confirmed that exploitation is possible against forums powered by vBulletin versions 5.1.0, 5.7.5, 6.0.1 and 6.0.3, noting that the vulnerability was apparently patched back in April 2024, without any CVE identifier being assigned. 

A few days after Romano’s blog post was published, KEVIntel reported seeing exploitation attempts against its honeypots starting on May 26. The attack attempts, which involved requests built to execute an attacker-supplied operating system command passed in a ‘cmd’ parameter, were based on Romano’s PoC exploit.

Honeypots maintained by SANS have also seen dozens of exploitation attempts since May 25. 

It’s unclear what exactly the attackers have done after exploiting the vulnerability.

The CVE identifiers CVE-2025-48827 and CVE-2025-48828 have now been assigned to the security hole: one covers the invocation of protected API controller methods through vBulletin’s AJAX interface, the other covers remote code execution through the template engine.
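The honeypot observations above (a ‘cmd’ parameter carrying the command) and the template-engine angle of the second CVE suggest a simple request-level detection. The following is an added example, not code from the article, from Romano, or from vBulletin. It assumes three things the article does not state: vBulletin 5/6 route API controller calls under `/ajax/api/<controller>/<method>`; the command arrives in a POST parameter named `cmd`; and template-engine abuse shows up as vBulletin template syntax (`{vb:...}` or `<vb:...>`) or PHP execution primitives in the request body. The sample traffic is constructed, and the controller/method name in it comes from public coverage of the PoC rather than from this page.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Heuristics (assumptions, see lead-in): vBulletin API router path shape,
# a 'cmd' parameter, template syntax or PHP execution primitives in the body.
AJAX_API_RE = re.compile(r"/ajax/api/[A-Za-z0-9_]+/[A-Za-z0-9_]+")
TEMPLATE_RE = re.compile(r"\{/?vb:|</?vb:", re.IGNORECASE)
PHP_EXEC_RE = re.compile(
    r"\b(passthru|system|shell_exec|exec|popen|proc_open|eval|assert)\s*\(",
    re.IGNORECASE,
)


def score_request(method, path, body):
    """Return the reasons one request looks like an exploitation attempt; [] if none."""
    reasons = []
    if not AJAX_API_RE.search(path):
        return reasons  # only vBulletin API controller calls are of interest
    decoded = unquote_plus(body)  # inspect the body as the server will see it
    params = parse_qs(body, keep_blank_values=True)
    if "cmd" in params:
        reasons.append("cmd parameter present")
    if TEMPLATE_RE.search(decoded):
        reasons.append("template syntax in body")
    if PHP_EXEC_RE.search(decoded):
        reasons.append("PHP execution primitive in body")
    return reasons


def scan(requests):
    """Return [(path, reasons)] for every request that trips at least one heuristic."""
    hits = []
    for method, path, body in requests:
        reasons = score_request(method, path, body)
        if reasons:
            hits.append((path, reasons))
    return hits


# Constructed sample traffic as (method, path, url-encoded body); not real honeypot data.
SAMPLE_REQUESTS = [
    ("GET", "/forum/", ""),
    ("POST", "/forum/ajax/api/search/fetch", "query=vulnerability&securitytoken=guest"),
    ("POST", "/forum/ajax/api/ad/replaceAdTemplate",
     "template=%7Bvb%3Aif+%22passthru%28%24_POST%5B%27cmd%27%5D%29%22%7Dx%7B%2Fvb%3Aif%7D&cmd=id"),
    ("POST", "/forum/ajax/api/ad/replaceAdTemplate", "template=%7Bvb%3Aif+1%7D%7B%2Fvb%3Aif%7D"),
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_REQUESTS):
        print(path, "->", ", ".join(reasons))
```

The path check deliberately keys on the API router prefix rather than on one controller name, so a variant that reaches a different method through the protected-method issue still gets a second look; the body heuristics are what separate noise from likely attempts, and a request that trips all three is the pattern the honeypots reported.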

In-the-wild exploitation of vBulletin vulnerabilities does not appear to be common these days. There has been no news of attacks targeting flaws in vBulletin since 2020. A related vBulletin vulnerability was exploited prior to that in 2019. 


Those two flaws, from 2019 and 2020, are the only vBulletin vulnerabilities currently included in CISA’s Known Exploited Vulnerabilities (KEV) catalog. CVE-2025-48827 and CVE-2025-48828 have yet to be added.

Related: Cityworks Zero-Day Exploited by Chinese Hackers in US Local Government Attacks

Related: Fortinet Patches Zero-Day Exploited Against FortiVoice Appliances

Related: Ivanti Patches Two EPMM Zero-Days Exploited to Hack Customers
