Two critical security vulnerabilities have been discovered in the popular open-source forum software vBulletin, with one of the flaws confirmed to be actively exploited in the wild.
The vulnerabilities, tracked as CVE-2025-48827 and CVE-2025-48828, affect vBulletin versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 running on PHP 8.1 or newer. The flaws stem from improper use of PHP’s Reflection API and weaknesses in vBulletin’s template engine.
The issue allows unauthorized users to invoke protected methods, bypassing traditional security mechanisms and leading to full remote code execution (RCE) on vulnerable systems.
According to security researcher Ryan Dewhurst, CVE-2025-48827 is already being exploited. Monitoring honeypots, Dewhurst observed attack attempts targeting the vulnerable ajax/api/ad/replaceAdTemplate endpoint, with some traced to threat actors in Poland. The attacks appear to use the public exploit and aim to drop PHP-based backdoors for command execution.
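As an added example, not taken from the article or from vBulletin's own code, the following Python helper does two things defenders will want after reading the above: it checks whether a given vBulletin/PHP version pair falls in the affected ranges stated earlier, and it scans web-server access logs (combined log format assumed) for requests to the replaceAdTemplate endpoint named by the researcher. The log lines, IPs and timestamps are constructed for illustration.

```python
import re
from typing import List, Tuple

# Affected version ranges as stated in the advisory text (inclusive bounds).
AFFECTED_RANGES = [((5, 0, 0), (5, 7, 5)), ((6, 0, 0), (6, 0, 3))]
# Endpoint reported as targeted in honeypot traffic.
ENDPOINT = "ajax/api/ad/replaceAdTemplate"


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '6.0.3' into (6, 0, 3) so versions compare as tuples."""
    return tuple(int(p) for p in v.strip().split("."))


def is_affected(vb_version: str, php_version: str) -> bool:
    """True when the vBulletin version is in an affected range AND PHP is 8.1+."""
    vb = parse_version(vb_version)
    php = parse_version(php_version)
    if php < (8, 1):
        return False
    return any(lo <= vb <= hi for lo, hi in AFFECTED_RANGES)


# Combined log format: client ip, identd, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_endpoint_hits(log_lines: List[str]) -> List[dict]:
    """Return every parsed request whose path touches the reported endpoint."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and ENDPOINT in m.group("path"):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "method": m.group("method"), "status": int(m.group("status"))})
    return hits


# Constructed sample access-log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jun/2025:10:15:02 +0000] "POST /ajax/api/ad/replaceAdTemplate HTTP/1.1" 200 512',
    '198.51.100.4 - - [01/Jun/2025:10:15:05 +0000] "GET /forum/index.php HTTP/1.1" 200 8120',
    '203.0.113.7 - - [01/Jun/2025:10:15:09 +0000] "POST /ajax/api/ad/replaceAdTemplate HTTP/1.1" 500 301',
]

if __name__ == "__main__":
    print("affected:", is_affected("6.0.3", "8.1.0"))
    for hit in find_endpoint_hits(SAMPLE_LOG):
        print(hit)
```

Any hit from a host that does not belong to a known administrator deserves a look at what was written under the web root afterwards, since the article reports the activity aims to drop PHP backdoors.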
Although only CVE-2025-48827 has been observed in real-world attacks so far, security experts warn that chaining the vulnerabilities to achieve full RCE is not only possible but likely. Notably, Nuclei detection templates for the flaws have been available since May 24.
vBulletin, a widely used PHP/MySQL-based platform powering thousands of forums worldwide, had quietly addressed the flaws in Patch Level 1 for the 6.x release and 5.7.5 Patch Level 3, likely issued last year.
Administrators are strongly urged to upgrade to version 6.1.1 or immediately apply the latest security patches to protect against potential compromise.