Two remote code execution vulnerabilities in vBulletin
| Risk | Critical |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2025-48827 CVE-2025-48828 |
| CWE-ID | CWE-424 CWE-94 |
| Exploitation vector | Network |
| Public exploit |
Vulnerability #1 is being exploited in the wild. Vulnerability #2 is being exploited in the wild. |
| Vulnerable software |
vBulletin Web applications / Forum & blogging software |
| Vendor | vBulletin |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Improper protection of alternate path
EUVDB-ID: #VU109837
Risk: Critical
CVSSv4.0: 9.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red]
CVE-ID: CVE-2025-48827
CWE-ID:
CWE-424 - Improper Protection of Alternate Path
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to missing authorization checks within protected API controllers methods. A remote non-authenticated attacker can send a specially crafted request to the website and execute arbitrary PHP code on the system.
Successful exploitation of the vulnerability requires PHP 8.1 to be used by the web application.
Install updates from vendor's website.
Vulnerable software versionsvBulletin: 5.7.5 - 6.0.3
CPE2.3- cpe:2.3:a:vbulletin:vbulletin:5.7.5:*:*:*:*:*:*:*
- cpe:2.3:a:vbulletin:vbulletin:5.7.5:Patch Level 2:*:*:*:*:*:*
- cpe:2.3:a:vbulletin:vbulletin:6.0.0:*:*:*:*:*:*:*
https://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce
https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4491049-security-patch-released-for-vbulletin-6-x-and-5-7-5
https://github.com/advisories/GHSA-23fp-mrfv-cwv4
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
2) Code Injection
EUVDB-ID: #VU110022
Risk: Critical
CVSSv4.0: 9.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red]
CVE-ID: CVE-2025-48828
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsvBulletin: 5.7.5 - 6.0.3 Patch Level 1
CPE2.3- cpe:2.3:a:vbulletin:vbulletin:5.7.5:*:*:*:*:*:*:*
- cpe:2.3:a:vbulletin:vbulletin:5.7.5:Patch Level 2:*:*:*:*:*:*
- cpe:2.3:a:vbulletin:vbulletin:5.7.5:Patch Level 3:*:*:*:*:*:*
https://blog.kevintel.com/vbulletin-replaceadtemplate-kev/
https://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce
https://kevintel.com/CVE-2025-48828
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
