Improper protection of alternate path in vBulletin - CVE-2025-48827


Published: May 27, 2025 / Updated: June 29, 2025


Vulnerability identifier: #VU109837
CSH Severity: Critical
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red
CVE-ID: CVE-2025-48827
CWE-ID: CWE-424
Exploitation vector: Remote access
Exploit availability: The vulnerability is being exploited in the wild
Vendor: vBulletin
Affected software:
vBulletin

Detailed vulnerability description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to missing authorization checks within protected API controller methods. A remote, non-authenticated attacker can send a specially crafted request to the website and execute arbitrary PHP code on the system.

Successful exploitation of the vulnerability requires PHP 8.1 to be used by the web application.
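As an added illustration of the weakness class (CWE-424, improper protection of an alternate path), the following hypothetical PHP dispatcher shows the defensive pattern that keeps non-public controller methods out of reach of an API request: an explicit allowlist of actions, a visibility check on the resolved method, and an authorization decision taken before invocation. This is example code, not vBulletin's, and says nothing about how vBulletin's own dispatcher is built; the controller class, action and permission names are assumptions.

```php
<?php
// Hypothetical controller for the example; not vBulletin's code.
class ProfileController
{
    // Explicit map of externally reachable actions to the permission each
    // requires. Anything not listed is not an API action, regardless of
    // which methods the class happens to define.
    public const ACTIONS = ['view' => 'profile.read'];

    public function view(array $params): string
    {
        return 'profile ' . (int) ($params['id'] ?? 0);
    }

    // Internal helper: protected and deliberately absent from ACTIONS.
    protected function rebuildCache(): string
    {
        return 'cache rebuilt';
    }
}

// Dispatcher: the request may only name a registered, public action, and
// authorization is decided here, before the method body runs.
function dispatch(object $controller, string $action, array $params, array $granted): string
{
    $actions = $controller::ACTIONS;
    if (!array_key_exists($action, $actions)) {
        throw new RuntimeException('unknown action');        // map to HTTP 404
    }
    // Second line of defence against a registration mistake: even a listed
    // action must resolve to a public, non-static method.
    $ref = new ReflectionMethod($controller, $action);
    if (!$ref->isPublic() || $ref->isStatic()) {
        throw new RuntimeException('action is not public');  // map to HTTP 500
    }
    if (!in_array($actions[$action], $granted, true)) {
        throw new RuntimeException('forbidden');             // map to HTTP 403
    }
    return (string) $controller->$action($params);
}

$c = new ProfileController();
echo dispatch($c, 'view', ['id' => 7], ['profile.read']), "\n";
foreach (['rebuildCache', 'view'] as $name) {   // second call lacks the permission
    try {
        dispatch($c, $name, [], []);
    } catch (RuntimeException $e) {
        echo "$name: ", $e->getMessage(), "\n";
    }
}
```

The first rejected call never reaches the reflection or authorization steps, which is the point: the allowlist, not the class's method list, defines the API surface.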


How to mitigate CVE-2025-48827

Install updates from vendor's website.

Sources