#VU109837 Improper protection of alternate path in vBulletin - CVE-2025-48827
Published: May 27, 2025 / Updated: June 29, 2025
Vulnerability identifier: #VU109837
Vulnerability risk: Critical
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red
CVE-ID: CVE-2025-48827
CWE-ID: CWE-424
Exploitation vector: Remote access
Exploit availability:
The vulnerability is being exploited in the wild
Vulnerable software:
vBulletin
vBulletin
Software vendor:
vBulletin
vBulletin
Description
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to missing authorization checks within protected API controllers methods. A remote non-authenticated attacker can send a specially crafted request to the website and execute arbitrary PHP code on the system.
Successful exploitation of the vulnerability requires PHP 8.1 to be used by the web application.
Remediation
Install updates from vendor's website.