securityaffairs.com 3/25/2026, 1:33:05 PM · via preferred

Two flaws in vBulletin forum software are under attack

CyberSIXT Evidence Panel
Primary Source: nvd.nist.gov
CISA KEV: Not in KEV
Patch Status: Unknown

Experts found two vulnerabilities in the vBulletin forum software, tracked as CVE-2025-48827 and CVE-2025-48828, one of which is already being exploited in real-world attacks. An unauthenticated attacker can exploit CVE-2025-48827 (CVSS 10) to invoke protected methods of the API controllers when the forum runs on PHP 8.1 or later, using the /api[.]php?method=protectedMethod request pattern. The second flaw, CVE-2025-48828 (CVSS 9), can be abused to run arbitrary PHP code through template conditionals.
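The PHP 8.1 dependency in CVE-2025-48827 comes from a documented change in that release: ReflectionMethod::setAccessible() became a no-op and every method is now callable through reflection regardless of visibility, so a dispatcher that resolves the request's method name via reflection and relied on invoke() refusing non-public methods silently starts exposing them. The following is an added illustration, not vBulletin's own code: a minimal reflection-based dispatcher in that style beside a hardened variant that enforces visibility and an allowlist itself. The class HypotheticalUserApi and its methods are invented for the example.

```php
<?php
// Added example, not code from vBulletin or from the article.
// HypotheticalUserApi and its methods are assumptions for illustration.
declare(strict_types=1);

final class HypotheticalUserApi
{
    // Intended API entry point: /api.php?method=getProfile&userid=1
    public function getProfile(int $userid): array
    {
        return ['userid' => $userid, 'username' => "user$userid"];
    }

    // Internal helper: protected, never meant to be reachable over HTTP.
    protected function resetPassword(int $userid, string $newPassword): string
    {
        return "password for user $userid reset";
    }
}

/**
 * Vulnerable pattern: look the requested method up via reflection and call it.
 * Before PHP 8.1, ReflectionMethod::invokeArgs() threw a ReflectionException
 * for a protected method unless setAccessible(true) had been called, so only
 * public methods were reachable. Since PHP 8.1 every method is accessible
 * through reflection, so the unchanged code now calls protected ones too.
 */
function dispatchVulnerable(object $api, string $method, array $params): mixed
{
    if (!method_exists($api, $method)) {
        throw new InvalidArgumentException("unknown method $method");
    }
    $rm = new ReflectionMethod($api, $method);
    return $rm->invokeArgs($api, $params);
}

/**
 * Hardened pattern: require the method to be on an explicit allowlist of API
 * entry points, and check visibility explicitly instead of relying on what
 * reflection happened to refuse in older PHP versions.
 */
function dispatchHardened(object $api, string $method, array $params, array $allowlist): mixed
{
    if (!in_array($method, $allowlist, true)) {
        throw new InvalidArgumentException("method $method is not an API entry point");
    }
    $rm = new ReflectionMethod($api, $method);
    if (!$rm->isPublic() || $rm->isStatic() || str_starts_with($method, '_')) {
        throw new InvalidArgumentException("method $method is not a public instance method");
    }
    return $rm->invokeArgs($api, $params);
}

// Constructed request mirroring the api.php?method=<name>&... pattern from the article.
$api = new HypotheticalUserApi();
$request = ['method' => 'resetPassword', 'userid' => 1, 'newPassword' => 'pwned'];
$method = $request['method'];
$params = array_values(array_diff_key($request, ['method' => true]));

try {
    // On PHP 8.1+ this succeeds and the protected method runs.
    echo "vulnerable: ", dispatchVulnerable($api, $method, $params), PHP_EOL;
} catch (ReflectionException $e) {
    // On PHP < 8.1: "Trying to invoke protected method ..."
    echo "vulnerable (pre-8.1 PHP): ", $e->getMessage(), PHP_EOL;
}

try {
    dispatchHardened($api, $method, $params, ['getProfile']);
} catch (InvalidArgumentException $e) {
    echo "hardened: ", $e->getMessage(), PHP_EOL;
}
```

The allowlist alone already blocks the request; the isPublic() check is kept as defence in depth so that a method accidentally added to the allowlist, or a future change in how reflection treats visibility, cannot widen the surface again. Running the script on PHP 8.1 or later shows the vulnerable dispatcher returning the protected method's result, while on PHP 8.0 and earlier it throws the ReflectionException instead.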

The flaws affect vBulletin versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 when PHP 8.1 or newer is in use, and exploitation was observed in the wild in May 2025. Security researcher Egidio Romano published details of the vulnerabilities together with a PoC exploit on 23 May 2025; by 26 May, exploitation attempts were being recorded in the wild, with honeypot data showing active exploitation from an IP address based in Poland.


Article by CyberSIXT