Critical vBulletin Vulnerabilities Under Active Exploitation by Hackers

Two severe security flaws in vBulletin, identified as CVE-2025-48827 and CVE-2025-48828, are being actively exploited, with one enabling remote code execution.

These bugs affect vBulletin versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 when running on PHP 8.1 or newer, and stem from improper use of PHP’s Reflection API and the template engine.

Although patches were released quietly last year, many forum sites remain vulnerable due to outdated software. Researcher Egidio Romano demonstrated how attackers can use crafted URLs and template code to bypass protections and gain control of the server.

Exploitation attempts have already been observed in the wild, with one traced to an attacker in Poland attempting to deploy PHP-based backdoors.

While full RCE has not yet been confirmed in observed attacks, the potential is high given the published proof-of-concept. Administrators are urged to upgrade immediately to version 6.1.1 to protect their forums.
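A quick exposure triage for a forum inventory, using the affected ranges, the PHP 8.1 condition and the 6.1.1 upgrade target stated above. This is an added example, not code from the article or from vBulletin. The status names, the inventory format and the choice to send "Patch Level" builds to manual review (the article does not say which patch levels carry the fix) are assumptions.

```python
import re

# Affected ranges, PHP condition and fixed release as stated in the article.
AFFECTED = [((5, 0, 0), (5, 7, 5)), ((6, 0, 0), (6, 0, 3))]
MIN_PHP = (8, 1)
FIXED = "6.1.1"

def parse_version(text, parts):
    """Return the first `parts` numeric components of a version string, or None."""
    m = re.search(r"\d+\.\d+(?:\.\d+)*", text or "")
    if not m:
        return None
    nums = [int(n) for n in m.group(0).split(".")]
    return tuple((nums + [0] * parts)[:parts])

def triage(vb_version, php_version):
    """Classify one install: affected, conditional, review or not-listed."""
    vb = parse_version(vb_version, 3)
    if vb is None:
        return "review"                      # version unknown: check by hand
    if not any(lo <= vb <= hi for lo, hi in AFFECTED):
        return "not-listed"                  # outside the ranges the article names
    if "patch level" in vb_version.lower():
        return "review"                      # assumption: the fix may already be applied
    php = parse_version(php_version, 2)
    if php is None:
        return "review"                      # in range, PHP version unknown
    return "affected" if php >= MIN_PHP else "conditional"

def triage_inventory(rows):
    """Map each host to its status; rows are (host, vb_version, php_version)."""
    return {host: triage(vb, php) for host, vb, php in rows}

# Constructed sample inventory (hosts and versions are made up for illustration).
INVENTORY = [
    ("forum-a.example", "5.7.5", "8.2.10"),
    ("forum-b.example", "6.0.3 Patch Level 1", "8.1.27"),
    ("forum-c.example", "5.6.9", "7.4.33"),
    ("forum-d.example", "6.1.1", "8.3.4"),
    ("forum-e.example", "6.0.1", ""),
]

if __name__ == "__main__":
    for host, status in triage_inventory(INVENTORY).items():
        note = f" -> upgrade to {FIXED}" if status in ("affected", "conditional") else ""
        print(f"{host}: {status}{note}")
```

A "conditional" result means the vBulletin version is in an affected range but PHP is older than 8.1, so the install meets the stated condition as soon as PHP is upgraded.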
