Scan free
CRITICALCVE-2025-48827CVSS 10

CVE-2025-48827: RCE in vBulletin Forums

Platform

php

Component

vbulletin

Fixed in

6.0.4

View on NVD
Save

CVE-2025-48827 is a critical Remote Code Execution (RCE) vulnerability discovered in vBulletin forums versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3. The vulnerability allows unauthenticated attackers to execute arbitrary code on systems running these versions when using PHP 8.1 or later. A fix is available in version 6.0.4, and exploitation has been observed in the wild.

Impact and Attack Scenarios

This vulnerability poses a severe risk to vBulletin installations. An attacker can leverage the /api.php?method=protectedMethod pattern to bypass authentication and directly execute commands on the server. Successful exploitation could lead to complete system compromise, including data exfiltration, malware deployment, and denial of service. The unauthenticated nature of the exploit significantly broadens the attack surface, making it accessible to a wide range of threat actors. Given the popularity of vBulletin, a successful attack could impact numerous organizations and communities.

Exploitation Context

This vulnerability is actively being exploited in the wild, as confirmed in May 2025. While specific threat actor attribution is not publicly available, the active exploitation underscores the urgency of patching. The vulnerability's ease of exploitation and the widespread use of vBulletin make it a high-priority target. The vulnerability was published on 2025-05-27. No KEV or EPSS score is currently available.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh

EPSS

69.39% (99% percentile)

CISA SSVC

Exploitationpoc
Automatableyes
Technical Impacttotal

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H10.0CRITICALAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredNoneAuthentication level needed to attackUser InteractionNoneWhether a victim must take actionScopeChangedImpact beyond the vulnerable componentConfidentialityHighRisk of sensitive data exposureIntegrityHighRisk of unauthorized data modificationAvailabilityHighRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Componentvbulletin
VendorvBulletin
Minimum version5.0.0
Maximum version6.0.3
Fixed in6.0.4

Weakness Classification (CWE)

CWE-424

Timeline

  1. Reserved
  2. Published
  3. EPSS updated

Mitigation and Workarounds

The primary mitigation is to immediately upgrade vBulletin to version 6.0.4 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. These may include restricting access to the /api.php endpoint via a Web Application Firewall (WAF) or proxy server, specifically blocking requests with the method=protectedMethod parameter. Review and harden PHP configuration, ensuring proper access controls and disabling unnecessary features. Monitor vBulletin logs for suspicious activity, particularly requests to the /api.php endpoint.

How to fix

Actualice vBulletin a una versión posterior a 6.0.3. Si no es posible actualizar inmediatamente, considere deshabilitar temporalmente las funcionalidades API o implementar reglas de firewall para restringir el acceso a los endpoints API vulnerables hasta que se pueda realizar la actualización. Consulte el sitio web de vBulletin para obtener las últimas actualizaciones y parches de seguridad.

Frequently asked questions

What is CVE-2025-48827 — RCE in vBulletin Forums?

CVE-2025-48827 is a critical Remote Code Execution vulnerability affecting vBulletin forums versions 5.0.0–6.0.3 running PHP 8.1+. It allows unauthenticated users to execute code on the server via the /api.php endpoint.

Am I affected by CVE-2025-48827 in vBulletin Forums?

You are affected if you are running vBulletin versions 5.0.0 through 5.7.5 or 6.0.0 through 6.0.3 and are using PHP 8.1 or later. Check your version immediately.

How do I fix CVE-2025-48827 in vBulletin Forums?

Upgrade vBulletin to version 6.0.4 or later. As a temporary workaround, restrict access to the /api.php endpoint using a WAF or proxy server.

Is CVE-2025-48827 being actively exploited?

Yes, CVE-2025-48827 is actively being exploited in the wild, making immediate patching essential.

Where can I find the official vBulletin advisory for CVE-2025-48827?

Refer to the official vBulletin security advisory for CVE-2025-48827 on the vBulletin website (check their security announcements section).

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs
livefree scan

Try it now — no account

Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.

Manual scanSlack/email alertsContinuous monitoringWhite-label reports

Drag & drop your dependency file

composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...