Security researchers at Karma(In)Security discovered two unauthenticated remote code execution vulnerabilities in vBulletin, a popular commercial forum solution. Tracked as CVE-2025-48828, the vulnerability may, on successful exploitation, allow a remote, unauthenticated attacker to execute arbitrary code, leading to critical data loss and complete system compromise.
vBulletin is an Internet forum software package that creates and manages online discussion forums. It’s popular for building and hosting online communities, allowing users to engage in structured and searchable discussions. vBulletin is designed for medium to large sites and offers features like private messaging, reporting, and SEO management.
A quick Fofa search revealed more than 26,000 publicly exposed vBulletin instances at the time of writing.
The vulnerability
The flaw arises from the misuse of PHP’s Reflection API within vBulletin’s API controller logic. Since PHP 8.1, ReflectionMethod::invoke() can call protected and private methods without a prior setAccessible() call, so a dispatcher that resolves request-supplied method names through reflection no longer has PHP’s visibility rules enforced for it.
The vulnerability exists in the AJAX API handler and template rendering system. Attackers can exploit the flaw by directly invoking internal protected methods that were never intended for external access. One such method, vB_Api_Ad::replaceAdTemplate(), creates or modifies advertisement templates and can act as an RCE vector: by injecting malicious code into these templates, an attacker can achieve remote code execution.
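The following PHP snippet is an added illustration written for this post; it is not vBulletin’s code and uses hypothetical class and method names (HypotheticalApiController, internalAdminAction, dispatchVulnerable, dispatchHardened). It shows why the PHP 8.1 reflection behaviour matters for a dispatcher that maps request-supplied method names onto controller methods, and the visibility check that closes the gap. On PHP versions before 8.1 the vulnerable dispatcher throws a ReflectionException instead of running the protected helper.

```php
<?php
// Added illustration (not vBulletin's code): a reflection-based API dispatcher
// that exposes non-public methods, beside a hardened version that rejects them.
// All class and method names are hypothetical stand-ins, not vBulletin identifiers.

declare(strict_types=1);

class HypotheticalApiController
{
    // Intended entry point: safe for external callers.
    public function getPublicInfo(): string
    {
        return 'public data';
    }

    // Internal helper: never meant to be reachable from a request.
    protected function internalAdminAction(string $arg): string
    {
        return "internal action ran with: $arg";
    }
}

// Vulnerable pattern: the method name comes from the request and is invoked
// through reflection without checking its visibility. Since PHP 8.1,
// ReflectionMethod::invokeArgs() calls protected and private methods even
// without setAccessible(true), so the "protected" keyword no longer protects.
function dispatchVulnerable(object $controller, string $method, array $args): string
{
    $ref = new ReflectionMethod($controller, $method);
    return (string) $ref->invokeArgs($controller, $args);
}

// Hardened pattern: only public, non-static, non-constructor methods on the
// controller are dispatchable. Visibility is checked explicitly rather than
// relying on the runtime to enforce it for reflective calls.
function dispatchHardened(object $controller, string $method, array $args): string
{
    if (!method_exists($controller, $method)) {
        throw new InvalidArgumentException("Unknown API method: $method");
    }
    $ref = new ReflectionMethod($controller, $method);
    if (!$ref->isPublic() || $ref->isStatic() || $ref->isConstructor()) {
        throw new InvalidArgumentException("Method not exposed to the API: $method");
    }
    return (string) $ref->invokeArgs($controller, $args);
}

$controller = new HypotheticalApiController();

// Both dispatchers serve the public method.
echo dispatchHardened($controller, 'getPublicInfo', []), PHP_EOL;

// On PHP >= 8.1 the vulnerable dispatcher runs the protected helper.
echo dispatchVulnerable($controller, 'internalAdminAction', ['request-controlled']), PHP_EOL;

// The hardened dispatcher refuses it before any reflective call is made.
try {
    dispatchHardened($controller, 'internalAdminAction', ['request-controlled']);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

The visibility check is the minimum fix; an explicit allow-list of dispatchable method names per controller is stronger still, because it does not depend on every internal helper having been declared protected or private in the first place. For detection, API requests whose method parameter names a method that is not public on the target controller are a useful signal to log and alert on.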
The Qualys Threat Research Unit confirmed the vulnerability by successfully testing the proof of concept in the lab environment.
Image Source: Qualys Threat Research Unit (TRU)
Affected Versions
The vulnerabilities affect vBulletin versions 5.0.0 through 6.0.3.
Mitigation
As per the Karma(In)Security blog, the patches that most likely address the vulnerability are as follows:
- vBulletin 6.0.3 Patch Level 1
- vBulletin 6.0.2 Patch Level 1
- vBulletin 6.0.1 Patch Level 1
- vBulletin 5.7.5 Patch Level 3
Qualys Detection
Qualys customers can scan their devices with QID 732555 to detect vulnerable assets.
Please follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://blog.kevintel.com/vbulletin-replaceadtemplate-kev/
https://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce