Hackers are exploiting critical flaw in vBulletin forum software
Published on: 2025-06-12 12:26:06
Two critical vulnerabilities affecting the open-source forum software vBulletin have been discovered, with one confirmed to be actively exploited in the wild.
The flaws, tracked under CVE-2025-48827 and CVE-2025-48828 and rated critical (CVSS v3 scores of 10.0 and 9.0 respectively), are an API method invocation flaw and a remote code execution (RCE) flaw via template engine abuse.
They impact vBulletin versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 when the platform runs on PHP 8.1 or later.
The vulnerabilities were likely patched quietly last year with the release of Patch Level 1 for all versions of the 6.* release branch, and version 5.7.5 Patch Level 3, but many sites remained exposed due to not upgrading.
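The affected ranges and fix levels above are the only facts a defender needs to triage an inventory of forum installs, so here is an added example (not code from the article or from vBulletin) that encodes exactly those ranges: 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3, exposed only when PHP is 8.1 or later, fixed at 5.7.5 Patch Level 3 and at Patch Level 1 for any 6.* release. The version-string format ("5.7.5 Patch Level 3" or "5.7.5 PL3"), the treatment of a missing patch level as 0, and the host inventory are assumptions constructed for the example; 5.x releases older than 5.7.5 have no patched level named in the article, so they are reported as exposed.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Affected ranges as stated in the article (inclusive), and the patch levels
# the article names as fixed. Versions outside these ranges are not assessed.
AFFECTED_RANGES: Tuple[Tuple[Version, Version], ...] = (
    ((5, 0, 0), (5, 7, 5)),
    ((6, 0, 0), (6, 0, 3)),
)
FIXED_PATCH_LEVEL_5_7_5 = 3   # "version 5.7.5 Patch Level 3"
FIXED_PATCH_LEVEL_6_X = 1     # "Patch Level 1 for all versions of the 6.* branch"
MIN_PHP = (8, 1)              # exposed only on PHP 8.1 or later

# Assumed display format: "6.0.3", "5.7.5 Patch Level 3" or "5.7.5 PL3".
_VB_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)(?:\s*(?:Patch Level|PL)\s*(\d+))?\s*$", re.IGNORECASE)


def parse_vbulletin_version(text: str) -> Tuple[Version, int]:
    """Return ((major, minor, patch), patch_level); a missing patch level is 0."""
    m = _VB_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised vBulletin version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    version: Version = (parts + (0, 0, 0))[:3]  # pad e.g. "6.0" to (6, 0, 0)
    patch_level = int(m.group(2)) if m.group(2) else 0
    return version, patch_level


def parse_php_version(text: str) -> Tuple[int, int]:
    """Return (major, minor) of a PHP version string such as "8.1.2"."""
    parts = tuple(int(p) for p in text.strip().split(".")[:2])
    return (parts + (0, 0))[:2]


def assess(vb_text: str, php_text: str) -> str:
    """Classify one install as outside_affected_range, php_not_affected, patched or exposed."""
    version, patch_level = parse_vbulletin_version(vb_text)
    if not any(lo <= version <= hi for lo, hi in AFFECTED_RANGES):
        return "outside_affected_range"
    if parse_php_version(php_text) < MIN_PHP:
        return "php_not_affected"
    if version[0] == 6:
        required = FIXED_PATCH_LEVEL_6_X
    elif version == (5, 7, 5):
        required = FIXED_PATCH_LEVEL_5_7_5
    else:
        # Older 5.x: no patched level is named, so the fix is to move to 5.7.5 PL3.
        required = None
    if required is not None and patch_level >= required:
        return "patched"
    return "exposed"


# Constructed sample inventory; hostnames and versions are made up for the example.
INVENTORY: List[Dict[str, str]] = [
    {"host": "forum-a.example", "vbulletin": "5.7.5 Patch Level 3", "php": "8.2.7"},
    {"host": "forum-b.example", "vbulletin": "6.0.3", "php": "8.1.2"},
    {"host": "forum-c.example", "vbulletin": "5.7.5 PL1", "php": "7.4.33"},
    {"host": "forum-d.example", "vbulletin": "6.0.2 Patch Level 1", "php": "8.3.0"},
    {"host": "forum-e.example", "vbulletin": "5.6.9", "php": "8.1.0"},
]


def triage(inventory: List[Dict[str, str]]) -> Dict[str, str]:
    """Map each host to its assessment so exposed installs can be prioritised."""
    return {row["host"]: assess(row["vbulletin"], row["php"]) for row in inventory}


if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:20} {status}")
```

The ordering matters: an install on PHP older than 8.1 is reported as not affected even though its vBulletin version is in range, which matches the article's precondition; if that host is later moved to PHP 8.1 or newer it becomes exposed, so the PHP version is part of the asset record, not a one-off check.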
Public PoC and active exploitation
The two issues were discovered on May 23, 2025, by security researcher Egidio Romano (EgiX), who explained how to exploit them in a detailed technical post on his blog.
The researcher showed that the flaw lies in vBulletin's misuse of PHP's