vBulletin Flaws Let Hackers Seize Forums via API, RCE
Two critical vulnerabilities in the vBulletin forum software are under active exploitation, security researchers warned. Tracked as CVE-2025-48827 and CVE-2025-48828, the flaws affect vBulletin versions 5.0.0 to 5.7.5 and 6.0.0 to 6.0.3 when running on PHP 8.1 or newer.
CVE-2025-48827, which carries the maximum CVSS score of 10, allows unauthenticated users to invoke protected API methods. CVE-2025-48828, with a CVSS score of 9, enables attackers to execute arbitrary PHP code through template conditionals. Both issues were discovered on May 23 and have been exploited in the wild since at least May 26.
Attackers are leveraging the flaws via the vulnerable “replaceAdTemplate” API endpoint, according to honeypot data. A proof-of-concept exploit has been publicly released, raising concerns about broader adoption by threat actors. Researchers advised developers to audit dynamic method routing in their codebases, particularly in platforms using Reflection with insufficient access controls.
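To illustrate the audit advice above, here is an added toy example (written for this page, not vBulletin's own code) of a dynamic API router in its weak form beside a hardened form; `ApiController`, `route_weak`, `route_hardened` and the allowlist contents are assumed names and values.

```php
<?php
// Added example, not vBulletin code: a request-driven method router that
// resolves the method name from user input and invokes it via Reflection.

class ApiController
{
    // Public method intended to be reachable through the API.
    public function getTime(): string { return date('c'); }

    // Protected helper that must never be callable from the request layer.
    protected function setTemplate(string $name): string { return "template set: $name"; }
}

// Weak pattern: the method name comes straight from the request and is
// invoked through reflection. Since PHP 8.1, ReflectionMethod::invoke()
// can call protected/private methods without setAccessible(), so the
// visibility keyword alone no longer acts as an access control.
function route_weak(object $controller, string $method, array $args): mixed
{
    $ref = new ReflectionMethod($controller, $method);
    return $ref->invokeArgs($controller, $args);
}

// Hardened pattern: an explicit allowlist plus a reflection visibility check,
// so non-public and magic methods are rejected before anything is invoked.
function route_hardened(object $controller, string $method, array $args): mixed
{
    static $allowed = ['getTime' => true]; // per-controller allowlist (assumed)
    if (!isset($allowed[$method])) {
        throw new RuntimeException("method not exposed: $method");
    }
    $ref = new ReflectionMethod($controller, $method);
    if (!$ref->isPublic() || $ref->isStatic() || str_starts_with($method, '__')) {
        throw new RuntimeException("method not callable: $method");
    }
    return $ref->invokeArgs($controller, $args);
}

$c = new ApiController();
echo route_hardened($c, 'getTime', []), PHP_EOL;     // public, allowlisted: runs
try {
    // On PHP < 8.1 this throws; on PHP >= 8.1 the protected method runs.
    echo route_weak($c, 'setTemplate', ['x']), PHP_EOL;
} catch (ReflectionException $e) {
    echo 'weak router blocked by PHP version: ', $e->getMessage(), PHP_EOL;
}
try {
    route_hardened($c, 'setTemplate', ['x']);        // rejected on every PHP version
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The visibility check alone is not sufficient on its own: the allowlist is what ties the exposed surface to an explicit decision rather than to whatever happens to be declared public.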
