- Security researchers find two flaws in vBulletin
- Both are rated critical and can be chained for RCE
- One of the flaws is being actively exploited
A critical security vulnerability in the popular forum software vBulletin is being exploited in the wild, experts have warned.
Cybersecurity researcher Ryan Dewhurst, who says he has seen exploitation attempts in the wild, notes that the vulnerability can in theory be used to give attackers remote code execution (RCE) capabilities.
Dewhurst says the bug, tracked as CVE-2025-48827, is described as an API method invocation flaw with a severity score of 10/10 (critical). It affects vBulletin versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 when running on PHP 8.1 or later.
Doxxing Stern
Dewhurst said he first saw exploitation attempts in his honeypot on May 26. The attacks came from Poland, he added, noting that proof-of-concept (PoC) exploits had been available for a few days by then.
It is also worth noting that the bug was first discovered by security researcher Egidio Romano (EgiX), who also found a “template conditionals” vulnerability in the template engine, tracked as CVE-2025-48828.
That one carries a severity score of 9.0/10 (critical) and also gives attackers remote code execution (RCE) capabilities. The two can reportedly be chained together, but so far researchers have not seen the chain used in the wild.
According to BleepingComputer, the bug was probably patched quietly when Patch Level 1 (for all 6.x versions) and Patch Level 3 (for version 5.7.5) were released. The publication claims that many sites remain at risk because not all administrators are diligent about patching.
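As an added triage helper, not code from the article or from vBulletin itself: a check that applies the affected version ranges, the PHP 8.1 precondition and the reported fixing patch levels above. It assumes version strings of the form "6.0.3 Patch Level 1", which is not something the article specifies.

```python
import re
from typing import Tuple

# Ranges quoted in the article for CVE-2025-48827: 5.0.0-5.7.5 and 6.0.0-6.0.3 on PHP 8.1+.
AFFECTED_RANGES = (((5, 0, 0), (5, 7, 5)), ((6, 0, 0), (6, 0, 3)))
PHP_MIN = (8, 1)

# Assumed (not from the article): admins report versions as "X.Y.Z Patch Level N" or "X.Y.Z PLN".
_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)(?:\s*(?:patch\s*level|pl)\s*(\d+))?\s*$", re.I)


def parse_vb_version(text: str) -> Tuple[Tuple[int, ...], int]:
    """Split 'X.Y.Z [Patch Level N]' into (version tuple, patch level); no suffix means PL0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised vBulletin version string: {text!r}")
    version = tuple(int(p) for p in m.group(1).split("."))
    version = (version + (0, 0, 0))[:3]  # pad "6.0" -> (6, 0, 0)
    patch_level = int(m.group(2) or 0)
    return version, patch_level


def is_exposed(vb_version: str, php_version: str) -> Tuple[bool, str]:
    """Return (exposed, reason) using the affected ranges and patch levels reported above."""
    vb, pl = parse_vb_version(vb_version)
    php = tuple(int(p) for p in php_version.split("."))[:2]
    if php < PHP_MIN:
        return False, "PHP older than 8.1; the reported precondition is not met"
    if not any(lo <= vb <= hi for lo, hi in AFFECTED_RANGES):
        return False, "version outside the affected ranges"
    # Fixes reported: Patch Level 1 for every 6.x release, Patch Level 3 for 5.7.5.
    if vb[0] == 6 and pl >= 1:
        return False, "6.x with Patch Level 1 or later"
    if vb == (5, 7, 5) and pl >= 3:
        return False, "5.7.5 with Patch Level 3 or later"
    if vb[0] == 5 and vb < (5, 7, 5):
        return True, "5.x release before 5.7.5; upgrade to 5.7.5 Patch Level 3"
    return True, "affected release without the fixing patch level"


if __name__ == "__main__":
    for vb, php in [("6.0.3 Patch Level 1", "8.2"), ("6.0.3", "8.2"), ("5.7.5 PL2", "8.1"), ("5.6.0", "7.4")]:
        print(vb, "on PHP", php, "->", is_exposed(vb, php))
```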
vBulletin, BleepingComputer adds, is one of the most widely used commercial PHP/MySQL-based forum platforms, powering thousands of online communities worldwide.
It owes its popularity in part to its modular design, which makes it both flexible and complex. That also makes it somewhat more exposed to threats.