- Security researchers find two flaws in vBulletin
- Both are critical in severity and can be chained for RCE
- One of the flaws is actively exploited
Experts have confirmed that a critical security vulnerability found in the popular vBulletin forum software is being exploited in the wild.
Cybersecurity researcher Ryan Dewhurst, who says he has seen exploitation attempts in the wild, notes that the vulnerability can in theory be used to grant attackers remote code execution (RCE).
Dewhurst says the bug, tracked as CVE-2025-48827, is described as an API method invocation flaw, with a severity score of 10/10 (critical). It affects vBulletin versions 5.0.0 to 5.7.5 and 6.0.0 to 6.0.3 running on PHP 8.1 and later.
Doxxing Stern
Dewhurst said he first saw exploitation attempts in his honeypot on May 26. The attacks originated from Poland, he added, noting that exploits had been available for a few days by that point.
It is also worth mentioning that the bug was first spotted by security researcher Egidio Romano (Egix), who also observed a “template conditional in the template engine” vulnerability, tracked as CVE-2025-48828.
This one has a severity score of 9.0/10 (critical) and also gives attackers remote code execution (RCE). The two can supposedly be chained, but so far researchers have not seen the chain used in the wild.
According to BleepingComputer, the bug was likely patched silently when Patch Level 1 (for all 6.x versions) and Patch Level 3 (for version 5.7.5) were released. The publication states that many sites remain at risk, since not all administrators are diligent about patching.
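Because the fix shipped as a patch level rather than a new version number, a plain version check will misjudge a lot of installs. The script below is an added example (not code from the article, from vBulletin or from BleepingComputer) that turns the version information quoted above into a triage check for an inventory of forums. It assumes that a patch level at or above the one named counts as fixed, that 5.x releases below 5.7.5 have no fix listed and therefore stay exposed until upgraded, and that the `assess`/`triage` helpers and the sample hostnames are constructed for illustration.

```python
# Added example, not code from the article or from vBulletin itself.
# It turns the version information quoted in the article (affected
# 5.0.0-5.7.5 and 6.0.0-6.0.3 on PHP 8.1+; fixed by Patch Level 1 for
# 6.x and Patch Level 3 for 5.7.5) into a triage check for an inventory.
# Assumption: a patch level at or above the one named counts as fixed,
# and 5.x releases below 5.7.5 have no fix listed, so they stay exposed.

AFFECTED_RANGES = (((5, 0, 0), (5, 7, 5)), ((6, 0, 0), (6, 0, 3)))
PHP_MIN_IN_SCOPE = (8, 1)


def parse_version(text):
    """'6.0.3' -> (6, 0, 3); missing components are padded with 0."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def fixed_patch_level(vb):
    """Lowest patch level the article says closes the bug, or None."""
    if vb[0] == 6:
        return 1
    if vb == (5, 7, 5):
        return 3
    return None  # no patch level listed for 5.0.0-5.7.4


def assess(vb_version, patch_level, php_version):
    """Return (status, reason) for one install.

    status is one of 'not_affected', 'not_in_scope', 'patched', 'exposed'.
    """
    vb = parse_version(vb_version)
    php = parse_version(php_version)
    if not any(lo <= vb <= hi for lo, hi in AFFECTED_RANGES):
        return ("not_affected", "version outside the affected ranges")
    if php < PHP_MIN_IN_SCOPE:
        return ("not_in_scope", "PHP below 8.1, outside the described scope")
    needed = fixed_patch_level(vb)
    if needed is None:
        return ("exposed", "no patch level listed for this release; "
                           "upgrade to 5.7.5 PL3 or 6.x PL1")
    if patch_level >= needed:
        return ("patched", f"patch level {patch_level} >= {needed}")
    return ("exposed", f"needs Patch Level {needed}, has {patch_level}")


def triage(inventory):
    """inventory: iterable of (host, vb_version, patch_level, php_version)."""
    return {host: assess(v, pl, php)[0] for host, v, pl, php in inventory}


# Constructed sample inventory; hostnames are placeholders.
SAMPLE_INVENTORY = [
    ("forum-a.example", "6.0.3", 0, "8.2.12"),  # unpatched 6.x
    ("forum-b.example", "6.0.3", 1, "8.2.12"),  # has Patch Level 1
    ("forum-c.example", "5.7.5", 2, "8.1.27"),  # one patch level short
    ("forum-d.example", "5.6.9", 4, "8.1.27"),  # old 5.x, no fix listed
    ("forum-e.example", "6.0.2", 0, "8.0.30"),  # PHP below 8.1
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Anything reported as `exposed` is a candidate for the Patch Level upgrade named above; `not_in_scope` installs still run affected code and should not be treated as safe indefinitely, only as outside the exploitation condition the article describes.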
vBulletin, BleepingComputer further notes, is one of the most widely used commercial PHP/MySQL-based forum platforms, powering thousands of online communities worldwide.
It owes its popularity, among other things, to its modular design, which makes it flexible but also complex. That complexity also leaves it more exposed to threats.