Security flaw in vBulletin forum software exploited by hackers

Security researchers find two flaws in vBulletin
Both are critical in severity, and can be chained for RCE
One of the flaws is being actively exploited

A critical security vulnerability found in the popular forum software vBulletin is being abused in the wild, experts have claimed.

Cybersecurity researcher Ryan Dewhurst, who claims to have seen exploitation attempts in the wild, says the vulnerability can in theory be used to grant the attackers remote code execution (RCE) capabilities.

Dewhurst says the bug, tracked as CVE-2025-48827, is described as an API method invocation flaw, with a severity score of 10/10 (critical). It affects vBulletin versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3, running on PHP 8.1 and later.

Doxxing Stern

Dewhurst said that he first saw exploitation attempts in his honeypot on May 26. The attacks originated in Poland, he added, stressing that PoCs were available for a few days at this point.

It is also worth mentioning that the bug was first spotted by security researcher Egidio Romano (EgiX), who also observed a “Template Conditionals in the template engine” vulnerability, tracked as CVE-2025-48828.

This one has a severity score of 9.0/10 (critical), and grants the attackers remote code execution (RCE) capabilities. These two can allegedly be chained together, but so far, the researchers haven’t seen the chain in the wild.

According to BleepingComputer, the bug was probably patched quietly, when Patch Level 1 (for all versions of the 6) and Patch Level 3 (for version 5.7.5) were released. The publication claims that many sites remain at risk since not all admins are diligent when it comes to patching.

vBulletin, BleepingComputer further stresses, is one of the most widely used commercial PHP/MySQL-based forum platforms, powering thousands of online communities globally.

It owes its popularity, among other things, to its modular design, which makes it both flexible and complex. It also makes it somewhat more exposed to threats.

https://cdn.mos.cms.futurecdn.net/hLthDCESVrWF6FGm2tAUuB.jpg

Source link

Premium features, budget price: Amazon’s Mid-Year sale just dropped my favourite robot vacuum cleaner to its lowest price ever

Shokz OpenFit 2 review: Perfect for runners, not for the masses

Shokz OpenFit 2+ review: A marked improvement for an incremental price increase

Shell introduces DLC Fluid S3 as data centers turn to liquid cooling for efficiency and thermal performance gains

Ex-Israeli Intelligence Official: Shockwaves of Trump’s “Take Over Gaza” Heard, Felt Across Region

What UK political parties are promising in the 2019 general election

Otto Warmbier’s parents want North Korea to suffer for their son’s death

Could a ‘youthquake’ cause Boris Johnson to lose the general election?

Which Celebrity Styles Americans Copy Most in 2025: New Study

New ‘Westworld’ trailer introduces us to another dystopian tech company

What’s the point of ‘Charlie’s Angels’ without Sam Rockwell dancing?

These striking photos capture the future of human flight

El Salvador judge orders detention of prominent lawyer Ruth Lopez

Arrow Electronics at Bank of America Conference: Optimism Amid Recovery

Why giving your kid the silent treatment is ‘one of the worst types of punishment’

U.S. judge temporarily blocks deportation of family of Colorado attack suspect

The YouTuber who has become one of Gen Z’s most beloved celebrities

26 last-minute holiday gifts that are still thoughtful and unique

Practicing gratitude regularly can make you less stressed and sleep better

8 things millennials wish you would just stop getting them for the holidays

Security flaw in vBulletin forum software exploited by hackers

El Salvador judge orders detention of prominent lawyer Ruth Lopez

Arrow Electronics at Bank of America Conference: Optimism Amid Recovery

Why giving your kid the silent treatment is ‘one of the worst types of punishment’

U.S. judge temporarily blocks deportation of family of Colorado attack suspect

Leave a reply Cancel reply