CVE-2025-48827
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Description
vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later, as demonstrated by the /api.php?method=protectedMethod pattern, as exploited in the wild in May 2025.
Analysis
vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 expose protected API controller methods to unauthenticated callers when the forum runs on PHP 8.1 or later: a request of the form /api.php?method=protectedMethod reaches a method the controller declares protected and never intended as an API entry point. Exploitation was observed in the wild in May 2025. The template-conditional code execution often described together with this CVE is a separate flaw in the template engine (tracked as CVE-2025-48828) that attackers chained with the access-control break; this entry covers the protected-method exposure, and the template issue appears below only as the chained step.
Technical Context
The PHP version dependency comes from a change in PHP 8.1: ReflectionMethod::setAccessible() became a no-op and reflection can invoke protected and private methods unconditionally, whereas earlier versions threw a ReflectionException unless setAccessible(true) had been called first. vBulletin's API front controller resolves the method parameter through reflection and relied on that exception as its visibility check, so the same application code is safe on PHP 8.0 and exposed on PHP 8.1 with no change other than the interpreter upgrade. Public methods are reachable on any version; the bug is that protected ones become reachable too.

In the wild this was chained with the template engine flaw (CVE-2025-48828). Template conditional expressions are evaluated server-side and a filter blocks direct function calls, but PHP's alternative call syntax, a quoted function name followed by an argument list ("function_name"("argument")), passes the filter. A protected method that accepts template text therefore gives an unauthenticated caller a path to store such a conditional and execute arbitrary PHP functions, including system(), file_get_contents() and eval().
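The following is an added example for this advisory, not vBulletin code and not from vuln.today. It models a hypothetical API controller (AdController, with a made-up protected replaceTemplate method) and two dispatchers that map ?method=<name> onto a method by reflection: one that relies on invokeArgs() failing for non-public methods, and one that checks visibility explicitly. Run it under PHP 8.0 and under PHP 8.1 or later to see the first dispatcher change behaviour with no code change.

```php
<?php
// Added example for this advisory, not vBulletin code. AdController and
// replaceTemplate are hypothetical names chosen for illustration.

final class AdController
{
    public function fetch(int $id): string
    {
        return "ad $id";
    }

    // Internal helper: takes raw template text and is never meant to be
    // callable from api.php. Its visibility is its only protection.
    protected function replaceTemplate(string $template): string
    {
        return "stored template: $template";
    }
}

// Vulnerable pattern: relies on ReflectionMethod::invokeArgs() throwing for
// non-public methods. That holds up to PHP 8.0; from PHP 8.1 reflection can
// invoke protected and private methods, so this dispatcher exposes them.
function dispatchVulnerable(object $ctrl, string $method, array $args): string
{
    $m = new ReflectionMethod($ctrl, $method);
    return (string) $m->invokeArgs($ctrl, $args);
}

// Hardened pattern: make the visibility decision explicitly, so the outcome
// does not depend on the PHP version the forum happens to run on.
function dispatchHardened(object $ctrl, string $method, array $args): string
{
    if (!method_exists($ctrl, $method)) {
        throw new InvalidArgumentException("unknown method: $method");
    }
    $m = new ReflectionMethod($ctrl, $method);
    if (!$m->isPublic() || $m->isStatic() || str_starts_with($method, '__')) {
        throw new RuntimeException("method not exposed: $method");
    }
    return (string) $m->invokeArgs($ctrl, $args);
}

// Constructed requests mimicking the /api.php?method=... pattern.
$ctrl  = new AdController();
$calls = [
    ['fetch', [42]],
    ['replaceTemplate', ['<vb:if condition="\'system\'(\'id\')">x</vb:if>']],
];

printf("PHP %s\n", PHP_VERSION);
foreach (['dispatchVulnerable', 'dispatchHardened'] as $dispatch) {
    foreach ($calls as [$method, $args]) {
        try {
            printf("%-18s %-16s -> %s\n", $dispatch, $method, $dispatch($ctrl, $method, $args));
        } catch (Throwable $e) {
            printf("%-18s %-16s -> rejected (%s)\n", $dispatch, $method, get_class($e));
        }
    }
}
```

On PHP 8.0 both dispatchers reject replaceTemplate (the vulnerable one with a ReflectionException); on PHP 8.1 or later dispatchVulnerable returns the stored template while dispatchHardened still rejects it with a RuntimeException. The hardened check also refuses static and magic methods, which a name-based dispatcher should never expose either.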
Affected Products
vBulletin 5.0.0 through 5.7.5
vBulletin 6.0.0 through 6.0.3
Remediation
Update to vBulletin 5.7.6 or 6.0.4 immediately. Treat any affected version running on PHP 8.1 or later as exposed to unauthenticated callers; instances on PHP 8.0 or earlier are not reachable through this path but still need the update. Review template customizations and any user-controlled template fields for conditional expressions that call functions through the quoted-name syntax. Hunt in web-server access logs for requests to /api.php carrying a method parameter, particularly from clients that never authenticated, and check PHP error logs for failures raised during template evaluation, which can indicate attempts that did not land.
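The following is an added example for this advisory, not vendor or vuln.today code, covering the two log and template checks above. It runs over constructed sample data: access-log lines in common log format and template strings in vBulletin-style conditional markup. The method name protectedMethod is the placeholder used in the CVE description; the sample IP addresses, timestamps and template text are invented.

```php
<?php
// Added example for this advisory, not vendor code. Sample log lines and
// templates below are constructed for illustration.

/** Return access-log entries whose request line targets /api.php with a method parameter. */
function findApiMethodRequests(array $logLines): array
{
    $hits = [];
    foreach ($logLines as $line) {
        // Common/combined log format: "<VERB> <target> HTTP/<ver>" inside quotes.
        if (!preg_match('/"(?:GET|POST)\s+(\S+)\s+HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        $url = parse_url($m[1]);
        if (($url['path'] ?? '') !== '/api.php') {
            continue;
        }
        parse_str($url['query'] ?? '', $params);
        if (isset($params['method'])) {
            $hits[] = ['method' => $params['method'], 'line' => $line];
        }
    }
    return $hits;
}

/** Return [template name => function names] for conditionals using the "name"(...) call syntax. */
function findQuotedFunctionCalls(array $templates): array
{
    $findings = [];
    // A quoted identifier immediately followed by an argument list, e.g. "system"('id').
    $pattern = '/(["\'])([A-Za-z_][A-Za-z0-9_]*)\1\s*\(/';
    foreach ($templates as $name => $text) {
        if (preg_match_all($pattern, $text, $m)) {
            $findings[$name] = array_values(array_unique($m[2]));
        }
    }
    return $findings;
}

// Constructed sample data.
$logLines = [
    '203.0.113.5 - - [23/May/2025:10:12:01 +0000] "POST /api.php?method=protectedMethod HTTP/1.1" 200 512',
    '203.0.113.5 - - [23/May/2025:10:12:02 +0000] "GET /forum/index.php HTTP/1.1" 200 9140',
    '198.51.100.7 - - [23/May/2025:10:13:40 +0000] "GET /api.php?method=fetch&id=42 HTTP/1.1" 200 301',
];
$templates = [
    'benign'     => '<vb:if condition="$show[\'member\']">Hello {vb:raw user.username}</vb:if>',
    'suspicious' => '<vb:if condition="\'system\'(\'id\') OR "eval"($x)">x</vb:if>',
];

foreach (findApiMethodRequests($logLines) as $hit) {
    echo "api.php method={$hit['method']}: {$hit['line']}\n";
}
foreach (findQuotedFunctionCalls($templates) as $name => $funcs) {
    echo "template '$name' calls via quoted name: " . implode(', ', $funcs) . "\n";
}
```

On the sample data the first function reports the two api.php requests (protectedMethod and fetch) and the second flags only the suspicious template, naming system and eval. Legitimate API clients also call /api.php, so an access-log hit is a lead rather than a verdict: triage by whether the requested method is one the controller exposes publicly and whether the session behind the request had authenticated, which the access log alone does not show. The template scan is deliberately broad; a quoted identifier followed by a parenthesis has no legitimate use in a conditional, so every hit is worth reading.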