CVE-2025-48828
CRITICALCVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
3Description
Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. By crafting template code in an alternative PHP function invocation syntax, such as the "var_dump"("test") syntax, attackers can bypass security checks and execute arbitrary PHP code, as exploited in the wild in May 2025.
Analysis
vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 running on PHP 8.1 or later allow unauthenticated access to protected API controllers. The /api.php endpoint fails to properly enforce method visibility on PHP 8.1+, enabling attackers to invoke internal API methods that should be restricted, as exploited in the wild in May 2025.
Technical Context
PHP 8.1 introduced changes to reflection and method visibility handling that affect how vBulletin's API routing validates accessible methods. Protected methods on API controllers that should be unreachable by external requests become invocable through the /api.php?method=protectedMethod pattern. This bypasses intended access controls and exposes internal API functionality to unauthenticated users.
Affected Products
['vBulletin 5.0.0 through 5.7.5 (on PHP 8.1+)', 'vBulletin 6.0.0 through 6.0.3 (on PHP 8.1+)']
Remediation
Update to vBulletin 5.7.6 or 6.0.4. If immediate patching is not possible, restrict access to /api.php at the web server level. Monitor API access logs for requests to protected methods. Consider temporarily downgrading to PHP 8.0 as a mitigation.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today