What is the CVSS score of CVE-2025-48828?

CVE-2025-48828 has a CVSS 3.1 base score of 9.0 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 73.7%.

Which versions of PHP are affected by CVE-2025-48828?

Organizations using vBulletin face critical risk from CVE-2025-48828 rated CVSS 9.0.

Is there a public PoC exploit available for CVE-2025-48828?

Yes, a public proof-of-concept exploit is available for CVE-2025-48828. Prioritise patching immediately. EPSS: 73.7%.

How to fix or mitigate CVE-2025-48828?

Within 24 hours: Identify all affected systems running vBulletin and apply vendor patches immediately. Monitor vendor channels for patch availability.

PHP CVE-2025-48828

CRITICAL

Improper Protection of Alternate Path (CWE-424)

2025-05-27 cve@mitre.org

PHP RCE Vbulletin

9.0

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:44 vuln.today

PoC Detected

Jun 25, 2025 - 16:32 vuln.today

Public exploit code

CVE Published

May 27, 2025 - 04:15 nvd

CRITICAL 9.0

DescriptionNVD

Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. By crafting template code in an alternative PHP function invocation syntax, such as the "var_dump"("test") syntax, attackers can bypass security checks and execute arbitrary PHP code, as exploited in the wild in May 2025.

AnalysisAI

vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 running on PHP 8.1 or later allow unauthenticated access to protected API controllers. The /api.php endpoint fails to properly enforce method visibility on PHP 8.1+, enabling attackers to invoke internal API methods that should be restricted, as exploited in the wild in May 2025.

Technical ContextAI

PHP 8.1 introduced changes to reflection and method visibility handling that affect how vBulletin's API routing validates accessible methods. Protected methods on API controllers that should be unreachable by external requests become invocable through the /api.php?method=protectedMethod pattern. This bypasses intended access controls and exposes internal API functionality to unauthenticated users.

RemediationAI

Update to vBulletin 5.7.6 or 6.0.4. If immediate patching is not possible, restrict access to /api.php at the web server level. Monitor API access logs for requests to protected methods. Consider temporarily downgrading to PHP 8.0 as a mitigation.

CVE-2025-48828 vulnerability details – vuln.today

Back

PHP CVE-2025-48828

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code