vBulletin Bugged Again: Critical Exploits Hit Popular Forum Software, Active Attacks Confirmed
<p data-start="457" data-end="817">Two critical vulnerabilities in vBulletin, one of the most widely used online forum platforms, are being actively exploited, raising alarms across the cybersecurity world. The bugs, now tracked as CVE-2025-48827 and CVE-2025-48828, hit hard — with one scoring a perfect 10 on the CVSS scale. The exploit is already out there, and attackers are wasting no time.</p>
<p data-start="819" data-end="1102">Discovered by researcher Egidio Romano, aka EgiX, the flaws can give remote attackers full access to vulnerable servers — no login required. The twist? It only affects setups running PHP 8.1 or newer, and many admins didn’t get the memo when silent patches were rolled out last year.</p>
<h2 data-start="1104" data-end="1149">Bugs with Bite: What the Flaws Actually Do</h2>
<p data-start="1151" data-end="1277">These aren’t just minor hiccups or theoretical issues. They&#8217;re real, dangerous, and being used right now. Let’s break it down.</p>
<p data-start="1279" data-end="1513">CVE-2025-48827 abuses a quirk introduced in PHP 8.1 — a change in how the Reflection API handles method visibility. In simpler terms? Protected methods that were supposed to stay off-limits can now be invoked from outside.</p>
<p data-start="1515" data-end="1707">The second flaw, CVE-2025-48828, targets vBulletin’s template engine. By injecting malicious snippets into the <code data-start="1626" data-end="1645">replaceAdTemplate</code> function, attackers can sneak past internal security filters.</p>
<p data-start="1709" data-end="1856">Both bugs can be chained together. The result? Remote code execution. That&#8217;s bad. Think: shell access. System commands. Your forum, fully hijacked.</p>
<p data-start="1884" data-end="2161">Security researcher Ryan Dewhurst, best known for his work on attack detection tools, confirmed that threat actors have already started poking at vulnerable endpoints. His honeypot logs picked up strange traffic — all aimed at the telltale <code data-start="2124" data-end="2155">ajax/api/ad/replaceAdTemplate</code> path.</p>
<p data-start="1884" data-end="2161"><a href="https://www.theibulletin.com/wp-content/uploads/2025/05/vbulletin-forum-security-vulnerability-screenshot.jpg"><img class="aligncenter size-full wp-image-57562" src="https://www.theibulletin.com/wp-content/uploads/2025/05/vbulletin-forum-security-vulnerability-screenshot.jpg" alt="vbulletin forum security vulnerability screenshot" width="1326" height="761" /></a></p>
<h2 data-start="2163" data-end="2207">Who&#8217;s Affected and Why This Is a Big Deal</h2>
<p data-start="2209" data-end="2412">vBulletin powers thousands of forums, from small hobby communities to massive online brands. If your setup includes versions 5.0.0 to 5.7.5 or 6.0.0 to 6.0.3 and runs on PHP 8.1 or above, you’re at risk.</p>
<p data-start="2414" data-end="2705">Now here’s the kicker — the flaws may have been patched quietly last year. Not exactly front-page news at the time. The company released updates for vBulletin 6.x (Patch Level 1) and 5.7.5 Patch Level 3. But guess what? Tons of forum admins didn’t upgrade. Some didn’t even know they had to.</p>
<p data-start="2737" data-end="2930">Another problem? The proof-of-concept is public. Romano explained it all in a blog post on May 23. Detailed, step-by-step. And just a day later, Nuclei templates to scan for the flaw went live.</p>
<p data-start="2932" data-end="2978">It didn’t take long for attackers to catch on.</p>
<h2 data-start="2980" data-end="3016">Attackers Already Sniffing Around</h2>
<p data-start="3018" data-end="3203">Dewhurst&#8217;s honeypots were the canaries in the coal mine. He started seeing requests from a source traced back to Poland. The goal? Upload PHP backdoors. Execute commands. Gain a foothold.</p>
<p data-start="3205" data-end="3227">Here’s what stood out:</p>
<ul data-start="3229" data-end="3409">
<li data-start="3229" data-end="3296">
<p data-start="3231" data-end="3296">The attacker used Romano’s original exploit almost line-for-line.</p>
</li>
<li data-start="3297" data-end="3350">
<p data-start="3299" data-end="3350">They targeted servers specifically running PHP 8.1.</p>
</li>
<li data-start="3351" data-end="3409">
<p data-start="3353" data-end="3409">The <code data-start="3357" data-end="3376">replaceAdTemplate</code> function was a consistent focus.</p>
</li>
</ul>
<p data-start="3411" data-end="3575">So far, there&#8217;s no confirmation that anyone&#8217;s managed to fully chain the bugs to get RCE in the wild. But let’s be real — it’s probably already happening somewhere.</p>
<p data-start="3577" data-end="3606">Not all scans are just scans.</p>
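<p>Because the observed probes all converge on the <code>ajax/api/ad/replaceAdTemplate</code> path, a site's own access logs are the first place to check. The following is an added example, not code from the article or the researchers: it scans Combined Log Format lines for requests to that endpoint after normalising percent-encoding, case and duplicate slashes. The function names and the sample log lines are constructed for illustration.</p>

```python
import re
from collections import Counter
from urllib.parse import unquote

# Endpoint the article names as the focus of the probes (lower-cased for matching).
ENDPOINT = "ajax/api/ad/replaceadtemplate"

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [26/May/2025:10:01:02 +0000] "POST /ajax/api/ad/replaceAdTemplate HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [26/May/2025:10:01:09 +0000] "POST /ajax/api/ad/replaceAdTemplate HTTP/1.1" 403 0 "-" "-"',
    '198.51.100.23 - - [26/May/2025:11:30:00 +0000] "POST //ajax/api/ad/replace%41dTemplate HTTP/1.1" 404 0 "-" "-"',
    '192.0.2.10 - - [26/May/2025:11:31:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "-"',
]

def normalise(target: str) -> str:
    """Percent-decode (up to 3 passes for double encoding), unify slashes, lower-case."""
    for _ in range(3):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return re.sub(r"/{2,}", "/", target.replace("\\", "/")).lower()

def find_probes(lines):
    """Return one record per log line whose request target contains the endpoint."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and ENDPOINT in normalise(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "method": m["method"], "status": int(m["status"])})
    return hits

def summarise(hits):
    """Count hits per source; list sources that got a 2xx (the endpoint answered)."""
    per_ip = Counter(h["ip"] for h in hits)
    answered = sorted({h["ip"] for h in hits if 200 <= h["status"] < 300})
    return per_ip, answered

if __name__ == "__main__":
    per_ip, answered = summarise(find_probes(SAMPLE_LOG))
    print(dict(per_ip), "answered with 2xx:", answered)
```

<p>A 2xx status only shows that the endpoint answered the request; whether the install was exposed still depends on its vBulletin patch level and PHP version.</p>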
<h2 data-start="3608" data-end="3647">A History of vBulletin Security Woes</h2>
<p data-start="3649" data-end="3791">This isn’t vBulletin’s first rodeo with serious security problems. The platform’s flexibility, while a strength, also makes it a juicy target.</p>
<p data-start="3793" data-end="3962">From 2019’s catastrophic zero-day RCE (remember that?) to multiple patch races in 2020 and 2021, the software has been a magnet for exploit hunters and black hats alike.</p>
<p data-start="3964" data-end="4213">vBulletin&#8217;s architecture — a complex mix of PHP, MySQL, AJAX endpoints, and custom templates — means that vulnerabilities can crop up in unexpected places. That modularity, while powerful, comes with a trade-off: it’s harder to lock everything down.</p>
<p data-start="4251" data-end="4381">Add to that the fact that many installations are self-hosted and poorly maintained, and you&#8217;ve got a recipe for mass exploitation.</p>
<h2 data-start="4383" data-end="4416">What Site Owners Should Do Now</h2>
<p data-start="4418" data-end="4539">If you&#8217;re running a vBulletin-powered site, the message is simple: check your version, and patch ASAP. Not tomorrow. Now.</p>
<p data-start="4541" data-end="4578">Here’s what you need to look out for:</p>
<div class="_tableContainer_16hzy_1">
<div class="_tableWrapper_16hzy_14 group flex w-fit flex-col-reverse" tabindex="-1">
<table class="w-fit min-w-(--thread-content-width)" data-start="4580" data-end="4927">
<thead data-start="4580" data-end="4648">
<tr data-start="4580" data-end="4648">
<th data-start="4580" data-end="4606" data-col-size="sm">Version Range</th>
<th data-start="4606" data-end="4618" data-col-size="sm">Affected?</th>
<th data-start="4618" data-end="4648" data-col-size="sm">Safe Patch Level</th>
</tr>
</thead>
<tbody data-start="4718" data-end="4927">
<tr data-start="4718" data-end="4787">
<td data-start="4718" data-end="4744" data-col-size="sm">5.0.0 &#8211; 5.7.5</td>
<td data-start="4744" data-end="4756" data-col-size="sm">Yes</td>
<td data-start="4756" data-end="4787" data-col-size="sm">5.7.5 Patch Level 3</td>
</tr>
<tr data-start="4788" data-end="4857">
<td data-start="4788" data-end="4814" data-col-size="sm">6.0.0 &#8211; 6.0.3</td>
<td data-start="4814" data-end="4826" data-col-size="sm">Yes</td>
<td data-start="4826" data-end="4857" data-col-size="sm">6.x Patch Level 1</td>
</tr>
<tr data-start="4858" data-end="4927">
<td data-start="4858" data-end="4884" data-col-size="sm">6.1.1 and above</td>
<td data-start="4884" data-end="4896" data-col-size="sm">No</td>
<td data-start="4896" data-end="4927" data-col-size="sm">Already safe</td>
</tr>
</tbody>
</table>
</div>
</div>
<p data-start="4955" data-end="5078">If you&#8217;re not sure which version you&#8217;re running — that&#8217;s a red flag in itself. Get someone to check. These bugs don&#8217;t wait.</p>
<p data-start="5080" data-end="5199">Remember, no login is required to trigger the exploit. Just a URL. Just one line of template code. That’s all it takes.</p>
