CVE-2025-48827

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-48827
vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later, as demonstrated by the /api.php?method=protectedMethod pattern, as exploited in the wild in May 2025.

9.8 /10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://blog.kevintel.com/vbulletin-replaceadtemplate-kev/ Broken Link
https://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce Exploit Third Party Advisory
https://kevintel.com/CVE-2025-48827 Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:vbulletin:vbulletin:*:*:*:*:*:*:*:*
cpe:2.3:a:vbulletin:vbulletin:*:*:*:*:*:*:*:*
History

25 Jun 2025, 16:46

Type Values Removed Values Added
References () https://kevintel.com/CVE-2025-48827 - () https://kevintel.com/CVE-2025-48827 - Third Party Advisory
References () https://blog.kevintel.com/vbulletin-replaceadtemplate-kev/ - () https://blog.kevintel.com/vbulletin-replaceadtemplate-kev/ - Broken Link
References () https://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce - () https://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce - Exploit, Third Party Advisory
CPE cpe:2.3:a:vbulletin:vbulletin:*:*:*:*:*:*:*:*
First Time Vbulletin
Vbulletin vbulletin
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 9.8

27 May 2025, 18:15

Type Values Removed Values Added
References
  • () https://blog.kevintel.com/vbulletin-replaceadtemplate-kev/ -

27 May 2025, 13:15

Type Values Removed Values Added
CWE CWE-424
Summary vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later, as demonstrated by the /api.php?method=protectedMethod pattern. vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later, as demonstrated by the /api.php?method=protectedMethod pattern, as exploited in the wild in May 2025.
References
  • () https://kevintel.com/CVE-2025-48827 -

27 May 2025, 04:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-05-27 04:15

Updated : 2025-06-25 16:46

NVD link : CVE-2025-48827

Mitre link : CVE-2025-48827

JSON object : View

Products Affected

vbulletin

  • vbulletin
CWE

No CWE.