- Security researchers find two vBulletin flaws
- Both are critical in severity and can be chained for RCE
- One of the flaws is being actively exploited
A critical vulnerability in the popular vBulletin forum software is being abused in the wild, experts have warned.
Cybersecurity researcher Ryan Dewhurst, who says he has seen exploitation attempts in the wild, notes that the vulnerability can be used to give attackers remote code execution.
Dewhurst says the bug, tracked as CVE-2025-48827, is described as an API method invocation vulnerability and carries a severity score of 10/10 (critical). It affects vBulletin versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 when running on PHP 8.1 or later.
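The article does not say why PHP 8.1 is the cut-off. One relevant runtime change is that, since PHP 8.1, ReflectionMethod::invoke() and invokeArgs() can call protected and private methods without a prior setAccessible() call, so any dispatcher that relied on the runtime throwing a ReflectionException for non-public methods silently lost that protection. The block below is an added illustration of that pattern and is not vBulletin's code; the controller, the method names and both dispatchers are hypothetical.

```php
<?php
// Added illustration (not vBulletin's code): a controller with one public
// action and one protected helper, and two dispatchers that map a
// user-supplied method name onto it via reflection.
class ApiController {
    public function listThreads(): string {
        return 'threads';
    }
    // Hypothetical internal helper that must never be reachable from a request.
    protected function replaceTemplate(string $tpl): string {
        return "replaced:$tpl";
    }
}

// Unsafe: trusts the runtime to refuse non-public methods. Before PHP 8.1,
// invokeArgs() on a protected method threw ReflectionException; from 8.1 on
// it succeeds, so the implicit visibility check disappears with the upgrade.
function dispatchUnsafe(object $ctl, string $method, array $args): string {
    $rm = new ReflectionMethod($ctl, $method);
    return $rm->invokeArgs($ctl, $args);
}

// Hardened: decide exposure explicitly instead of inheriting it from the
// reflection API. Reject unknown, non-public, static and magic methods.
function dispatchSafe(object $ctl, string $method, array $args): string {
    if (!method_exists($ctl, $method)) {
        throw new InvalidArgumentException("unknown method: $method");
    }
    $rm = new ReflectionMethod($ctl, $method);
    if (!$rm->isPublic() || $rm->isStatic() || str_starts_with($method, '__')) {
        throw new RuntimeException("method not exposed: $method");
    }
    return $rm->invokeArgs($ctl, $args);
}

$ctl = new ApiController();
echo dispatchUnsafe($ctl, 'listThreads', []), PHP_EOL;

try {
    // Succeeds on PHP >= 8.1, throws on older releases.
    echo dispatchUnsafe($ctl, 'replaceTemplate', ['x']), PHP_EOL;
} catch (ReflectionException $e) {
    echo 'blocked by runtime (PHP < 8.1): ', $e->getMessage(), PHP_EOL;
}

try {
    // Blocked on every PHP version because the check is explicit.
    echo dispatchSafe($ctl, 'replaceTemplate', ['x']), PHP_EOL;
} catch (RuntimeException $e) {
    echo 'blocked by explicit check: ', $e->getMessage(), PHP_EOL;
}
```

Running the script under PHP 8.0 and PHP 8.1 side by side shows the difference: the unsafe dispatcher prints "blocked by runtime" on 8.0 and "replaced:x" on 8.1, while the hardened one rejects the protected method on both. The general lesson is to whitelist what a request may call rather than relying on language-level visibility, which is a property of the runtime and can change underneath the application.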
Doxxing Stern
Dewhurst said he first saw attempts against his honeypot on May 26. The attacks came from Poland, he added, noting that proof-of-concept exploits had been available for a few days by that point.
The bug was first spotted by security researcher Egidio Romano (EgiX), who also found a second vulnerability involving template conditionals in the template engine, tracked as CVE-2025-48828.
The latter has a 9.0/10 (critical) severity score and also gives attackers code execution. The two can be chained, but so far the researchers have not seen the chain used in the wild.
According to BleepingComputer, the bug was most likely patched quietly when Patch Level 1 (for all 6.x versions) and Patch Level 3 (for version 5.7.5) were released. The publication says many sites remain at risk because not all administrators are diligent about applying patches; administrators on 6.x should confirm they are on Patch Level 1 or later, and those on 5.7.5 on Patch Level 3 or later.
vBulletin, BleepingComputer adds, is one of the most widely used commercial PHP/MySQL forum platforms, powering thousands of online communities around the world.
It owes its popularity in part to its modular design, which makes it both flexible and complex. That complexity also makes it somewhat more exposed to attack.