CVE-2025-48827
vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP...
Basic Information
- CVE State: PUBLISHED
- Reserved Date: May 27, 2025
- Published Date: May 27, 2025
- Last Updated: May 27, 2025
- Vendor: vBulletin
- Product: vBulletin
- Description: vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later, as demonstrated by the /api.php?method=protectedMethod pattern, as exploited in the wild in May 2025.
- Tags
- Score: 10.65% (Percentile: 92.94%) as of 2025-06-20
- Exploitation: poc
- Automatable: Yes
- Technical Impact: total
php
CVSS Scores
CVSS v3.1
10.0 - CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Known Exploited Vulnerability Information
| Source | Added Date |
|---|---|
| KEVIntel | 2025-05-27 00:00:00 UTC |
Recent Mentions
vBulletin Exploits (CVE-2025-48827, CVE-2025-48828), (Tue, Jun 3rd)
Source: SANS Internet Storm Center • Published: 2025-06-03 20:58:01 UTC
Last week, Egidio Romano disclosed an interesting and easily exploitable vulnerability in vBulletin. These days, bulletin boards are not quite as popular as they used to be, but they are still being used, and vBulletin is one of the most common commercially supported platforms to create a bulletin board. The vulnerability is remarkable as it exemplifies some common issues with patching and keeping your software up to date.
CVE-2025-48827 – Critical Unauthenticated API Access in vBulletin
Source: DarkWebInformer • Published: 2025-05-27 22:05:32 UTC
Timeline
- Proof of Concept Exploit Available
- CVE ID Reserved
- CVE Published to Public
- Added to KEVIntel