Back to KEVs

CVE-2025-48827

vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP...

Basic Information

CVE State: PUBLISHED
Reserved Date: May 27, 2025
Published Date: May 27, 2025
Last Updated: May 27, 2025
Vendor: vBulletin
Product: vBulletin
Description: vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later, as demonstrated by the /api.php?method=protectedMethod pattern, as exploited in the wild in May 2025.
Tags

CVSS Scores

CVSS v3.1

10.0 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score

Score: 10.65% (Percentile: 92.93%) as of 2025-06-24

SSVC Information

Exploitation: poc
Automatable: Yes
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (2025-05-26 00:00:00 UTC) Source
Proof of Concept Available: Yes (added 2025-05-23 00:00:00 UTC) Source

References

https://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce https://kevintel.com/CVE-2025-48827

Known Exploited Vulnerability Information

Source	Added Date
KEVIntel	2025-05-27 00:00:00 UTC

Recent Mentions

vBulletin Exploits (CVE-2025-48827, CVE-2025-48828), (Tue, Jun 3rd)

Source: SANS Internet Storm Center • Published: 2025-06-03 20:58:01 UTC

Last week, Egidio Romano disclosed an interesting and easily exploitable vulnerability in vBulltin. These days, bulletin boards are not quite as popular as they used to be, but they are still being used, and vBulletin is one of the most common commercially supported platforms to create a bulletin board. The vulnerability is remarkable as it exemplifies some common issues with patching and keeping your software up to date.

CVE-2025-48827 – Critical Unauthenticated API Access in vBulletin

Source: DarkWebInformer • Published: 2025-05-27 22:05:32 UTC

CVE-2025-48827 – Critical Unauthenticated API Access in vBulletin

Scanner Integrations

Scanner	URL	Date Detected
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-48827.yaml	2025-07-09 15:30:23 UTC

Timeline

Proof of Concept Exploit Available

May 23, 2025
CVE ID Reserved

May 27, 2025
CVE Published to Public

May 27, 2025
Added to KEVIntel

May 27, 2025
Detected by Nuclei

July 09, 2025