Back to KEVs

CVE-2025-48827

vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP...

Basic Information

CVE State: PUBLISHED
Reserved Date: May 27, 2025
Published Date: May 27, 2025
Last Updated: May 27, 2025
Vendor: vBulletin
Product: vBulletin
Description: vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later, as demonstrated by the /api.php?method=protectedMethod pattern, as exploited in the wild in May 2025.
Tags

CVSS Scores

CVSS v3.1

10.0 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score

Score: 0.07% (Percentile: 22.73%) as of 2025-05-29

SSVC Information

Exploitation: poc
Automatable: Yes
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (added 2025-05-26 00:00:00 UTC) Source
Proof of Concept Available: Yes (added 2025-05-23 00:00:00 UTC) Source

References

https://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce https://kevintel.com/CVE-2025-48827

Known Exploited Vulnerability Information

Source	Added Date
KEVIntel	2025-05-27 00:00:00 UTC

Recent Mentions

CVE-2025-48827 – Critical Unauthenticated API Access in vBulletin

Source: DarkWebInformer • Published: 2025-05-27 22:05:32 UTC

CVE-2025-48827 – Critical Unauthenticated API Access in vBulletin

Timeline

Proof of Concept Exploit Available

May 23, 2025
CVE ID Reserved

May 27, 2025
CVE Published to Public

May 27, 2025
Added to KEVIntel

May 27, 2025