CVE-2025-48827

vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP...

Basic Information

CVE State
PUBLISHED
Reserved Date
May 27, 2025
Published Date
May 27, 2025
Last Updated
May 27, 2025
Vendor
vBulletin
Product
vBulletin
Description
vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later, as demonstrated by the /api.php?method=protectedMethod pattern, as exploited in the wild in May 2025.
Tags
php

CVSS Scores

CVSS v3.1

10.0 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score

Score
10.65% (Percentile: 92.94%) as of 2025-06-20

SSVC Information

Exploitation
poc
Automatable
Yes
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2025-05-26 00:00:00 UTC) Source
Proof of Concept Available
Yes (added 2025-05-23 00:00:00 UTC) Source

Known Exploited Vulnerability Information

Source Added Date
KEVIntel 2025-05-27 00:00:00 UTC

Recent Mentions

vBulletin Exploits (CVE-2025-48827, CVE-2025-48828), (Tue, Jun 3rd)

Source: SANS Internet Storm Center • Published: 2025-06-03 20:58:01 UTC

Last week, Egidio Romano disclosed an interesting and easily exploitable vulnerability in vBulltin. These days, bulletin boards are not quite as popular as they used to be, but they are still being used, and vBulletin is one of the most common commercially supported platforms to create a bulletin board. The vulnerability is remarkable as it exemplifies some common issues with patching and keeping your software up to date.

CVE-2025-48827 – Critical Unauthenticated API Access in vBulletin

Source: DarkWebInformer • Published: 2025-05-27 22:05:32 UTC

CVE-2025-48827 – Critical Unauthenticated API Access in vBulletin

Timeline

  • Proof of Concept Exploit Available

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel