One template and everything crashes into oblivion. Thanks, PHP 8.1.
Two critical vulnerabilities have been found in the vBulletin forum software, CVE-2025-48827 and CVE-2025-48828, allowing remote code execution on the server without any login credentials. The first is already being exploited in the wild; chained with the second, it escalates to full system takeover.
The vulnerabilities were disclosed on May 23, 2025, by independent researcher Egidio Romano (EgiX), who published a detailed technical analysis explaining how they work. At the heart of the issue lies a change in PHP behavior starting with version 8.1 and logical flaws in vBulletin’s templating engine. Combined, these create a dangerous situation: unauthenticated remote command execution on the server.
The first flaw, CVE-2025-48827, stems from relying on Reflection API behaviour that PHP 8.1 changed. Before 8.1, invoking a protected or private method through ReflectionMethod::invoke() or invokeArgs() threw a ReflectionException unless the caller had first called setAccessible(true). In PHP 8.1 setAccessible() became a no-op and such invocations simply succeed. Code that had been leaning on that exception as an implicit access check, as vBulletin's API dispatcher did, now lets callers reach protected methods directly.
vBulletin's /ajax/api/<controller>/<method> endpoint resolves the method name from the request this way, so any protected method on an API class becomes callable by anyone. One of them, replaceAdTemplate in the ad API, accepts a template string from the request and compiles it, which lets an attacker push a crafted template into the template engine through a single HTTP request. That alone should be contained by the engine's filter for unsafe functions in template conditionals. The second flaw, CVE-2025-48828, is that the filter matches function names literally, so PHP's variable-function syntax, for example ${'assert'}(...), slips past it while still invoking assert(), and the compiled template ends up executing attacker-supplied PHP.
Together the two bugs make a compact exploit: one request both injects the template and gets it executed, running arbitrary commands with the privileges of the web server account, usually www-data on Linux. From there an attacker can drop a backdoor, run scripts and move deeper into the system.
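The two behaviours described above, as an added example that is not vBulletin's code: a minimal reflection-based API dispatcher that relies on the pre-8.1 exception to keep protected methods unreachable, an explicitly checked replacement, and a denylist conditional filter of the kind the ${'assert'} spelling slips past, next to an allowlist check that rejects indirect calls outright. All class, method and function names here (Api, dispatchVulnerable, dispatchHardened, naiveFilterAllows, strictFilterAllows) are assumed for illustration; nothing in the block evaluates the filtered strings.

```php
<?php
declare(strict_types=1);

// Added example, not vBulletin's code. Names below are illustrative stand-ins.

class Api
{
    public function ping(): string
    {
        return 'pong';
    }

    // Deliberately protected: not meant to be reachable from a request.
    protected function replaceAdTemplate(string $template): string
    {
        return 'compiled: ' . $template;
    }
}

// Vulnerable pattern: maps the request's method name straight onto reflection and
// counts on ReflectionMethod::invokeArgs() refusing non-public methods.
// PHP < 8.1:  invokeArgs() throws ReflectionException for a protected method
//             unless setAccessible(true) was called first.
// PHP >= 8.1: setAccessible() is a no-op and invokeArgs() just succeeds,
//             so the implicit guard disappears and replaceAdTemplate() is callable.
function dispatchVulnerable(object $api, string $method, array $args): string
{
    $m = new ReflectionMethod($api, $method);
    return (string) $m->invokeArgs($api, $args);
}

// Hardened pattern: decide visibility yourself instead of trusting an exception
// whose behaviour changed between PHP versions.
function dispatchHardened(object $api, string $method, array $args): string
{
    if (!method_exists($api, $method)) {
        throw new InvalidArgumentException("unknown method: $method");
    }
    $m = new ReflectionMethod($api, $method);
    if (!$m->isPublic() || $m->isStatic() || $m->isConstructor() || str_starts_with($method, '__')) {
        throw new InvalidArgumentException("not an API method: $method");
    }
    return (string) $m->invokeArgs($api, $args);
}

// Denylist filter in the spirit of the one the article says was bypassed: it only
// matches a banned name followed by '(', so the variable-function spellings
// ${'assert'}('...') and "assert"('...') never match although both call assert().
function naiveFilterAllows(string $condition): bool
{
    foreach (['assert', 'eval', 'exec', 'system', 'passthru', 'shell_exec', 'popen'] as $fn) {
        if (preg_match('/\b' . $fn . '\s*\(/i', $condition)) {
            return false;
        }
    }
    return true;
}

// Allowlist filter: reject every indirect-call construct first, then permit only
// the handful of functions a template conditional legitimately needs.
function strictFilterAllows(string $condition): bool
{
    // ${...}, $var(...), 'str'(...) / "str"(...), call_user_func*, [callable](...)
    if (preg_match('/\$\{|\$\w+\s*\(|[\'"]\s*\(|\bcall_user_func|\]\s*\(/i', $condition)) {
        return false;
    }
    $allowed = ['in_array', 'is_array', 'empty', 'isset', 'count', 'strlen'];
    preg_match_all('/\b([a-z_]\w*)\s*\(/i', $condition, $calls);
    foreach ($calls[1] as $fn) {
        if (!in_array(strtolower($fn), $allowed, true)) {
            return false;
        }
    }
    return true;
}

$api = new Api();
echo dispatchHardened($api, 'ping', []), PHP_EOL;
try {
    // PHP >= 8.1 reaches the protected method; PHP < 8.1 lands in the catch block.
    echo dispatchVulnerable($api, 'replaceAdTemplate', ['<evil>']), PHP_EOL;
} catch (ReflectionException $e) {
    echo 'blocked by reflection (pre-8.1 behaviour): ', $e->getMessage(), PHP_EOL;
}
try {
    dispatchHardened($api, 'replaceAdTemplate', ['<evil>']);
} catch (InvalidArgumentException $e) {
    echo 'blocked by hardened dispatcher: ', $e->getMessage(), PHP_EOL;
}

$benign = 'in_array($vboptions["style"], ["dark", "light"])';
$bypass = '${"assert"}("phpinfo()")';   // same trick as ${'assert'} in the text; never evaluated here
var_dump(naiveFilterAllows($benign), naiveFilterAllows($bypass));   // the denylist lets the bypass through
var_dump(strictFilterAllows($benign), strictFilterAllows($bypass)); // the allowlist does not
```

Run it once under PHP 8.0 and once under 8.1 or later to see dispatchVulnerable() flip from an exception to a successful call with no change to the script; dispatchHardened() behaves the same on both, which is the property a fix for this class of bug needs.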
Just three days after Romano’s publication, on May 26, another researcher, Ryan Dewhurst, reported real-world exploitation attempts. After analyzing logs from his honeypot servers, he identified suspicious requests targeting the vulnerable endpoint /ajax/api/ad/replaceAdTemplate. These bore clear signs of malicious PHP injection attempts.
One source was even pinned down: the attacks came from IP addresses registered in Poland. The request payloads tried to fetch and install a web shell, which would give the attacker persistent command execution through the browser.
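The kind of log triage described above, as an added example that is not Dewhurst's honeypot tooling: it walks combined-format access log lines, keeps every request to the replaceAdTemplate endpoint (a protected method should never see a request at all, so even a bare hit is worth a look, and POST bodies are not in the access log anyway), and raises the severity when the query string carries template-injection markers such as the vb:if conditional or the ${ indirect-call spelling. The log lines, the IP addresses (documentation ranges) and the function name triageLog are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not part of the original page or any honeypot project.
// The log lines below are constructed; the addresses are documentation ranges.

const SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [26/May/2025:10:14:02 +0000] "POST /ajax/api/ad/replaceAdTemplate HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [26/May/2025:10:14:05 +0000] "GET /forum/index.php HTTP/1.1" 200 8213 "-" "Mozilla/5.0"
203.0.113.10 - - [26/May/2025:10:14:09 +0000] "GET /ajax/api/ad/replaceAdTemplate?template=%3Cvb%3Aif%20condition%3D%22%24%7B%27assert%27%7D%28%27phpinfo%28%29%27%29%22%3E HTTP/1.1" 200 217 "-" "curl/8.4.0"
198.51.100.7 - - [26/May/2025:10:15:41 +0000] "GET /ajax/api/user/fetchCurrentUserinfo HTTP/1.1" 200 340 "-" "Mozilla/5.0"
LOG;

// Combined log format: ip ident user [time] "method path proto" status bytes "referer" "ua"
const LINE_RE = '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>\S+) (?<path>\S+) [^"]*" (?<status>\d{3}) /';

// Markers of a template being smuggled in through the query string: the conditional
// tag itself and the indirect-call spellings the unsafe-function filter does not catch.
const INJECTION_MARKERS = ['<vb:if', 'condition=', '${', 'assert', 'eval', 'system(', 'shell_exec', 'passthru', 'base64_decode'];

/**
 * One finding per request that reaches the replaceAdTemplate endpoint.
 * severity 'high' when the decoded query also carries injection markers,
 * 'medium' for any other hit on the endpoint.
 */
function triageLog(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match(LINE_RE, $line, $m)) {
            continue;   // not a combined-format line; skip rather than guess
        }
        $path  = (string) (parse_url($m['path'], PHP_URL_PATH) ?: '');
        $query = (string) (parse_url($m['path'], PHP_URL_QUERY) ?: '');
        if (stripos($path, '/ajax/api/ad/replaceadtemplate') === false) {
            continue;
        }
        $decoded = strtolower(rawurldecode($query));
        $hits = array_values(array_filter(
            INJECTION_MARKERS,
            fn(string $marker): bool => str_contains($decoded, strtolower($marker))
        ));
        $findings[] = [
            'ip'       => $m['ip'],
            'time'     => $m['time'],
            'method'   => $m['method'],
            'status'   => (int) $m['status'],
            'severity' => $hits ? 'high' : 'medium',
            'markers'  => $hits,
        ];
    }
    return $findings;
}

foreach (triageLog(SAMPLE_LOG) as $f) {
    printf("%-6s %s %s %-4s status=%d markers=[%s]\n",
        $f['severity'], $f['time'], $f['ip'], $f['method'], $f['status'], implode(',', $f['markers']));
}
```

On the constructed sample the first and third lines are reported, the third as high because the decoded query contains the vb:if tag, a condition attribute, the ${ spelling and the word assert; the two requests from 198.51.100.7 are ignored. The endpoint match is case-insensitive on purpose, since the path is resolved to a method name and attackers vary the casing.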
So far, only the first vulnerability (CVE-2025-48827) has been observed in live attacks, but the published proof-of-concept strongly implies that the second is next. All the necessary pieces are already in place: a public PoC, and even prebuilt templates for the Nuclei scanner, which appeared on May 24. In other words, the attack scenario is already packaged and ready to deploy.
What is especially concerning is the breadth of affected versions: vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3, whenever they run on PHP 8.1 or later. The PHP version is the trigger: the same vBulletin code on PHP 8.0 does not expose the protected API methods, although the template filter weakness is still present. Fixes were actually released in 2024, as Patch Level 3 for 5.7.5 and Patch Level 1 for the 6.0.x releases, but they came with little fanfare and many admins did not realise how critical they were.
As a result, many forums remain at risk. Even those running the latest major versions but skipping minor patches are vulnerable. This is especially dangerous for high-traffic forums, where an attack could lead to user data theft, content tampering, and full system compromise.
vBulletin remains one of the most widely used PHP/MySQL forum engines, powering thousands of sites worldwide. Its modular architecture and mobile API support make it attractive for both small communities and large commercial platforms. But this same flexibility creates a wide attack surface — yet another reminder of how important it is to regularly patch even seemingly minor components.
vBulletin has previously been the target of major breaches. Past vulnerabilities allowed attackers to access databases, post malicious ads, and use the platform as a launchpad into broader systems. These latest bugs fall into the same category: easy to exploit and highly destructive in capable hands.
vBulletin's developers strongly recommend that forum admins apply the security patches urgently and, where possible, upgrade to version 6.1.1, which contains the fixes. Admins who cannot patch immediately can at least deny requests to /ajax/api/ad/replaceAdTemplate at the web server as a stopgap, but that closes only the one entry point seen in the wild so far, not the underlying flaws. Unpatched sites remain open to unauthenticated attacks through the API and the template engine.
