Security researchers have confirmed the first in-the-wild exploitation of a critical remote code execution vulnerabilities affecting multiple versions of vBulletin forum software.
The vulnerabilities, now tracked as CVE-2025-48827 and CVE-2025-48828, has been actively exploited by threat actors despite patches being available for over a year.
The unauthenticated remote code execution vulnerabilities affects vBulletin versions 5.0.0 through 6.0.3, a popular PHP/MySQL forum software package that has been in use since 2000.
Karma(In)Security publicly disclosed the vulnerability on May 23, 2025, along with a proof-of-concept exploit, noting that the vulnerabilities was likely patched in April 2024.
The affected versions include all releases up to vBulletin 6.0.3, while the patched versions are vBulletin 6.0.3 Patch Level 1, vBulletin 6.0.2 Patch Level 1, vBulletin 6.0.1 Patch Level 1, and vBulletin 5.7.5 Patch Level 3.
The latest version, vBulletin 6.1.1, remains unaffected by this vulnerability. The critical Vulnerabilities resides in the “ajax/api/ad/replaceAdTemplate” endpoint, allowing attackers to execute arbitrary code on vulnerable systems without authentication.
vBulletin Vulnerability
Cybersecurity researchers detected active exploitation attempts originating from a Polish IP address (195.3.221.137) targeting the vulnerable vBulletin endpoint.
The attacks were first observed on May 26, 2025, with four separate exploitation attempts recorded between 08:23:28 UTC and 08:24:33 UTC.
The attackers used a specific HTTP POST payload containing the malicious code <vb:if condition='"passthru"($_POST["cmd"])'></vb:if>, which appears to be based on the original researcher’s proof-of-concept rather than the Nuclei template that became available on May 24, 2025.
The exploitation attempts used a standard Chrome user agent string to avoid detection.
Additional confirmation of scanning activity comes from SANS Internet Storm Center dshield logs, which show probes for the vulnerable vBulletin endpoint beginning on May 25, 2025.
This widespread scanning activity suggests that multiple threat actors are actively seeking out vulnerable vBulletin installations to exploit.
Mitigations
Organizations running vBulletin forum software should immediately verify their installation versions and apply available patches.
Any vBulletin installation that has not been updated within the past year is potentially vulnerable to this critical remote code execution Vulnerabilities .
The rapid progression from public disclosure to active exploitation highlights the urgency of maintaining current patch levels.
Within just three days of the vulnerability disclosure, a Nuclei template was released, and scanning activity began appearing in security logs worldwide.
By May 26, 2025, confirmed exploitation attempts were detected, demonstrating how quickly threat actors can weaponize publicly disclosed vulnerabilities.
System administrators should prioritize updated to the latest patched versions or vBulletin 6.1.1 to ensure protection against this vulnerability.
Given the critical nature of the flaw and confirmed in-the-wild exploitation, this vulnerability is expected to be added to the Known Exploited Vulnerabilities catalog once formal tracking is established.
The incident serves as a reminder of the importance of timely security updates, particularly for internet-facing applications like forum software that may not receive regular administrative attention despite their continued operation.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.
