TROYANOSYVIRUS

CVE-2025-48827

CRITICAL
10.0

Description

vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later, as demonstrated by the /api.php?method=protectedMethod pattern, as exploited in the wild in May 2025.

CVE Details

CVSS v3.1 score: 10.0
Severity: CRITICAL
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack vector: NETWORK
Complexity: LOW
Privileges required: NONE
User interaction: NONE
Published: 5/27/2025
Last modified: 6/25/2025
Source: nvd
Honeypot observations: 0

Affected products

vbulletin:vbulletin

Weaknesses (CWE)

CWE-424

IOC correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.