CRITICAL🇵🇱 Wersja polska

CVE-2025-48827

CVSS 10.0v3.1pub. 2025-05-27upd. 2025-06-25

vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later, as demonstrated by the /api.php?method=protectedMethod pattern, as exploited in the wild in May 2025.

🤖 AI Analysis
How it works

The problem occurs only in environments running PHP 8.1 or newer, where the protection mechanism for protected API methods stops working properly. An attacker can send a request to the /api.php endpoint with a parameter invoking a protected controller method (e.g., /api.php?method=protectedMethod) without any authentication. vBulletin does not properly verify access permissions for these methods in the mentioned versions on PHP 8.1+, resulting in unauthorized code execution on the server side. The vulnerability is classified as CWE-424, which is improper protection of an alternative path.

Impact

An unauthenticated attacker can gain full control over the server, including reading and modifying data (C:H/I:H), as well as causing service unavailability (A:H) with effects extending beyond the application scope (S:C). In practice, this means the possibility of remote code execution (RCE) on the server hosting the forum.

Mitigation & patch

Immediately apply patches available from the vendor according to the references. Due to active exploitation in production environments, immediate action is recommended — until the update is applied, consider temporary restriction of access to the /api.php endpoint at the firewall or web server level.

Who is affected

vBulletin versions 5.0.0 to 5.7.5 and 6.0.0 to 6.0.3 running on PHP 8.1 or newer

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Vbulletin

    APP
    Vbulletin
    5.0.0 – 5.7.56.0.0 – 6.0.3
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2020-17496CRITICAL9.8⚠ KEVten sam produkt

vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/wi...

CVE-2019-16759CRITICAL9.8⚠ KEVten sam produkt

vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/re...

CVE-2025-48828CRITICAL9.0PL ✓ten sam produkt

RCE w vBulletin poprzez Template Conditionals — wykonanie dowolnego kodu PHP

CVE-2023-25135CRITICAL9.8ten sam produkt

vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted H...

CVE-2020-7373CRITICAL9.8ten sam produkt

vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/wi...