Cyber Security News

Threat Actors Actively Exploiting Critical vBulletin Vulnerability in the Wild

A critical, unauthenticated remote code execution vulnerability in vBulletin forum software is now being actively exploited.

The vulnerability, tracked as CVE-2025-48827 and CVE-2025-48828, affects vBulletin versions 5.0.0 through 6.0.3 and is now being actively targeted by threat actors, placing it in the Known Exploited Vulnerability (KEV) category.

Despite patches being available for over a year, numerous installations remain vulnerable, creating an attractive target for malicious actors seeking to compromise web forums.

vBulletin Remote Code Execution Flaw

The vulnerability centers on the replaceAdTemplate method exposed through vBulletin's AJAX API, reachable at the path ajax/api/ad/replaceAdTemplate.

This unauthenticated remote code execution (RCE) flaw allows attackers to execute arbitrary commands on vulnerable servers without supplying any credentials.

The vulnerability was originally disclosed by Karma(In)Security on May 23, 2025, complete with a proof-of-concept (PoC) exploit.

The technical implementation of the exploit involves injecting malicious vBulletin template syntax into HTTP POST requests. 

The payload structure utilizes vBulletin’s conditional template system, with attackers leveraging the following code pattern:

This payload effectively creates a backdoor that executes system commands through PHP's passthru() function, giving attackers command execution on the underlying server.

Organizations running unpatched versions face significant risk, as the vulnerability affects a broad range of vBulletin installations. 

The patched versions include vBulletin 6.0.3 Patch Level 1, vBulletin 6.0.2 Patch Level 1, vBulletin 6.0.1 Patch Level 1, and vBulletin 5.7.5 Patch Level 3. The current secure version is vBulletin 6.1.1, which remains unaffected by this vulnerability.

| CVEs | Affected Products | Impact | Exploit Prerequisites | CVSS 3.1 Score |
|---|---|---|---|---|
| CVE-2025-48827, CVE-2025-48828 | vBulletin 5.0.0 – 6.0.3 (unpatched versions) | Remote Code Execution (RCE) | Unauthenticated access to vulnerable endpoint | 9.8 (Critical) |

Active Exploitation

Cybersecurity researcher Ryan Dewhurst has documented concrete evidence of threat actors exploiting this vulnerability in production environments. 

Honeypot data analysis revealed multiple exploitation attempts originating from IP address 195.3.221.137, based in Poland. 

The attacks were first detected on May 26, 2025, with four distinct exploitation attempts recorded between 08:23:28.193 UTC and 08:24:33.429 UTC.

The attackers employed a standardized approach, utilizing a User-Agent header that mimics legitimate browser traffic:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.140 Safari/537.36

This obfuscation technique helps the malicious requests blend in with normal web traffic, so User-Agent alone is not a useful detection signal and monitoring has to key on the requested endpoint and method instead.

Additional confirmation comes from the SANS Internet Storm Center DShield logs, which documented reconnaissance probes targeting the vulnerable endpoint beginning May 25, 2025.
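A defender-side check on the endpoint named above, written as an added example (not code from the article, vBulletin, or the researchers cited): it parses combined-format web-server access-log lines and flags every request to ajax/api/ad/replaceAdTemplate, labelling POSTs as exploitation attempts and other methods as reconnaissance probes. The sample log is constructed; only the first line's source IP, date and User-Agent mirror values reported in the article.

```python
import re
from datetime import datetime

# Constructed sample of combined-format access-log lines. Line 1 mirrors the
# source IP, date and User-Agent reported in the article; the other lines
# (IPs, paths, sizes, scanner UA) are made up for the demonstration.
SAMPLE_LOG = """\
195.3.221.137 - - [26/May/2025:08:23:28 +0000] "POST /ajax/api/ad/replaceAdTemplate HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.140 Safari/537.36"
10.0.0.5 - - [26/May/2025:08:23:30 +0000] "GET /forum/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
203.0.113.9 - - [25/May/2025:14:02:11 +0000] "GET /forum/ajax/api/ad/replaceAdTemplate HTTP/1.1" 405 0 "-" "constructed-scanner/1.0"
10.0.0.7 - - [26/May/2025:08:24:33 +0000] "POST /ajax/api/content_text/save HTTP/1.1" 200 128 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Endpoint named in the article, matched as a case-insensitive substring so
# installations served from a sub-directory such as /forum/ are caught too.
VULN_ENDPOINT = "ajax/api/ad/replaceadtemplate"

def parse_line(line):
    """Parse one combined-log line into a dict; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_endpoint_hits(log_text):
    """Return every request to the endpoint, labelled 'probe' or 'exploit-attempt'."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and VULN_ENDPOINT in rec["path"].lower():
            # The exploit injects template syntax through POST fields, so a POST
            # has the shape of an attempt; any other method is a reconnaissance probe.
            rec["kind"] = "exploit-attempt" if rec["method"] == "POST" else "probe"
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for h in find_endpoint_hits(SAMPLE_LOG):
        print(h["ts"].isoformat(), h["ip"], h["kind"], h["method"], h["path"], h["status"])
```

Because the User-Agent is a stock Chrome string, the match is on path and method, not on the client header; a real deployment would feed the function the web server's actual access log.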

The rapid progression from vulnerability disclosure to active exploitation demonstrates the speed at which threat actors can weaponize publicly available security research, particularly when Nuclei templates become available for automated scanning tools.

The initial patch was released by vBulletin on April 1, 2024, more than a year before public disclosure. 

However, the vulnerability remained dormant until Karma(In)Security published their research on May 23, 2025, which was followed immediately by the creation of automated exploitation tools.

The rapid escalation included a Nuclei template release, enabling automated vulnerability scanning across internet-facing vBulletin installations. 

Within 48 hours, security researchers observed both reconnaissance activities and active exploitation attempts, highlighting the critical importance of timely patch management for web-facing applications. 

Organizations should immediately audit their vBulletin installations and apply available security updates to prevent compromise.


Kaaviya

Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.
