CVE-2025-48827

high-risk

Published 2025-05-27

vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later, as demonstrated by the /api.php?method=protectedMethod pattern, as exploited in the wild in May 2025.

Do I need to act?

77.6% chance of exploitation in next 30 days

EPSS score — higher than 22% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 10.0/10 Critical

NETWORK / LOW complexity

Affected Products (1)

Vbulletin

Affected Vendors

Vbulletin

References (3)

Exploit https://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce

Third Party Advisory https://kevintel.com/CVE-2025-48827

Broken Link https://blog.kevintel.com/vbulletin-replaceadtemplate-kev/

/ 100

high-risk

Severity 33/34 · Critical

Exploitability 20/34 · Moderate

Exposure 5/34 · Minimal