CVE-2025-48828
high-risk
Published 2025-05-27
Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. By crafting template code in an alternative PHP function invocation syntax, such as the "var_dump"("test") syntax, attackers can bypass security checks and execute arbitrary PHP code, as exploited in the wild in May 2025.
Do I need to act?
73.7% chance of exploitation in next 30 days
EPSS score — higher than 26% of all CVEs
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 9.0/10
Critical
NETWORK / HIGH complexity
Affected Products (1)
Affected Vendors
References (3)
Third Party Advisory
https://kevintel.com/CVE-2025-48828
50 / 100
high-risk
Severity
26/34 · High
Exploitability
19/34 · Moderate
Exposure
5/34 · Minimal