CVE-2025-48827 Information

Description

vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers’ methods when running on PHP 8.1 or later, as demonstrated by the /api.php?method=protectedMethod pattern, and as exploited in the wild in May 2025.

Reference

https://blog.kevintel.com/vbulletin-replaceadtemplate-kev/
https://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce
https://kevintel.com/CVE-2025-48827
