Get all your news in one place.

100’s of premium titles.
One app.

Get all your news in one place.

100’s of premium titles. One news app.

TechRadar

Sead Fadilpašić

Security flaw in vBulletin forum software exploited by hackers

BleepingComputer

Forum animation.

Security researchers find two flaws in vBulletin
Both are critical in severity, and can be chained for RCE
One of the flaws is being actively exploited

A critical security vulnerability found in the popular forum software vBulletin is being abused in the wild, experts have claimed.

Cybersecurity researcher Ryan Dewhurst, who claims to have seen exploitation attempts in the wild, says the vulnerability can in theory be used to grant the attackers remote code execution (RCE) capabilities.

Dewhurst says the bug, tracked as CVE-2025-48827, is described as an API method invocation flaw, with a severity score of 10/10 (critical). It affects vBulletin versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3, running on PHP 8.1 and later.

Doxxing Stern

Dewhurst said that he first saw exploitation attempts in his honeypot on May 26. The attacks originated in Poland, he added, stressing that PoCs were available for a few days at this point.

It is also worth mentioning that the bug was first spotted by security researcher Egidio Romano (EgiX), who also observed a “Template Conditionals in the template engine” vulnerability, tracked as CVE-2025-48828.

This one has a severity score of 9.0/10 (critical), and grants the attackers remote code execution (RCE) capabilities. These two can allegedly be chained together, but so far, the researchers haven’t seen the chain in the wild.

According to BleepingComputer, the bug was probably patched quietly, when Patch Level 1 (for all versions of the 6) and Patch Level 3 (for version 5.7.5) were released. The publication claims that many sites remain at risk since not all admins are diligent when it comes to patching.

vBulletin, BleepingComputer further stresses, is one of the most widely used commercial PHP/MySQL-based forum platforms, powering thousands of online communities globally.

It owes its popularity, among other things, to its modular design, which makes it both flexible and complex. It also makes it somewhat more exposed to threats.

You might also like

Conti ransomware group officially shuts down - but probably not for long
Take a look at our guide to the best authenticator app
We've rounded up the best password managers

Sign up to read this article

Read news from 100’s of titles, curated specifically for you.

Already a member? Sign in here

Top stories on inkl right now

Zelenskyy urges US and Europe to ‘act decisively’ after three killed in Kyiv drone attack – Europe live

Zelenskyy urges US and Europe to ‘act decisively’ after three killed in Kyiv drone attack – Europe live

Russia used more than 400 drones and 40 missiles in an assault which ‘targeted almost all of Ukraine’

The Guardian - UK

Record number of ebike fires in UK prompts renewed risk warnings

Record number of ebike fires in UK prompts renewed risk warnings

Fire services responded to 211 ebike and e-scooter fires in 2024 as London film brigade warns of growing risk

The Guardian - UK

Australian bouncy castle operator acquitted in accident that killed six children

Australian bouncy castle operator acquitted in accident that killed six children

Families of victims express disbelief over verdict

The Independent UK

Trump travel ban comes as little surprise amid barrage of draconian restrictions

Trump travel ban comes as little surprise amid barrage of draconian restrictions

President had cued up ban in January order and, despite exemptions, policy will separate families and harm people fleeing crises

The Guardian - US

One subscription that gives you access to news from hundreds of sites

Already a member? Sign in here

A judge tells federal agencies they can't enforce anti-trans bias policies against Catholic groups

A judge tells federal agencies they can't enforce anti-trans bias policies against Catholic groups

A federal judge has ruled that two federal agencies cannot punish Catholic employers and health care providers if they refuse, for religious reasons, to provide gender-affirming care to transgender patients or won’t provide health insurance coverage for such care to their workers

The Independent UK

Lopez out long term with a shoulder strain

Lopez out long term with a shoulder strain

Twins starting pitcher Pablo Lopez out long term with a shoulder strain. Lopez is expected to be gone two to three months.

The Sports Daily

Related Stories

Top stories on inkl right now

Zelenskyy urges US and Europe to ‘act decisively’ after three killed in Kyiv drone attack – Europe live

Zelenskyy urges US and Europe to ‘act decisively’ after three killed in Kyiv drone attack – Europe live

Russia used more than 400 drones and 40 missiles in an assault which ‘targeted almost all of Ukraine’

The Guardian - UK

Record number of ebike fires in UK prompts renewed risk warnings

Record number of ebike fires in UK prompts renewed risk warnings

Fire services responded to 211 ebike and e-scooter fires in 2024 as London film brigade warns of growing risk

The Guardian - UK

Australian bouncy castle operator acquitted in accident that killed six children

Australian bouncy castle operator acquitted in accident that killed six children

Families of victims express disbelief over verdict

The Independent UK

Trump travel ban comes as little surprise amid barrage of draconian restrictions

Trump travel ban comes as little surprise amid barrage of draconian restrictions

President had cued up ban in January order and, despite exemptions, policy will separate families and harm people fleeing crises

The Guardian - US

One subscription that gives you access to news from hundreds of sites

Already a member? Sign in here

A judge tells federal agencies they can't enforce anti-trans bias policies against Catholic groups

A judge tells federal agencies they can't enforce anti-trans bias policies against Catholic groups

A federal judge has ruled that two federal agencies cannot punish Catholic employers and health care providers if they refuse, for religious reasons, to provide gender-affirming care to transgender patients or won’t provide health insurance coverage for such care to their workers

The Independent UK

Lopez out long term with a shoulder strain

Lopez out long term with a shoulder strain

Twins starting pitcher Pablo Lopez out long term with a shoulder strain. Lopez is expected to be gone two to three months.

The Sports Daily

Our Picks

Dakota Johnson says she once sent gorilla poo to a friend’s ex following a break-up

‘You can order any kind, any size,’ claimed the actor

The Independent UK

'The Secret Lives of Mormon Wives' Is Getting a Reunion Special. Here's Everything We Know

Here's everything we know about the upcoming special.

Stop Believing These 8 Air Conditioner Myths Before Summer Starts

As temperatures rise, many homeowners rely on air conditioners to keep their homes cool. However, several persistent myths about air conditioning can lead to inefficient usage, higher energy bills, and unnecessary wear on your system. Understanding the truth behind these misconceptions can help you optimize your AC’s performance and save…

After losing "eight or nine teeth" on season 1, Squid Game creator says he's lost two more making season 3 of the Netflix show: "I haven't put them back in yet"

Squid Game director Hwang Dong-hyuk lost several teeth making the hit Netflix show

These Are the Fragrances Celebrities Swear By

"I use it several times a day. I can't get enough."

Walton Goggins thinks our obsession with his “feud” with Aimee Lou Wood was “all so ridiculous” and he’s not wrong!

Finally, we have an answer.

Fourteen days free

Download the app

One app. One membership.
100+ trusted global sources.

Download on the AppStore

Get it on Google Play