Critical Security Flaws Exploited in Popular Forum Software vBulletin
By Netvora Tech News
The National Institute of Standards and Technology (NIST) has catalogued two critical vulnerabilities in the popular forum software vBulletin, and Qualys and KEVIntel report that attackers are actively exploiting them. The flaws, identified as CVE-2025-48827 and CVE-2025-48828, together allow an unauthenticated attacker to execute code remotely on vulnerable systems.
Vulnerability Details
CVE-2025-48827 carries a CVSS score of 10.0 out of 10, while CVE-2025-48828 is rated 9.0. The first lies in vBulletin's API controller: on PHP 8.1 and later, unauthenticated requests can invoke controller methods that were meant to be protected. The second lies in the template engine, where template conditionals can be made to execute PHP code. Reaching the template engine through the exposed API is what turns the pair into unauthenticated remote code execution.
Affected Versions
The vulnerabilities affect vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3. According to KEVIntel, fixes shipped in April 2024 as patch-level releases: vBulletin 6.0.3 Patch Level 1, 6.0.2 Patch Level 1, 6.0.1 Patch Level 1 and 5.7.5 Patch Level 3. An installation on an earlier patch level of one of those releases, or on any release in the affected range that has no corresponding patch level, remains vulnerable.
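A small checker that applies the version table above to an installed version string, added here as an example (not code from the article, from KEVIntel or from vBulletin). It parses the "X.Y.Z Patch Level N" format, treats a release in the affected range with no listed patch level (such as 6.0.0) as needing an upgrade, and treats anything above 6.0.3 as outside the range the article describes; the status strings and the way the version string is obtained are assumptions of this example.

```python
import re

# Minimum patched "Patch Level" per affected release, as listed in the article.
# Releases in the affected range without an entry (e.g. 6.0.0, 5.7.4) have no
# patch-level build and must be upgraded to a listed release or newer.
PATCHED = {
    (5, 7, 5): 3,
    (6, 0, 1): 1,
    (6, 0, 2): 1,
    (6, 0, 3): 1,
}
AFFECTED_RANGE = ((5, 0, 0), (6, 0, 3))

# Accepts "6.0.3 Patch Level 1", "5.7.5 PL3", "6.0.3"; case-insensitive.
VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s*(?:Patch Level|PL)\s*(\d+))?\s*$", re.I
)


def parse_version(text):
    """Return ((major, minor, patch), patch_level); patch_level is 0 if absent."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised vBulletin version string: {text!r}")
    base = tuple(int(x) for x in m.group(1, 2, 3))
    level = int(m.group(4)) if m.group(4) else 0
    return base, level


def fmt(base):
    return ".".join(str(x) for x in base)


def assess(text):
    """Classify an installed version as patched / vulnerable / not-in-affected-range.

    Returns (status, advice). Status values are this example's own convention.
    """
    base, level = parse_version(text)
    lo, hi = AFFECTED_RANGE
    if not (lo <= base <= hi):
        return ("not-in-affected-range",
                f"{fmt(base)} is outside 5.0.0-6.0.3; confirm against the vendor's release notes")
    fixed_level = PATCHED.get(base)
    if fixed_level is None:
        return ("vulnerable",
                f"no patch level exists for {fmt(base)}; upgrade to a patched release")
    if level >= fixed_level:
        return ("patched", f"{fmt(base)} Patch Level {level} includes the April 2024 fixes")
    return ("vulnerable",
            f"apply {fmt(base)} Patch Level {fixed_level} or later (installed: Patch Level {level})")


if __name__ == "__main__":
    for v in ["6.0.3 Patch Level 1", "6.0.3", "5.7.5 PL2", "6.0.0", "6.1.0"]:
        status, advice = assess(v)
        print(f"{v:22} {status:24} {advice}")
```

The important edge case is the bare release string: "6.0.3" with no patch level parses as Patch Level 0 and is reported vulnerable, which is the correct reading of the article's table.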
Recommendations for Forum Administrators
Forum administrators who have not updated their vBulletin installation in more than a year should assume a high risk of exploitation, according to KEVIntel. Qualys estimates, from an Internet-wide scan, that more than 26,000 vBulletin instances are publicly reachable.
Prevention and Mitigation
The most effective way to prevent exploitation is to update to a patched version of vBulletin. Until that is done, administrators can reduce the attack surface by blocking API endpoints the forum does not actually use and by restricting access to the template engine, since the template engine is where the attacker ultimately reaches code execution. Reviewing web server logs for unexpected API method calls is also worthwhile, because an installation that has been exposed for a year may already have been hit.
- Update vBulletin to a patched version (6.0.3 Patch Level 1, 6.0.2 Patch Level 1, 6.0.1 Patch Level 1, 5.7.5 Patch Level 3, or newer)
- Disable API calls the forum does not need
- Restrict access to the template engine
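To make "disable unnecessary API calls" actionable, the script below triages web server access logs for requests that reach vBulletin's API routes and are not on an allowlist of methods the forum legitimately uses, ranking template-related method names highest because the template engine is the component the article says to lock down. This is an added example, not code from the article or from vBulletin. It assumes the API is reached through paths of the form /ajax/api/<controller>/<method> or api.php?method=<name>; the log lines are constructed for the example, the method names in them and in the allowlist are placeholders an administrator would replace with the methods their own forum's front end calls, and the severity labels are this example's own convention.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format; not real traffic and not
# real attack activity. Method names are placeholders for this example.
SAMPLE_LOG = """\
203.0.113.10 - - [27/May/2025:10:01:12 +0000] "POST /ajax/api/user/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [27/May/2025:10:01:15 +0000] "GET /forum/api.php?method=getUserInfo HTTP/1.1" 200 880 "-" "Mozilla/5.0"
198.51.100.7 - - [27/May/2025:10:02:40 +0000] "POST /ajax/api/template/saveTemplate HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.7 - - [27/May/2025:10:02:41 +0000] "GET /forum/api.php?method=fetchTemplate&x=1 HTTP/1.1" 403 0 "-" "curl/8.1"
198.51.100.7 - - [27/May/2025:10:02:45 +0000] "GET /ajax/api/ad/fetchAds?loc=header HTTP/1.1" 200 77 "-" "curl/8.1"
192.0.2.5 - - [27/May/2025:10:03:02 +0000] "GET /forum/showthread.php?t=42 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# Placeholder allowlist: the API methods this (hypothetical) forum's own
# front end is known to call. Everything else is reported.
ALLOWED_METHODS = {"user/login", "api.php:getUserInfo"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<verb>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Matches the controller/method tail of an /ajax/api/... route, after the
# query string has been split off.
API_PATH_RE = re.compile(r"/ajax/api/(?P<controller>[^/?]+)/(?P<method>[^/?]+)$")


def extract_api_call(target):
    """Return a normalised 'controller/method' or 'api.php:<method>' for API
    requests, or None when the request is not an API call."""
    parts = urlsplit(target)
    m = API_PATH_RE.search(parts.path)
    if m:
        return f"{m.group('controller')}/{m.group('method')}"
    if parts.path.rsplit("/", 1)[-1] == "api.php":
        method = parse_qs(parts.query).get("method")
        if method:
            return f"api.php:{method[0]}"
    return None


def triage(log_text, allowed=ALLOWED_METHODS):
    """Return findings for API calls outside the allowlist, in log order.

    Severity: 'high' if the method name mentions templates (the component the
    attacker needs for code execution), otherwise 'medium'. The HTTP status is
    kept because a 200 on a flagged call deserves a closer look than a 403.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        call = extract_api_call(m.group("target"))
        if call is None or call in allowed:
            continue
        findings.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "call": call,
            "status": int(m.group("status")),
            "severity": "high" if "template" in call.lower() else "medium",
        })
    return findings


def by_source(findings):
    """Group flagged calls by client IP so a single source probing several
    methods stands out."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["ip"], []).append(f["call"])
    return grouped


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f['severity']:6} {f['ip']:14} {f['status']} {f['call']}  ({f['ts']})")
    print(by_source(results))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the allowlist should be built from the forum's own traffic while it is known to be clean, not from this example. A blocked request (403) on a template method is still worth recording, since it shows someone was looking.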