vBulletin - Authentication Bypass (CVE-2025-48827)

CVE-2025-48827 is a serious vulnerability in vBulletin versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 running on PHP 8.1 or later, allowing unauthenticated attackers to invoke protected API controller methods. This flaw can be exploited remotely, potentially leading to unauthorized access or manipulation of sensitive forum functions, as observed in active attacks in May 2025.

CrowdSec has been tracking this vulnerability and its exploits since 16th of July 2025.

According to CrowdSec data, while opportunistic exploitation dominates, a portion of threat actors trying to exploit CVE-2025-48827 apply basic targeting methods such as port or service detection. This indicates emerging patterns of selective targeting. Telemetry from the CrowdSec network also shows that exploitation activity for CVE-2025-48827 remains steady week-over-week. Attack volumes are consistent with long-term trends, indicating sustained interest from threat actors. CVE-2025-48827 continues to be an active part of the threat landscape and will likely remain this way for the forseeable future.

Attackers exploit this vulnerability by sending POST requests to the /ajax/api/ad/wrapAdTemplate endpoint, bypassing authentication to invoke protected methods and potentially execute arbitrary system commands.