PT-2025-22961 · vBulletin

Egix

Published 2025-05-23 · Updated 2026-03-25

CVE-2025-48827

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
vBulletin versions 5.0.0 through 5.7.5
vBulletin versions 6.0.0 through 6.0.3

Description
vBulletin versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 are affected by an issue that allows unauthenticated users to invoke protected methods of API controllers when the forum runs on PHP 8.1 or later, as demonstrated by the /api.php?method=protectedMethod pattern.

The vulnerability stems from improper handling of API method invocation combined with a change in the behaviour of PHP 8.1's Reflection API: from PHP 8.1 onwards, ReflectionMethod::invoke() no longer blocks calls to protected methods by default, so a dispatcher that relied on that implicit restriction now exposes every protected controller method to request input. Attackers can use this to trigger sensitive internal functions and achieve remote code execution (RCE).

The issue has been exploited in the wild since May 2025, with approximately 42,500+ potentially affected services identified annually. The vulnerability can be reached through the /ajax/api/[controller]/[method] endpoints via the routestring parameter. A specific example is the replaceAdTemplate method of the vB Api Ad controller, where a malicious template can be uploaded and subsequently executed via a crafted request.

Recommendations
vBulletin versions 5.0.0 through 5.7.5: at the moment there is no information about a newer version that contains a fix for this vulnerability.
vBulletin versions 6.0.0 through 6.0.3: at the moment there is no information about a newer version that contains a fix for this vulnerability.
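The root cause described above is a dispatcher that resolves a method name from request input and invokes it through reflection, trusting the pre-8.1 behaviour of ReflectionMethod::invoke() to reject non-public methods. The following added example (not vBulletin's code; ExampleApiController, invokeApiMethod and unguardedInvoke are hypothetical names chosen here) shows the unguarded pattern beside a dispatcher that checks visibility explicitly, which is the check a PHP 8.1+ deployment needs regardless of the framework:

```php
<?php
declare(strict_types=1);

// Hypothetical controller standing in for a vBulletin API controller.
// Protected methods are internal helpers that must never be reachable
// from a request.
final class ExampleApiController
{
    public function listItems(): string
    {
        return 'public method: ok';
    }

    protected function internalAction(): string
    {
        return 'protected method: must not be reachable from a request';
    }
}

// "Before" pattern: method name taken straight from input, no visibility
// check. On PHP < 8.1 invoke() threw ReflectionException for protected
// methods unless setAccessible(true) was called; on PHP 8.1+ the call
// simply succeeds, which is the behaviour change behind CVE-2025-48827.
function unguardedInvoke(object $controller, string $method): string
{
    $rm = new ReflectionMethod($controller, $method);
    return (string) $rm->invoke($controller);
}

// Hardened dispatcher: the caller's intent is "public API method only",
// so say so explicitly instead of relying on the Reflection API default.
function invokeApiMethod(object $controller, string $method): string
{
    // Reject unknown names and magic methods (__construct, __call, ...).
    if (!method_exists($controller, $method) || str_starts_with($method, '__')) {
        throw new RuntimeException('unknown API method');
    }
    $rm = new ReflectionMethod($controller, $method);
    // The explicit visibility check is the fix: protected/private methods
    // are never dispatchable, whatever PHP version is running.
    if (!$rm->isPublic() || $rm->isStatic()) {
        throw new RuntimeException('API method is not public');
    }
    return (string) $rm->invoke($controller);
}

$controller = new ExampleApiController();
foreach (['listItems', 'internalAction'] as $name) {
    try {
        printf("unguarded  %-15s -> %s\n", $name, unguardedInvoke($controller, $name));
    } catch (ReflectionException $e) {
        printf("unguarded  %-15s -> rejected by PHP (%s)\n", $name, $e->getMessage());
    }
    try {
        printf("hardened   %-15s -> %s\n", $name, invokeApiMethod($controller, $name));
    } catch (RuntimeException $e) {
        printf("hardened   %-15s -> rejected (%s)\n", $name, $e->getMessage());
    }
}
```

Run under PHP 8.1 or later, the unguarded path returns the protected method's result, while the hardened path rejects it; under PHP 8.0 or earlier, both paths reject it, which is exactly why a dispatcher that only ever ran on older PHP could look correct. A static check is also cheap: any call to ReflectionMethod::invoke() or invokeArgs() whose method name derives from request data, with no isPublic() (or an allow-list of method names) in front of it, deserves review.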

Exploit

RCE

Weakness Enumeration

Related Identifiers

BDU:2025-06790
CVE-2025-48827

Affected Products

Php
Vbulletin