CVE-2025-48827: 
VBulletin vulnerability analysis and mitigation

CVE-2025-48827 affects vBulletin versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3, allowing unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later. The vulnerability was discovered in May 2025 and was publicly disclosed on May 23, 2025, with active exploitation observed in the wild (KarmaInSecurity, KEVIntel).

The vulnerability stems from the misuse of PHP's Reflection API within vBulletin's API controller logic, combined with changes in PHP 8.1 that allow protected methods to be invoked via ReflectionMethod::invoke(). The vulnerability can be exploited using the /api.php?method=protectedMethod pattern. The CVSS v3.1 score is 10.0 (CRITICAL) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (KarmaInSecurity).

The vulnerability allows unauthenticated attackers to bypass access controls and directly invoke protected methods that were never meant to be exposed externally. This can lead to Remote Code Execution (RCE) when combined with template engine vulnerabilities, potentially giving attackers complete control over affected vBulletin installations (KarmaInSecurity).

The vulnerability was likely patched in vBulletin version 6.0.4. Users are strongly advised to upgrade to the latest version of vBulletin (6.1.1) which is unaffected by this vulnerability. The patched versions include vBulletin 6.0.3 Patch Level 1, 6.0.2 Patch Level 1, 6.0.1 Patch Level 1, and 5.7.5 Patch Level 3 (KEVIntel Blog).

The vulnerability has gained significant attention in the security community, with multiple security researchers and platforms acknowledging its severity. It was quickly added to the KEVIntel (Known Exploited Vulnerabilities) database on May 27, 2025, highlighting its critical nature and active exploitation status (KEVIntel).