BleepingComputer reports that popular open-source commercial PHP/MySQL-based forum software vBulletin has been impacted by a pair of critical flaws, including the maximum severity API method invocation issue, tracked as CVE-2025-48827. Attempted exploitation of the vulnerability, which arose from vBulletin's improper use of the PHP Reflection API and could facilitate remote, unauthenticated code execution, was initially reported on May 26 by security researcher Ryan Dewhurst, who noted that the intrusions involved an earlier exploit released by Egidio Romano, who initially discovered the bug alongside the critical RCE issue, tracked as CVE-2025-48828. Users of vBulletin versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3, where the platform runs on PHP 8.1 or later, have been urged to immediately apply last year's patches remediating both vulnerabilities or upgrade to the latest version, 6.1.1. The development comes as widely used forums have been increasingly breached through the exploitation of significant vBulletin flaws over the years.
Vulnerability Management, Threat Intelligence
Attacks exploiting maximum severity vBulletin vulnerability ongoing
