Patch now! Attacks on web forums based on vBulletin
Attackers are currently exploiting a critical vulnerability in vBulletin. Updates mitigate the risk.
In attacks on web forums built with vBulletin, attackers execute malicious code and compromise servers. The two vulnerabilities, which have now been closed, are rated “critical”. However, web forums built with vBulletin are only vulnerable if PHP 8.1 is installed.
The danger
The security researcher who discovered the vulnerabilities (CVE-2025-48827, CVE-2025-48828) is warning of the attacks. The first vulnerability is rated with the maximum possible CVSS score of 10 out of 10. In an article, he provides detailed information on the vulnerabilities.
The security problem lies in the PHP Reflection API under PHP 8.1. In this context, attackers can manipulate areas that are supposed to be protected, bypass security functions and ultimately execute malicious code.
The researcher states that attackers are currently only exploiting the first vulnerability to install a backdoor. Attacks are said to be possible without authentication. The extent of the attacks is currently unclear. According to him, versions 5.0.0 up to and including 5.7.5 and 6.0.0 up to and including 6.0.3 are vulnerable.
Secure your server
To prevent attacks, web admins must ensure that vBulletin 5.7.5 patch level 3 or 6.x patch level 1 is installed. The security updates have been available for more than a year, but have evidently not yet been installed everywhere.
Web forums based on vBulletin are still widespread, and attackers continue to exploit security vulnerabilities to compromise servers. In 2021, cybercriminals distributed ransomware via one such vulnerability.
(des)