Critical vBulletin Zero-Day Exploited in the Wild: What Admins Need to Know Now

Cybersecurity experts have confirmed a dangerous wave of real-world attacks targeting vBulletin, one of the most widely used forum platforms on the web. Two critical vulnerabilities tracked as CVE-2025-48827 and CVE-2025-48828 are now being actively exploited, despite patches being available for over a year. This breach reaffirms the risks of leaving legacy software unpatched and underscores how quickly attackers can move once a flaw is made public.

vBulletin Under Attack: What You Need to Know

Security researchers have officially confirmed that hackers are actively exploiting two major remote code execution (RCE) vulnerabilities in the popular vBulletin forum software. The flaws affect versions from 5.0.0 up to 6.0.3, which have been widely deployed across websites since the early 2000s. The vulnerabilities reside in the endpoint ajax/api/ad/replaceAdTemplate, allowing attackers to run arbitrary code without needing to authenticate.

Karma(In)Security publicly disclosed the issues on May 23, 2025, along with a proof-of-concept (PoC) that likely helped attackers weaponize the exploit. Although patched versions were released as early as April 2024, thousands of sites likely remain unpatched. The officially fixed versions include vBulletin 6.0.3 Patch Level 1, 6.0.2 Patch Level 1, 6.0.1 Patch Level 1, and 5.7.5 Patch Level 3. The latest secure version is vBulletin 6.1.1.

On May 26, 2025, exploitation attempts were observed originating from a Polish IP address (195.3.221.137). The attackers used a POST request with a malicious payload that mirrors the original PoC:

```html

```

This code allows execution of arbitrary commands from the attacker, effectively handing them full control of the server. Researchers noted that the user-agent mimicked a standard Chrome browser to avoid basic detection tools.

SANS Internet Storm Center also reported increasing scans of the vulnerable endpoint starting May 25. These scans indicate that several threat groups are actively hunting for outdated vBulletin installations. Within just 72 hours of the vulnerability being disclosed, a Nuclei scanning template was released, accelerating the scanning activity globally.
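To check your own web server logs for the scanning and exploitation attempts described above, the following added example (not code from the article, the researchers or vBulletin) flags requests that name the replaceAdTemplate endpoint and separates probes from POSTs that reached the application. It assumes Apache/nginx combined log format and matches the endpoint anywhere in the URL-decoded request target; the sample log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

ENDPOINT = "ajax/api/ad/replaceadtemplate"  # endpoint named in the article, lowercased

# Assumes Apache/nginx "combined" log format; adapt the regex for other layouts.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def decode_target(target, rounds=3):
    """URL-decode repeatedly so %2F and double-encoded forms still match."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.lower()

def find_hits(lines):
    """Map client IP -> [(timestamp, method, status)] for requests naming the endpoint."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and ENDPOINT in decode_target(m["target"]):
            hits[m["ip"]].append((m["ts"], m["method"], int(m["status"])))
    return dict(hits)

def triage(hits):
    """'investigate': a POST got a 2xx, so it reached the application (not proof
    of compromise; check the patch level and host). Anything else is 'probe'."""
    return {ip: "investigate" if any(meth == "POST" and 200 <= st < 300
                                     for _, meth, st in reqs) else "probe"
            for ip, reqs in hits.items()}

# Constructed sample lines (RFC 5737 documentation addresses, invented timestamps).
UA = '"-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/125.0.0.0 Safari/537.36"'
SAMPLE_LOG = [
    f'192.0.2.44 - - [26/May/2025:09:14:02 +0000] "POST /ajax/api/ad/replaceAdTemplate HTTP/1.1" 200 187 {UA}',
    f'203.0.113.7 - - [26/May/2025:09:20:11 +0000] "GET /index.php?routestring=ajax%2Fapi%2Fad%2FreplaceAdTemplate HTTP/1.1" 404 0 {UA}',
    f'198.51.100.23 - - [26/May/2025:09:31:45 +0000] "POST /forum/ajax/api/ad/replaceAdTemplate HTTP/1.1" 403 0 {UA}',
    f'198.51.100.9 - - [26/May/2025:09:32:10 +0000] "GET /forum/showthread.php?t=42 HTTP/1.1" 200 5120 {UA}',
]

if __name__ == "__main__":
    found = find_hits(SAMPLE_LOG)
    for ip, verdict in sorted(triage(found).items()):
        print(ip, verdict, found[ip])
```

The user-agent is deliberately ignored as a signal, since the observed requests presented a standard Chrome user-agent.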

Organizations running vBulletin are strongly urged to verify their version immediately and apply the available patches. Any forum software not updated in the past year is likely at risk. Admins are also advised to upgrade to version 6.1.1 for maximum protection.

This fast-moving attack cycle—disclosure, scanning, exploitation—illustrates how important timely patching is. The flaw is expected to be added soon to the CISA Known Exploited Vulnerabilities (KEV) catalog, which means it could become a regulatory compliance issue for many organizations.

What Undercode Say:

The recent exploitation of

The fact that the flaw exists in an endpoint related to advertising (replaceAdTemplate) is particularly alarming. These endpoints are rarely monitored or hardened compared to core authentication or database functions. This provides attackers with a low-profile entry point into potentially high-value systems.

vBulletin has long been a favorite target for attackers due to its widespread usage and PHP/MySQL architecture, which is easier to reverse engineer. Add to that the slow patch cycles for many forum administrators and you have a near-perfect storm. Forums are often forgotten background infrastructure, still running on autopilot years after launch. In many cases, admins are no longer available or involved, which leaves these platforms dangerously exposed.

The observed attacker using a Polish IP and Chrome user-agent string is a clear attempt to blend in with legitimate traffic. This shows growing sophistication even among low-level hackers, who are now routinely using evasion tactics. The malicious payload itself is relatively simple, relying on basic PHP functions like passthru() to execute shell commands. But simplicity doesn’t mean low impact—in the right hands, that’s all you need to dump databases, upload malware, or pivot deeper into an organization’s infrastructure.

The situation also shows the power of open-source scanning tools like Nuclei. With a template released just one day after the PoC, threat actors had everything they needed to automate detection and exploitation at scale. This kind of tooling shortens the attacker’s window to hours, not weeks.

The call to action is loud and clear: administrators must be proactive. Any vBulletin installation that hasn’t been updated to one of the patched versions—or better, to 6.1.1—is in danger. And this is not just about forum content. These platforms often store user data, IP logs, email addresses, and even OAuth credentials. The potential for secondary breaches is very real.

Looking ahead, we can expect these vulnerabilities to be weaponized further. Exploits may be bundled into botnets, ransomware kits, or sold on the dark web. The early appearance of scanning activity in DShield logs confirms broad interest from the hacker community. The longer systems remain unpatched, the more likely it is that they will be compromised.

Fact Checker Results ✅

The vulnerabilities CVE-2025-48827 and CVE-2025-48828 are officially confirmed and documented
Exploitation was observed less than three days after disclosure, with IP and payload details matching reports
The latest version, vBulletin 6.1.1, is currently immune to this attack and should be used immediately 🛡️

Prediction 🔮

If past incidents are any indicator, we can expect a surge in automated bot attacks targeting unpatched vBulletin forums throughout June 2025. This vulnerability is likely to be exploited at scale in ransomware campaigns or defacement attacks. Admins who delay patching risk becoming part of the next major data breach headline. As vBulletin continues to be used in legacy environments, long-term vigilance and proactive patching will be essential.

References:

Reported By: cyberpress.org