
0day for vBulletin: PoC is already online, but no one is installing the patch

In Vulnerabilities, Data Breach News
June 02, 2025

When criminals notice that there is an unpatched vulnerability, expect more attacks to follow. A Russian-language forum recently picked up a report from SecurityLab.ru. It begins (translation):

Popular forums on vBulletin have once again been found to have holes through which arbitrary code can be executed directly on the server – without a login and password. We are talking about two critical vulnerabilities at once, which have received the identifiers CVE-2025-48827 and CVE-2025-48828. The first of them is already used in real attacks, and the second allows the chain to be completed to a full seizure of control over the system.

The vulnerabilities were discovered on May 23, 2025, by independent researcher Egidio Romano (EgiX), who published a detailed technical analysis describing the exploitation mechanisms. At the center of the entire structure are changes in the behavior of PHP since version 8.1 and errors in the logic of the vBulletin template engine. Together, they give an unexpected and dangerous result: remote, unauthenticated execution of arbitrary commands on the server.

Read more at SecurityLab.ru.