CVE-2025-48828
Published: 27 May 2025
Summary
CVE-2025-48828 is a critical-severity Improper Protection of Alternate Path (CWE-424) vulnerability in vBulletin. Its CVSS base score is 9.0 (Critical).
Operationally, it ranks in the top 1.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
Certain vBulletin versions are affected by a vulnerability in the template engine that permits arbitrary PHP code execution through abuse of Template Conditionals. Attackers can bypass the existing security checks by supplying template code that calls a function through an alternative PHP invocation syntax, such as the "var_dump"("test") form (a string literal used as the callee), rather than the standard name-based call syntax that the checks expect.
Remote, unauthenticated attackers can exploit the flaw over the network to achieve code execution with high impact on confidentiality, integrity, and availability. The issue was exploited in the wild in May 2025, consistent with its CVSS 3.1 score of 9.0.
Public analyses at the referenced URLs document the bypass technique and its consequences but do not detail official patches or mitigation steps. The EPSS score rose from an initially low value to a peak of 0.8138 on 2026-04-21 before receding to the current 0.7368, indicating emerging exploitation interest after disclosure.
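The bypass described above comes down to a check that recognises only the standard `name(...)` call form. The following added example (not vBulletin's own code; the allow-list and function names are hypothetical) contrasts a naive name-based check, which never sees the callee in `"var_dump"("test")`, with a tokenizer-based check that rejects any call whose callee is not a bare, allow-listed identifier:

```php
<?php
// Added illustration, not vBulletin's template engine.
// ALLOWED_FUNCTIONS is a hypothetical allow-list of functions a
// template conditional may call.
const ALLOWED_FUNCTIONS = ['count', 'strlen', 'in_array'];

// Naive check: finds identifier( patterns and compares the identifier to the
// allow-list. In "var_dump"("test") the callee is a string literal, so the
// regex matches nothing and the expression is wrongly accepted.
function naiveConditionalIsSafe(string $expr): bool
{
    if (!preg_match_all('/\b([A-Za-z_]\w*)\s*\(/', $expr, $m)) {
        return true; // no name-based call found: looks harmless to this check
    }
    foreach ($m[1] as $name) {
        if (!in_array(strtolower($name), ALLOWED_FUNCTIONS, true)) {
            return false;
        }
    }
    return true;
}

// Token-based check: for every "(" inspect the preceding significant token.
// Only a bare T_STRING on the allow-list may act as a callee; a string literal,
// a variable, or a closing ")" / "]" in callee position is rejected. A "(" that
// follows an operator (or starts the expression) is grouping, not a call.
function tokenConditionalIsSafe(string $expr): bool
{
    $tokens = token_get_all('<?php ' . $expr . ';');
    $prev = null;
    foreach ($tokens as $tok) {
        if (is_array($tok) && in_array($tok[0], [T_OPEN_TAG, T_WHITESPACE, T_COMMENT], true)) {
            continue;
        }
        if ($tok === '(') {
            if (is_array($prev)) {
                // Callee is a token: only allow-listed plain identifiers pass.
                if ($prev[0] !== T_STRING || !in_array(strtolower($prev[1]), ALLOWED_FUNCTIONS, true)) {
                    return false; // "var_dump"(...), $var(...), isset(...) etc.
                }
            } elseif ($prev === ')' || $prev === ']') {
                return false; // (expr)(...) or $a[0](...) call forms
            }
        }
        $prev = $tok;
    }
    return true;
}

var_dump(naiveConditionalIsSafe('"var_dump"("test")'));   // true  (bypass missed)
var_dump(tokenConditionalIsSafe('"var_dump"("test")'));   // false (rejected)
var_dump(tokenConditionalIsSafe('count($x) > (1 + 2)'));  // true  (legitimate use)
```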
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-28268
Vulnerability details
Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. By crafting template code in an alternative PHP function invocation syntax, such as the "var_dump"("test") syntax, attackers can bypass security checks and execute arbitrary PHP code, as exploited in the wild in May 2025.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Documenting access requirements and explicitly authorizing each remote access path helps ensure that alternate paths to protected functionality receive the same protection as the primary path (CWE-424).