Cyber Resilience

CVE-2025-48828

Critical · Public PoC

Published: 27 May 2025
Modified: 25 June 2025
KEV Added: not listed
CVSS Score (v3.1): 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.7368 (98.8th percentile)
Risk Priority: 62 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-48828 is a critical-severity Improper Protection of Alternate Path (CWE-424) vulnerability in vBulletin (vendor: vbulletin, product: vbulletin). Its CVSS base score is 9.0 (Critical).

Operationally, its EPSS score places it in the top 1.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

Certain vBulletin versions are affected by a vulnerability in the template engine that permits arbitrary PHP code execution through abuse of Template Conditionals. Attackers can bypass existing security checks by supplying template code that uses an alternative PHP function invocation syntax, such as the "var_dump"("test") form, rather than the standard call syntax that the checks expect.

Remote, unauthenticated attackers can exploit the flaw over the network to achieve code execution with high impact on confidentiality, integrity, and availability. The issue was exploited in the wild in May 2025. Its CVSS 3.1 base score is 9.0.

Public analyses at the referenced URLs document the bypass technique and its consequences but do not detail official patches or mitigation steps. The EPSS score rose from an initially low value to a peak of 0.8138 on 2026-04-21 before receding to the current 0.7368, indicating emerging exploitation interest after disclosure.
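The bypass described above comes down to a security check that recognises only one of PHP's call syntaxes. As an added example (not vBulletin's own code; the allow-list, the sample conditions and the function names are constructed for illustration), the Python below puts a naive identifier-only check beside a hardened one that also recognises the quoted-name call form from the advisory and, going beyond the advisory text, rejects variable callees of the form $f(...) whose target cannot be known at check time:

```python
import re

# Conventional call form the naive check expects: a bare identifier used as
# a callee, e.g. count($items). The lookbehind excludes $variables so that
# $count(...) is not mistaken for the allowed helper count(...).
IDENT_CALL = re.compile(r'(?<![\w$])([A-Za-z_]\w*)\s*\(')

# Alternate call form from the advisory: a quoted function name used as the
# callee, e.g. "var_dump"("test") or 'var_dump'('test').
STRING_CALL = re.compile(r'''(["'])([A-Za-z_]\w*)\1\s*\(''')

# Variable-function call, e.g. $callback(...): the callee is unknown when the
# template is checked, so the hardened check rejects it outright.
VAR_CALL = re.compile(r'(\$[A-Za-z_]\w*)\s*\(')

# Hypothetical allow-list of helpers a template condition may call.
ALLOWED = frozenset({"isset", "empty", "count", "strlen", "in_array", "is_array"})


def naive_findings(condition: str) -> set[str]:
    """Disallowed callees found by the conventional-syntax check only."""
    return {m.group(1) for m in IDENT_CALL.finditer(condition)} - ALLOWED


def hardened_findings(condition: str) -> set[str]:
    """Disallowed callees found when every call syntax is considered."""
    names = {m.group(1) for m in IDENT_CALL.finditer(condition)}
    names |= {m.group(2) for m in STRING_CALL.finditer(condition)}
    flagged = names - ALLOWED
    # A variable callee is never allowed, whatever its name.
    flagged |= {m.group(1) for m in VAR_CALL.finditer(condition)}
    return flagged


def is_safe_condition(condition: str, hardened: bool = True) -> bool:
    """True when the chosen check finds nothing to object to."""
    check = hardened_findings if hardened else naive_findings
    return not check(condition)


# Constructed sample conditions (not taken from any real template).
SAMPLE_CONDITIONS = [
    "isset($user['name']) AND count($items) > 0",  # benign
    "strlen($title) > 40",                           # benign
    "var_dump($secret)",                             # conventional call form
    '"var_dump"("test")',                            # alternate form from the advisory
    "$callback($data)",                              # variable callee
]


def compare(conditions=SAMPLE_CONDITIONS) -> dict[str, tuple[bool, bool]]:
    """Map each condition to (naive verdict, hardened verdict); True = passes."""
    return {
        c: (is_safe_condition(c, hardened=False), is_safe_condition(c))
        for c in conditions
    }


if __name__ == "__main__":
    for cond, (naive_ok, hard_ok) in compare().items():
        print(f"{cond!r:48} naive={'pass' if naive_ok else 'BLOCK':5} "
              f"hardened={'pass' if hard_ok else 'BLOCK'}")
```

Running the block shows the gap the advisory describes: the quoted-name form passes the naive check untouched while the hardened check blocks it. Regex matching is used here for brevity; a production check would operate on the parsed expression so that comments, string concatenation and whitespace tricks cannot separate a name from its call.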

Vulnerability details

Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. By crafting template code in an alternative PHP function invocation syntax, such as the "var_dump"("test") syntax, attackers can bypass security checks and execute arbitrary PHP code, as exploited in the wild in May 2025.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: vbulletin
Product: vbulletin
Version: 6.0.3

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-424: Documenting requirements and authorizing remote access ensures proper protection of alternate paths.
