{"uuid": "09bb682a-81e7-496e-bc9d-ba96274b1f0a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2025-48827", "type": "published-proof-of-concept", "source": "https://t.me/ptswarm/235", "content": "Don't Call That \"Protected\" Method: Dissecting an N-Day vBulletin RCE\n\n\ud83d\udc64 by Egidio Romano\n\nThe article analyzes a critical Unauthenticated Remote Code Execution vulnerability (CVE-2025-48827) in vBulletin, which becomes exploitable when running on PHP 8.1 or newer.\n\nThe vulnerability stems from vBulletin\u2019s misuse of ReflectionMethod::invoke(), which in PHP 8.1+ no longer blocks access to protected methods by default. As a result, attackers can remotely trigger sensitive internal functions originally meant to be inaccessible and achieve code execution on the server.\n\n\ud83d\udcdd Contents:\n\u25cf The Vulnerability\n\u25cf The vBulletin Vulnerability\n\u25cf Exploiting vBulletin: Path to Pre-Auth RCE\n\u25cf Conclusion\n\nhttps://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce", "creation_timestamp": "2025-05-27T08:10:30.000000Z"}