CyberSecurity news

FlagThis - #exploit

Bill Toulas@BleepingComputer //
Two critical vulnerabilities, CVE-2025-48827 and CVE-2025-48828, have been identified in vBulletin forum software, impacting versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3. The vulnerabilities enable API abuse and remote code execution, posing a significant threat to forums running the affected versions. Security experts warn that one of these vulnerabilities is already being actively exploited in the wild, making it crucial for administrators to take immediate action.

The flaws are rated as critical, with CVE-2025-48827 receiving a CVSS v3 score of 10.0 and CVE-2025-48828 receiving a score of 9.0. CVE-2025-48827 is an API method invocation issue, allowing unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later. The second flaw, CVE-2025-48828, enables attackers to run arbitrary PHP code by abusing template conditionals. Both vulnerabilities were discovered by security researcher Egidio Romano on May 23, 2025, and exploit attempts were observed in the wild shortly after disclosure.

vBulletin users are urged to immediately apply patches released last year that remediate both vulnerabilities or to upgrade to the latest version 6.1.1. The vulnerabilities were likely patched quietly last year with the release of Patch Level 1 for all versions of the 6.* release branch. Security researchers recommend that defenders and developers review their frameworks and custom APIs, especially if they are dynamically routing controller methods through Reflection. They also suggest auditing access restrictions and examining application behavior across different PHP versions to prevent similar exploits.
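The review recommended above can be illustrated with a small PHP sketch of a Reflection-based dispatcher, shown unchecked and then hardened. This is an added example, not vBulletin code or code from the cited reports; the class, method and function names are hypothetical. It relies on one documented PHP behavior: since PHP 8.1, `ReflectionMethod::invoke()` no longer refuses protected or private methods, so a dispatcher that leaned on that refusal behaves differently across PHP versions.

```php
<?php
declare(strict_types=1);

// Hypothetical controller: one public API method, one internal helper.
final class ExampleApiController
{
    public function listThreads(): string { return 'public thread list'; }
    protected function rebuildCache(): string { return 'internal maintenance ran'; }
}

// Pattern to look for in an audit: the method name comes from the request and
// visibility is never checked. Before PHP 8.1, invoke() threw
// ReflectionException for a protected method unless setAccessible(true) had
// been called; since 8.1 it succeeds, so that implicit guard is gone.
function dispatchUnchecked(object $controller, string $method): string
{
    return (string) (new ReflectionMethod($controller, $method))->invoke($controller);
}

// Hardened form: explicit allowlist plus explicit visibility checks, so the
// outcome does not depend on the PHP version.
function dispatchChecked(object $controller, string $method, array $allowed): string
{
    if (!in_array($method, $allowed, true) || !method_exists($controller, $method)) {
        throw new RuntimeException('unknown API method');
    }
    $ref = new ReflectionMethod($controller, $method);
    if (!$ref->isPublic() || $ref->isStatic() || $ref->isAbstract()) {
        throw new RuntimeException('method is not a public API entry point');
    }
    return (string) $ref->invoke($controller);
}

$controller = new ExampleApiController();
$allowed = ['listThreads']; // constructed allowlist for this example

foreach (['listThreads', 'rebuildCache'] as $name) {
    try {
        $unchecked = dispatchUnchecked($controller, $name);
    } catch (ReflectionException $e) {
        $unchecked = 'blocked by reflection (PHP < 8.1)';
    }
    try {
        $checked = dispatchChecked($controller, $name, $allowed);
    } catch (RuntimeException $e) {
        $checked = 'rejected: ' . $e->getMessage();
    }
    printf("PHP %s %-12s unchecked=[%s] checked=[%s]\n", PHP_VERSION, $name, $unchecked, $checked);
}
```

Running the same script under PHP 8.0 and PHP 8.1 or later shows the unchecked column change for the protected method while the checked column stays the same, which is the cross-version comparison the researchers suggest.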


References:
  • cyberpress.org: Severe vBulletin Forum Flaw Enables Remote Code Execution
  • securityonline.info: Critical Pre-Auth RCE: vBulletin Flaw Allows Full Server Compromise (PoC Available)
  • infosec.exchange: A newly discovered vulnerability in vBulletin, one of the world’s most popular forum platforms, has exposed thousands of online communities to the risk of unauthenticated Remote Code Execution
  • Cyber Security News: Severe vBulletin Forum Flaw Enables Remote Code Execution
  • securityaffairs.com: Two flaws in vBulletin forum software are under attack
  • BleepingComputer: Hackers are exploiting critical flaw in vBulletin forum software.
  • www.scworld.com: Attacks exploiting maximum severity vBulletin vulnerability ongoing
Classification:
  • HashTags: #vBulletin #RCE #Exploit
  • Company: vBulletin
  • Target: vBulletin forum users
  • Product: vBulletin
  • Feature: Remote Code Execution
  • Malware: CVE-2025-48827, CVE-2025-48828
  • Type: Vulnerability
  • Severity: Critical
@x.com //
A staggering $223 million has been stolen from Cetus Protocol, a decentralized exchange operating on the Sui blockchain. This exploit represents another significant blow to investor confidence in the decentralized finance (DeFi) space. The incident occurred on May 22, 2025, prompting Cetus to initiate an emergency pause of its smart contract upon detecting suspicious activity. The swift action was aimed at preventing further losses, but the initial damage was substantial, with attackers successfully extracting a massive sum of digital assets.

The Cetus Protocol team acted quickly after discovering the breach. They announced that $162 million of the stolen cryptocurrency had been frozen, leaving approximately $61 million still unaccounted for. The project has also announced a $5 million bounty for anyone who can provide relevant information that leads to the identification and arrest of the attacker. In addition, Cetus Protocol is offering a deal to the hacker, promising to cease all legal action if the stolen funds are returned.

This incident has raised concerns about the true decentralization of Cetus Protocol, with some questioning how funds could be frozen so readily. The exploit highlights the ongoing challenges and risks associated with DeFi platforms, even those built on newer blockchain ecosystems like Sui. The investigation into the theft is ongoing, with Cetus Protocol working with law enforcement agencies in hopes of recovering the remaining stolen funds and bringing the perpetrators to justice.


References:
  • DataBreaches.Net: Bill Toulas reports: The decentralized exchange Cetus Protocol announced that hackers have stolen $223 million in cryptocurrency and is offering a deal to stop all legal action if the funds are returned. The project also announced a $5 million bounty to anyone providing relevant information leading to the identification and arrest of the attacker. Cetus...
  • thecyberexpress.com: In the ever-volatile world of decentralized finance (DeFi), yet another major exploit has shaken investor confidence—this time with a staggering $223 million theft from Cetus Protocol, a key player in the Sui blockchain ecosystem. On May 22, Cetus an emergency pause of its smart contract following the detection of “an incident” impacting the protocol. Within hours, the scope of the breach became alarmingly clear: attackers had siphoned off roughly $223 million in digital assets. While the team acted swiftly to lock down the contract and halt further losses, the damage had already been done.
  • x.com: An attacker stole $223 million from the Sui-based Cetus Protocol. The project announced shortly after that $162 million of the funds had been frozen, leaving around $61 million unaccounted for. This led some to question how decentralized the project truly is if the funds can be frozen in such a way.
  • The DefendOps Diaries: Explore the $223M Cetus Protocol heist, highlighting DeFi security vulnerabilities and the need for robust protection measures.
  • x.com: Cetus Protocol an emergency pause of its smart contract following the detection of “an incident” impacting the protocol.
Classification:
  • HashTags: #CetusProtocol #DeFi #Exploit
  • Company: Cetus Protocol
  • Target: Cetus Protocol
  • Attacker: Hacker(s)
  • Product: Cetus Protocol
  • Feature: DeFi Exploit
  • Type: Hack
  • Severity: Major