CVE-2011-10018: myBB 1.6.4 Backdoor Arbitrary PHP Code Execution

CVE ID: CVE-2011-10018
CVSS v4: 10.0 Critical
Publish Date: August 13 2025
Last Updated: August 14 2025

TL;DR

myBB version 1.6.4 was released with an unauthorized backdoor embedded in the source code. This flaw allows remote, unauthenticated attackers to execute arbitrary PHP code via a specially crafted collapsed cookie, leading to full compromise of the web server in the context of the application.

Affected Versions

• myBB 1.6.4 (only). The backdoor was introduced during packaging and was not part of the intended application logic.

Vulnerability Details

• Type: Backdoor leading to arbitrary code injection (CWE 912, hidden functionality; CWE 94, code injection)
• Description: The malicious backdoor enables remote attackers to send a collapsed cookie that triggers arbitrary PHP code execution. No authentication is required, and exploitation results in full compromise of the web server.

Recommended Action

1. Immediate update — if you are running myBB 1.6.4, upgrade to a clean, backdoor-free version such as 1.6.5 or later.
2. Audit deployments — confirm that your installation was not tampered with; compare packaged files to the official myBB repository.
3. Incident response — if you have used 1.6.4 in production, assume compromise, isolate the server, perform a forensic review, and rebuild from trusted sources.

Affected Environments

• Any site running myBB 1.6.4, especially public-facing forums, is at high risk and should be prioritized for immediate remediation.

TTP Mapping (MITRE ATT&CK)

• Execution / Privilege Escalation: Automatic code execution of attacker-supplied payload via HTTP (collapsed cookie), enabling unauthorized control of the application and host.

References

• NVD entry for CVE-2011-10018
• CVEDetails summary
• GitHub Advisory: myBB 1.6.4 backdoor disclosure