Skip to content Dark Web Informer - Cyber Threat Intelligence

CVE-2011-10018: myBB 1.6.4 Backdoor Arbitrary PHP Code Execution

CVE ID: CVE-2011-10018
CVSS v4: 10.0 Critical
Publish Date: August 13 2025
Last Updated: August 14 2025


TL;DR

myBB version 1.6.4 was released with an unauthorized backdoor embedded in the source code. This flaw allows remote, unauthenticated attackers to execute arbitrary PHP code via a specially crafted collapsed cookie, leading to full compromise of the web server in the context of the application.


Affected Versions

  • myBB 1.6.4 (only). The backdoor was introduced during packaging and was not part of the intended application logic.

Vulnerability Details

  • Type: Backdoor leading to arbitrary code injection (CWE 912, hidden functionality; CWE 94, code injection)
  • Description: The malicious backdoor enables remote attackers to send a collapsed cookie that triggers arbitrary PHP code execution. No authentication is required, and exploitation results in full compromise of the web server.

  1. Immediate update — if you are running myBB 1.6.4, upgrade to a clean, backdoor-free version such as 1.6.5 or later.
  2. Audit deployments — confirm that your installation was not tampered with; compare packaged files to the official myBB repository.
  3. Incident response — if you have used 1.6.4 in production, assume compromise, isolate the server, perform a forensic review, and rebuild from trusted sources.

Affected Environments

  • Any site running myBB 1.6.4, especially public-facing forums, is at high risk and should be prioritized for immediate remediation.

TTP Mapping (MITRE ATT&CK)

  • Execution / Privilege Escalation: Automatic code execution of attacker-supplied payload via HTTP (collapsed cookie), enabling unauthorized control of the application and host.

References

Latest