CVE ID: CVE-2011-10018
CVSS v4: 10.0 Critical
Publish Date: August 13 2025
Last Updated: August 14 2025
TL;DR
myBB version 1.6.4 was released with an unauthorized backdoor embedded in the source code. This flaw allows remote, unauthenticated attackers to execute arbitrary PHP code via a specially crafted collapsed cookie, leading to full compromise of the web server in the context of the application.
Affected Versions
- myBB 1.6.4 (only). The backdoor was introduced during packaging and was not part of the intended application logic.
Vulnerability Details
- Type: Backdoor leading to arbitrary code injection (CWE 912, hidden functionality; CWE 94, code injection)
- Description: The malicious backdoor enables remote attackers to send a collapsed cookie that triggers arbitrary PHP code execution. No authentication is required, and exploitation results in full compromise of the web server.
Recommended Action
- Immediate update — if you are running myBB 1.6.4, upgrade to a clean, backdoor-free version such as 1.6.5 or later.
- Audit deployments — confirm that your installation was not tampered with; compare packaged files to the official myBB repository.
- Incident response — if you have used 1.6.4 in production, assume compromise, isolate the server, perform a forensic review, and rebuild from trusted sources.
Affected Environments
- Any site running myBB 1.6.4, especially public-facing forums, is at high risk and should be prioritized for immediate remediation.
TTP Mapping (MITRE ATT&CK)
- Execution / Privilege Escalation: Automatic code execution of attacker-supplied payload via HTTP (collapsed cookie), enabling unauthorized control of the application and host.