CVE-2011-10018

9.8 CRITICAL

📋 TL;DR

CVE-2011-10018 is a critical backdoor vulnerability in myBB 1.6.4 that allows unauthenticated remote attackers to execute arbitrary PHP code via manipulated cookies. This results in complete compromise of the web server running the vulnerable myBB installation. All users running myBB 1.6.4 are affected.

💻 Affected Systems

Products:
  • myBB
Versions: 1.6.4 only
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Only the 1.6.4 package distributed between October 4 and 6, 2011 contains the backdoor. 1.6.4 packages obtained before that window and all other versions are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server takeover with attacker gaining full control over the web server, allowing data theft, malware deployment, and use as a pivot point for further network attacks.

🟠 Likely Case

Remote code execution leading to website defacement, data exfiltration, and installation of persistent backdoors or cryptocurrency miners.

🟢 If Mitigated

No impact if the vulnerable version is not deployed or if proper network segmentation and web application firewalls block the exploit.

🌐 Internet-Facing: HIGH - The vulnerability requires no authentication and has public exploits, making internet-facing systems immediate targets.
🏢 Internal Only: MEDIUM - While less exposed, internal systems could still be compromised through phishing or internal attackers.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Metasploit module available, simple cookie manipulation required. The backdoor was intentionally inserted during packaging.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.6.5, or a fresh download of 1.6.4 obtained after October 6, 2011

Vendor Advisory: https://blog.mybb.com/2011/10/06/1-6-4-security-vulnerabilit/

Restart Required: No

Instructions:

1. Immediately upgrade to myBB 1.6.5 or later.
2. If staying on 1.6.4, re-download it from the official source after October 6, 2011.
3. Replace all myBB files with the clean version.
4. Verify that no backdoor files remain.

🔧 Temporary Workarounds

Web Application Firewall Rule

Platform: all

Block requests containing the malicious cookie pattern used in exploitation

File Integrity Monitoring

Platform: linux

Monitor for unauthorized PHP file modifications in myBB directories. Build the baseline from a freshly downloaded clean copy: a baseline taken from an already backdoored install would only confirm that the backdoor has not changed.

find /path/to/mybb -name "*.php" -exec md5sum {} \; > baseline.md5
md5sum -c baseline.md5 2>/dev/null | grep -v ': OK$'

🧯 If You Can't Patch

  • Immediately take the affected system offline until it can be patched
  • Implement strict network segmentation to isolate the vulnerable system from critical assets

🔍 How to Verify

Check if Vulnerable:

Check whether the installation is running myBB 1.6.4 and verify file hashes against a known clean copy. Look for suspicious code in inc/class_core.php around line 284.

Check Version:

grep -i 'mybb version' inc/init.php | head -1

Verify Fix Applied:

Verify that the version is 1.6.5 or later, and check that inc/class_core.php does not contain the backdoor code (an eval() of base64_decode() output).

📡 Detection & Monitoring

Log Indicators:

  • Unusual cookie values in web logs, particularly ones carrying base64-encoded content
  • Unexpected PHP file creation or modification in myBB directories
  • Suspicious eval() function calls in application logs

Network Indicators:

  • HTTP requests with manipulated 'collapsed' cookie parameter
  • Outbound connections from web server to unknown IPs

SIEM Query:

web_access_logs WHERE uri CONTAINS 'index.php' AND cookie CONTAINS 'collapsed' AND cookie MATCHES '.*[A-Za-z0-9+/]{50,}=*.*'
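The SIEM rule above applied to access-log lines in code, as an added example that is not part of the original advisory. It assumes a log format in which the Cookie header is the last quoted field, uses constructed sample lines, and narrows the base64 test to the value of the 'collapsed' cookie so that long session identifiers in other cookies are not flagged.

```python
import base64
import re

# Constructed stand-in for a long base64-looking cookie value; it encodes
# harmless text and exists only to exercise the rule.
PLACEHOLDER_B64 = base64.b64encode(b"constructed placeholder value " * 3).decode()

# Constructed access-log lines (not real traffic). Assumed format: client, ident,
# user, [time], "request line", status, bytes, then the Cookie header quoted.
SAMPLE_LOG = f"""\
203.0.113.10 - - [05/Oct/2011:10:00:01 +0000] "GET /forum/index.php HTTP/1.1" 200 5120 "mybbuser=1_abc; collapsed=quick_reply|forum_2"
203.0.113.11 - - [05/Oct/2011:10:00:02 +0000] "GET /forum/showthread.php?tid=5 HTTP/1.1" 200 8000 "collapsed=forum_2"
198.51.100.7 - - [05/Oct/2011:10:00:03 +0000] "GET /forum/index.php HTTP/1.1" 200 5120 "collapsed={PLACEHOLDER_B64}"
198.51.100.8 - - [05/Oct/2011:10:00:04 +0000] "POST /forum/index.php HTTP/1.1" 200 300 "sid={PLACEHOLDER_B64}"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<cookie>[^"]*)"$'
)
# Same run the advisory's SIEM query looks for: 50+ base64 characters, optional '=' padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{50,}=*")


def parse_cookies(header):
    """Split a Cookie header into a name -> value dict (values may contain '=')."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def is_suspicious(cookie_header, uri):
    """Rule: request to index.php, 'collapsed' cookie present, its value holds a long base64 run."""
    if "index.php" not in uri:
        return False
    cookies = parse_cookies(cookie_header)
    if "collapsed" not in cookies:
        return False
    return B64_RUN.search(cookies["collapsed"]) is not None


def scan_log(text):
    """Return (client, time, uri) for each flagged line; lines that do not parse are skipped."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_suspicious(m["cookie"], m["uri"]):
            hits.append((m["ip"], m["time"], m["uri"]))
    return hits


if __name__ == "__main__":
    for ip, when, uri in scan_log(SAMPLE_LOG):
        print(f"suspicious 'collapsed' cookie from {ip} at {when} on {uri}")
```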
