CVE-2011-10018
Published: 13 August 2025
Summary
CVE-2011-10018 is a critical-severity Code Injection (CWE-94) vulnerability in Mybb Mybb. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 2.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-7 (Software, Firmware, and Information Integrity).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Verifies authenticity of software components like the MyBB 1.6.4 package to prevent installation of tampered versions containing unauthorized backdoors introduced during packaging.
Identifies, reports, and corrects known flaws such as the CVE-2011-10018 backdoor through timely testing and deployment of patches or upgrades.
Employs integrity verification tools to detect unauthorized code modifications like the embedded backdoor in MyBB source code and prevent exploitation.
NVD Description
myBB version 1.6.4 was distributed with an unauthorized backdoor embedded in the source code. The backdoor allowed remote attackers to execute arbitrary PHP code by injecting payloads into a specially crafted collapsed cookie. This vulnerability was introduced during packaging and…
more
was not part of the intended application logic. Exploitation requires no authentication and results in full compromise of the web server under the context of the web application.
Deeper analysisAI
CVE-2011-10018 is an unauthorized backdoor embedded in the source code of MyBB version 1.6.4, a forum software package. The backdoor allows remote attackers to execute arbitrary PHP code by injecting payloads into a specially crafted collapsed cookie. This flaw was introduced during packaging and was not part of the intended application logic, affecting installations running this specific version.
The vulnerability can be exploited by any remote attacker with network access, requiring no authentication, privileges, or user interaction. Successful exploitation results in full compromise of the web server under the context of the web application, enabling complete control including confidentiality, integrity, and availability impacts, as reflected in its CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). It is associated with CWE-94 (Code Injection) and CWE-912 (Hidden Trust Zone).
Advisories and references, including the MyBB blog post on the 1.6.4 security vulnerability, Secunia advisory 46300, Vulncheck advisory on the backdoor, and public exploits on Exploit-DB (17949) and a Metasploit module, document the issue and provide details on patches or remediation.
Exploitation tools like the Metasploit module and Exploit-DB entry indicate real-world exploit availability since 2011, though the CVE was formally published in the NVD in 2025.
Details
- CWE(s)