CVE-2011-10018

CRITICAL

myBB 1.6.4 - Unauthenticated Remote Code Execution via Collapsed Cookie Backdoor

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2011-10018. PoCs have been published by Metasploit and tdz, including the Metasploit module exploits/unix/webapp/mybb_backdoor.

AI-analyzed exploit summary: This exploit targets a backdoor in myBB 1.6.4, where a maliciously crafted cookie can execute arbitrary PHP code. The payload is encoded and sent via the 'collapsed' cookie parameter.

Description

myBB version 1.6.4 was distributed with an unauthorized backdoor embedded in the source code. The backdoor allowed remote attackers to execute arbitrary PHP code by injecting payloads into a specially crafted collapsed cookie. This vulnerability was introduced during packaging and was not part of the intended application logic. Exploitation requires no authentication and results in full compromise of the web server in the security context of the web application process.

Exploits (2)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · webapps · php
https://www.exploit-db.com/exploits/17949

This exploit targets a backdoor in myBB 1.6.4, where a maliciously crafted cookie can execute arbitrary PHP code. The payload is encoded and sent via the 'collapsed' cookie parameter.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: myBB 1.6.4
Authentication: none required
Prerequisites: Target must be running myBB 1.6.4 with the backdoor present
Analyzed by devstral-2 on Feb 16, 2026
metasploit · WORKING POC · EXCELLENT
by tdz · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/mybb_backdoor.rb

This Metasploit module exploits a backdoor in myBB 1.6.4 by injecting arbitrary PHP code via a maliciously crafted cookie. The payload is executed when the server processes the cookie, leading to remote command execution.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: myBB 1.6.4
Authentication: none required
Prerequisites: Target must be running myBB 1.6.4 with the backdoor present
Analyzed by devstral-2 on Feb 16, 2026

Scores

CVSS v3 9.8
EPSS 0.6812
EPSS Percentile 98.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-912 (Hidden Functionality), CWE-94 (Code Injection)
Status published
Products (2)
mybb/mybb 1.6.4
myBB Group/Forum Software 1.6.4
Published Aug 13, 2025
Tracked Since Feb 18, 2026