myBB version 1.6.4 was distributed with an unauthorized backdoor embedded in the source code. The backdoor allowed remote attackers to execute arbitrary PHP code by injecting payloads into a specially crafted collapsed cookie. This vulnerability was introduced during packaging and was not part of the intended application logic. Exploitation requires no authentication and results in full compromise of the web server under the context of the web application.
The backdoor was introduced into the MyBB 1.6.4 distribution package during the packaging stage — it was not part of the original application logic. An attacker can execute arbitrary PHP code by injecting an appropriately prepared payload into a specially constructed cookie header named 'collapsed'. The exploit does not require authentication or any user interaction, and code execution occurs in the context of web application permissions on the server.
An attacker gains the ability to execute arbitrary PHP code on the server, resulting in complete takeover of the web server, including access to application data, database, and the possibility of further lateral movement in the infrastructure.
MyBB should be immediately updated to a version higher than 1.6.4 or patches indicated by the vendor in the official security notice (blog.mybb.com) should be applied. All installations based on version 1.6.4 should be treated as fully compromised and a server security audit should be conducted.
MyBB version 1.6.4 — only this version was distributed with the embedded backdoor
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XMybb
APPMybb1.6.4
Related vulnerabilities
Installer RCE on settings file write in MyBB before 1.8.22.
The installer in MyBB before 1.8.13 allows remote attackers to execute arbitrary code by writing to the config...
MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allow attackers to have unspecified...
SQL injection vulnerability in the Group Promotions module in the admin control panel in MyBB (aka MyBulletinB...
SQL injection vulnerability in the moderation tool in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge S...