A ten-year-old authentication bypass vulnerability in the phpBB forum software has been patched. The flaw potentially allowed unauthorized access to any user account, including administrator accounts, and went undetected for a decade; it could have enabled attackers to compromise forum operations and steal sensitive user data.

The vulnerability is considered critical due to the severity of authentication bypass attacks. While BleepingComputer did not provide a CVSS score, the bug's long persistence and ability to grant full administrative access indicate a high-impact threat. Active exploitation details were not confirmed, but the widespread use of phpBB for community forums makes this a significant concern.

The attack vector involves manipulating the authentication process to bypass login credentials. The exploit mechanism appears to be tied to the session handling or password validation logic in older versions of the software. Specific indicators of compromise (IoCs) were not disclosed, but signs of abuse may include unusual account logins from unexpected IP addresses or newly created accounts holding administrator privileges.

phpBB has released a security update addressing the vulnerability. Administrators are strongly urged to upgrade their installations immediately to the latest version. The patch is available through the official phpBB website, and users running affected versions should apply it without delay. No workaround was provided, making the patch essential for protection.

Attribution for the discovery was not specified in the source. The bug's decade-long presence highlights challenges in maintaining legacy open-source software security. This incident underscores the need for regular code audits and rapid patch deployment in widely used platforms like phpBB.