A 10-year-old authentication bypass vulnerability discovered in the phpBB forum software allows an attacker to log in as any user, including administrators.

The flaw does not have an identifier and is trivial to exploit with a single HTTP request. It impacts phpBB versions 4.0.0-a2 or 3.3.16 and below.

Researchers at application security company Aikido found the bug on June 2nd and reported it through the developer’s HackerOne Vulnerability Disclosure Program.

phpBB responded to the report immediately and addressed the problem on June 6 in version 3.3.17 of the software.

According to Aikido, the flaw was introduced to phpBB’s codebase 10 years ago, impacting all versions of the 3.x and 4.x release branches, up to 3.3.16 and 4.0.0-a2. For the 4.x release, there’s no fix available yet.

phpBB is a PHP-based free and open-source web forum platform that enjoyed peak popularity in the 2000s and early 2010s. Today, it is still powering thousands of forums worldwide.

Aikido says that exploiting the bug requires no special configuration, as it can be triggered on the default settings.

“The vulnerability is exploitable in the default configuration and requires no special knowledge,” reads Aikido’s report.

“If you are on version 4.0.0-a2 or 3.3.16 and below, upgrade immediately to master (no safe 4.x release yet) and 3.3.17, respectively, to avoid compromise.”

Administrator access could allow attackers to view all private messages stored on the forum, create, modify, or delete content and user accounts, impersonate staff, or deface the sites.

Picking targets is also straightforward, as the member list on phpBB forums is public by default.

Aikido notes that remote code execution (RCE) is not possible due to a separate password check that protects the Admin Control Panel.

The researchers withheld all technical details for now to allow forum administrators enough time to apply the security updates and even contacted administrators of large phpBB-based forums to alert them directly.

One thing to note is that the update may cause forums using OAuth authentication to break, because the OAuth redirect handler has moved to a new location, but this should be a simple fix in most cases.

Aikido promised to publish the full details of the flaw in a future report, but did not provide a specific timeline.

Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

Get the whitepaper

A Ukrainian national extradited from Ireland to the United States last year has pleaded guilty to conspiracy charges tied to the Conti ransomware operation.

The U.S. Department of Justice announced Thursday that 44-year-old Oleksii Oleksiyovych Lytvynenko pleaded guilty to conspiracy to commit wire fraud for his role in Conti ransomware attacks conducted between 2021 and 2022.

According to prosecutors, Lytvynenko and his co-conspirators deployed Conti ransomware on victim networks in the United States and abroad, stealing data and encrypting devices to extort Bitcoin ransom payments.

According to the DOJ, Lytvynenko admitted to joining the Conti conspiracy in approximately September 2021 and possessing data stolen from eight U.S. victims and four overseas victims.

He also admitted to joining a team run by another Conti conspirator, where he worked on coding a “loader,” a type of malware used to load software needed to carry out attacks.

The Conti ransomware operation was one of the most prolific cybercrime groups active at the time, targeting hospitals, businesses, schools, and government agencies worldwide.

Court documents state that Conti targeted more than 1,000 victims worldwide and collected over $150 million in ransom payments.

The guilty plea follows Lytvynenko’s extradition from Ireland to the United States after his arrest in July 2023. Lytvynenko now faces a maximum sentence of 20 years in prison.

The Conti ransomware gang emerged from the Ryuk cybercrime group and was closely tied to the TrickBot malware syndicate.

The group became notorious for large-scale attacks against healthcare organizations, governments, and enterprises before shutting down in 2022, following the leak of its internal chats and increased law enforcement pressure.

Security researchers believe former Conti members later splintered into other ransomware groups, including BlackCat, Black Basta, ZEON, Hive, Quantum, BlackByte, Karakurt, and the Silent Ransom Group.

In September 2023, the U.S. and the United Kingdom also sanctioned and charged nine Russian nationals associated with the TrickBot and Conti ransomware cybercrime operations for attacks against more than 900 victims worldwide.

Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

Get the whitepaper

A longtime former member of Conti, a ransomware group that attacked more than 1,000 organizations globally before it disbanded in 2022, pleaded guilty to participating in some of those attacks in federal court Wednesday, the Justice Department said.

Oleksii Oleksiyovych Lytvynenko, also known as Alexsey Alexseevich Litvinenko, admitted he joined the prolific cybercrime group in September 2021 and held data on 12 victims, including eight based in the United States. The 44-year-old told the court he developed malware that Conti used in some of its attacks, according to officials. 

“The defendant and his conspirators used the Conti ransomware to terrorize people and businesses in the United States and around the world, causing millions of dollars in damage,” A. Tysen Duva, assistant attorney general of the Justice Department’s criminal division, said in a statement.

Lytvynenko and his co-conspirators used the ransomware to attack more than 1,000 victims globally, ensnaring victims in 47 states, Washington, Puerto Rico and about 31 countries, according to the Justice Department. The FBI estimates Conti extorted more than $150 million in ransom payments from victims.

The Ukrainian national pleaded guilty to conspiracy to commit wire fraud and faces up to 20 years in prison upon sentencing, which is scheduled for Sept. 10. 

Lytvynenko was arrested in Ireland in July 2023, extradited to the United States in October 2025, and remains in federal custody in Tennessee where at least three of his victims are based. He left Ukraine in 2022 and obtained temporary protective status in Ireland, residing in Cork at the time of his arrest. 

Prosecutors said Lytvynenko and his co-conspirators extorted about $634,000 in Bitcoin from two victims in Tennessee, including an undisclosed government entity that resulted in the compromise of a sheriff’s department, local emergency medical services and a local police department. According to an indictment that was unsealed last fall, Lytvynenko and his co-conspirators also leaked data they stole from another Tennessee-based victim after it refused to pay a $3 million ransom demand.

Four of Lytvynenko’s alleged co-conspirators — Maksim Galochkin, Maksim Rudenskiy, Mikhail Mikhailovich Tsarev and Andrey Yuryevich Zhuykov — were indicted in 2023 in the same federal court for crimes related to their suspected involvement in Conti attacks from 2020 to 2022. 

Authorities said Lytvynenko engaged in cybercrime after Conti disbanded and its members splintered off into new groups, adding that he “was asleep but within arms’ reach of an open laptop running Cobalt Strike” at the time of his arrest.

At one point, Conti was among the most prolific ransomware groups globally, impacting hundreds of critical infrastructure providers, Costa Rica’s government in 2022, and ultimately leading the State Department to offer a $10 million reward for information related to Conti’s leaders. The group was notoriously resilient, bouncing back with new infrastructure and hitting new targets after a massive leak exposed chats between the group’s members in 2022.

Conti disbanded later that year, but members of the Cyrillic-language group rebranded under three subgroups: Zeon, Black Basta and Quantum, which quickly rebranded to Royal, before rebranding again to BlackSuit in 2024.

“Lytvynenko’s guilty plea is a significant step toward holding cyber criminals accountable for the damage they inflict on victims worldwide,” Brett Leatherman, assistant director of the FBI’s cyber division, said in a statement “Lytvynenko profited from fear and coercion, conspiring to use Conti ransomware to extort victims and steal their data.”