The open source product contained remote PHP code execution vulnerabilities in the zip, tgz and bz2 archives of the software.
The mandatory fix was delivered in version 2.8.11 of OpenX Source.
OpenX, which counts the New York Post, Coca Cola, CBS Interactive and EA among its customers, said its paid offerings were not affected.
"Recently we became aware of a security issue ... whereby the binary distribution of v. 2.8.10 was compromised, and two of the files were replaced with two new modified files that contained a remote code execution vulnerability," senior application security engineer Nick Soracco said in a statement.
"This vulnerability only applies to the free downloadable open source product, OpenX Source.
"We are taking this opportunity to remind the OpenX Source community that it’s critical to the safe maintenance and operation of any software that you not only maintain a current version of the software, but also take steps to regularly audit accounts that have access to your system."
He encouraged users to report possible further security flaws to the company.
The company said in an advisory that the following commands should be run within the top-level OpenX directory to determine whether the compromised release was installed.
The code below indicates the compromised application:
The substring below within log files indicates that the backdoor was under active exploitation:
The remote PHP code is sent as a POST parameter, so it is not recorded in server logs by default.
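The advisory's own check commands are not reproduced on this page. As an added example, not OpenX's code, the script below shows the general form of such a check for any web application whose distribution may have had files swapped: it hashes every file under the install directory with SHA-256 and compares the result against a manifest of known-good hashes, reporting replaced, missing and unexpected files. The manifest format, the sample file tree and the tampering it simulates are all constructed for this example and are not OpenX release data.

```python
"""Detect replaced or added files in a web-application install tree.

Added example (not OpenX's advisory commands, which are not reproduced here):
walks the install directory, hashes every file with SHA-256 and compares the
result against a manifest of known-good hashes for the release, so that files
replaced in a tampered distribution, missing files and unexpected additions
are all reported.  The manifest format and the sample tree built in demo()
are assumptions constructed for this example.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map each file's path relative to root (POSIX separators) to its digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_manifest(expected: dict, actual: dict) -> dict:
    """Classify files as modified, missing or unexpected relative to the manifest.

    A replaced file (same path, different content) lands in "modified";
    a file dropped into the tree that the release never shipped lands in
    "unexpected"; a shipped file that is gone lands in "missing".
    """
    return {
        "modified": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
        "missing": sorted(p for p in expected if p not in actual),
        "unexpected": sorted(p for p in actual if p not in expected),
    }


def demo() -> dict:
    """Build a constructed sample install, tamper with it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "lib" / "helper.php").write_text("<?php function f() {} ?>\n")
        # Manifest taken from the pristine tree; in practice this would come
        # from a trusted source such as a vendor-published hash list (assumption).
        manifest = hash_tree(root)
        # Simulate a tampered distribution: one file replaced, one file added.
        (root / "lib" / "helper.php").write_text("<?php function f() { /* changed */ } ?>\n")
        (root / "lib" / "extra.php").write_text("<?php ?>\n")
        return compare_manifest(manifest, hash_tree(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The comparison only has value if the manifest comes from somewhere the attacker could not also modify; a hash list stored next to the install, or generated from an already-compromised download, proves nothing. Running the check from a clean host against a copy of the web root, with the manifest obtained out of band, is the defensible setup.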