Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure
Briefly

"The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands."
"Unlike other WebSocket endpoints (e.g., /ws) that correctly call validate_auth() for authentication, the /terminal/ws endpoint only checks the running mode and platform support before accepting connections, completely skipping authentication verification."
"Sysdig said it observed the first exploitation attempt targeting the vulnerability within 9 hours and 41 minutes of it being publicly disclosed, with a credential theft operation executed in minutes."
"The attacker returned to the honeypot an hour later to access the contents of the .env file and check if other threat actors were active during the time window."
CVE-2026-39987 is a pre-authentication remote code execution vulnerability in Marimo, affecting all versions up to 0.20.4. The /terminal/ws WebSocket endpoint accepts a connection after checking only the running mode and platform support, without calling validate_auth() as the other WebSocket endpoints (e.g., /ws) do, so an unauthenticated attacker who can reach the server obtains a full PTY shell. Sysdig reported the first exploitation attempt within 9 hours and 41 minutes of public disclosure. On its honeypot the attacker conducted reconnaissance and attempted to harvest sensitive data, including SSH keys and the .env file, without installing additional malicious payloads.
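The defect is a missing authentication check on one route, not a broken one. The following is an added illustration, not Marimo's code or the patch: a tiny stand-in for a framework WebSocket object (no Starlette dependency so it runs offline), a constructed validate_auth() that compares a query-string token in constant time, and two versions of a terminal handler. The vulnerable version mirrors the order of checks the advisory describes (mode and platform only, then accept); the hardened version authenticates first, as the page says /ws already does. The token transport, the mode name and the 1008 close code are assumptions for the example.

```python
"""Added example (not Marimo's code): the check-ordering defect behind an
unauthenticated WebSocket route, beside its hardened form."""
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumption: the server secret is sent by the browser as an access_token query
# parameter on the WebSocket upgrade. The real transport is not on the page.
SERVER_TOKEN = "constructed-example-token"  # constructed, hardcoded for the example only


@dataclass
class WebSocket:
    """Minimal stand-in for a framework WebSocket object (accept/close only)."""
    path: str
    query: Dict[str, str] = field(default_factory=dict)
    accepted: bool = False
    close_code: Optional[int] = None

    def accept(self) -> None:
        self.accepted = True

    def close(self, code: int = 1008) -> None:  # 1008 = policy violation (assumed)
        self.close_code = code


@dataclass
class ServerState:
    """Constructed stand-in for the two non-auth conditions the advisory mentions."""
    mode: str = "edit"          # assumed name of the mode in which a terminal is allowed
    pty_supported: bool = True  # platform support for a PTY


def validate_auth(ws: WebSocket) -> bool:
    """Constant-time comparison of the presented token with the server secret."""
    presented = ws.query.get("access_token", "")
    return hmac.compare_digest(presented.encode(), SERVER_TOKEN.encode())


def terminal_ws_vulnerable(ws: WebSocket, state: ServerState) -> str:
    """Vulnerable pattern: only mode and platform are checked before accept().
    An attacker with no token still reaches the PTY."""
    if state.mode != "edit" or not state.pty_supported:
        ws.close(1008)
        return "closed"
    ws.accept()
    return "pty-shell"  # in the real bug this is where the shell is spawned


def terminal_ws_fixed(ws: WebSocket, state: ServerState) -> str:
    """Hardened pattern: authenticate first, exactly as the other WebSocket
    routes do, then apply the mode and platform checks."""
    if not validate_auth(ws):
        ws.close(1008)
        return "closed"
    if state.mode != "edit" or not state.pty_supported:
        ws.close(1008)
        return "closed"
    ws.accept()
    return "pty-shell"


def demo() -> None:
    """Show an unauthenticated upgrade against both handlers."""
    state = ServerState()
    anon = WebSocket("/terminal/ws")
    print("vulnerable, no token:", terminal_ws_vulnerable(anon, state))
    anon = WebSocket("/terminal/ws")
    print("fixed, no token:     ", terminal_ws_fixed(anon, state))
    authed = WebSocket("/terminal/ws", {"access_token": SERVER_TOKEN})
    print("fixed, valid token:  ", terminal_ws_fixed(authed, state))


if __name__ == "__main__":
    demo()
```

The practical lesson for review is that per-route gating (mode, platform, feature flags) does not substitute for the authentication step, and that a route which spawns a PTY deserves the strictest check in the codebase, not the loosest. A quick regression guard is to assert in tests that every WebSocket route closes an unauthenticated upgrade, so a future route cannot repeat the omission.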
Read at The Hacker News