Concise Cyber

Subscribe below for free to get these delivered straight to your inbox

Advertisements
Rapid Weaponization: Marimo RCE Flaw CVE-2026-39987 Targeted Under 10 Hours Post-Disclosure
Advertisements

The window for patching critical vulnerabilities is closing faster than ever. Recent telemetry from cybersecurity researchers reveals that a critical remote code execution (RCE) flaw in Marimo, a popular open-source Python notebook used for data science, was exploited by threat actors in less than 10 hours following its public disclosure.

The Root Cause: WebSocket Authentication Failure

The vulnerability, tracked as CVE-2026-39987 with a CVSS score of 9.3, stems from a security oversight in the Marimo terminal interface. While most of the application’s endpoints utilize strict authentication via a validation function, the /terminal/ws WebSocket endpoint was found to bypass these checks entirely. This flaw allows an unauthenticated remote attacker to establish a connection and obtain a full interactive shell (PTY) on any exposed Marimo instance. All versions of the software up to and including 0.20.4 are vulnerable to this bypass.

Observed Exploitation in the Wild

According to findings from Sysdig, the first recorded exploitation attempt occurred exactly 9 hours and 41 minutes after the vulnerability was announced. Remarkably, the attacker was able to develop a working exploit based solely on the advisory description, as no public proof-of-concept (PoC) code was available at the time. The activity, captured via a honeypot system, suggests a human operator manually navigating the compromised environment rather than an automated botnet. The actor connected multiple times over a 90-minute period, indicating a systematic approach to target exploration.

Attacker Methodology and Data Harvesting

The primary goal of the threat actor appeared to be credential theft and reconnaissance rather than immediate disruption or resource hijacking. During the observed sessions, the attacker focused on the following actions:

  • Exploration of the local file system to identify sensitive directories.
  • Targeted harvesting of .env files containing environment variables and secrets.
  • Searching for and attempting to read SSH keys to facilitate lateral movement.
  • Checking for the presence of other threat actors to ensure exclusive access.

Notably, the attacker did not install common payloads such as cryptocurrency miners or persistent backdoors, focusing instead on high-value data acquisition.

Conclusion and Mitigation

This incident underscores the reality that even niche data science tools are high-priority targets for attackers monitoring vulnerability disclosures. Organizations using Marimo must prioritize upgrading to version 0.23.0 immediately to address this flaw. As the time between disclosure and exploitation continues to shrink, the security of internet-facing development and analysis platforms remains a critical component of enterprise defense.

All articles are written here with the help of AI on the basis of openly available information which cannot be independently verified. We do strive to quote the relevant sources.The intent is only to summarise what is already reported in public forum in our own wordswith no intention to plagarise or copy other person’s work.The publisher has no intent to defame or cause offence to anyone, any person or any organisation at any moment.The publisher assumes no responsibility for any damage or loss caused by making decisions on the basis of whatever is published on cyberconcise.com.You’re advised to do your own checks and balances before making any decision, and owners and publishers at cyberconcise.com cannot be held accountable for its resulting ramifications.If you have any objections, concerns or point out anything factually incorrect, please reach out using the form on https://concisecyber.com/about/

Discover more from Concise Cyber

Subscribe now to keep reading and get access to the full archive.

Continue reading