Exploit Developed Without a PoC, Attacks Begin in Under 10 Hours
Cloud security firm Sysdig has revealed that a threat actor constructed a functional exploit for a critical vulnerability in Marimo — an open source reactive notebook for Python — and launched attacks just 9 hours and 41 minutes after the flaw was publicly disclosed. The speed of exploitation is particularly notable because no proof-of-concept (PoC) code had been released at the time; the attacker derived their working exploit directly from the advisory's description alone.
Marimo is designed to keep code, outputs, and program state mutually consistent, and has accumulated approximately 20,000 stars on GitHub, reflecting its popularity in the Python development community.
The Vulnerability: CVE-2026-39987
On April 8, Marimo's maintainers disclosed CVE-2026-39987, which carries a CVSS score of 9.3 — placing it firmly in the critical-severity tier. The vulnerability is an unauthenticated remote code execution (RCE) flaw rooted in a missing authentication check in the platform's terminal WebSocket endpoint.
The core problem lies in an inconsistency between how different WebSocket endpoints handle authentication. As Marimo's maintainers explained:
"Unlike other WebSocket endpoints (e.g., /ws) that correctly call validate_auth() for authentication, the /terminal/ws endpoint only checks the running mode and platform support before accepting connections, completely skipping authentication verification."
Because the /terminal/ws endpoint skips authentication entirely, any unauthenticated attacker who connects to it gains a full interactive shell on the target system. From there, arbitrary system command execution becomes trivially possible, creating a severe risk for any exposed Marimo instance.
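To make the bug class concrete, here is an added Python model (not marimo's code) of the inconsistency the advisory describes: one WebSocket handler gates on `validate_auth()`, the flawed terminal handler checks only running mode and platform support, and a hardened version applies the same auth gate before the mode check. The `Request`, `Server`, bearer-token scheme and the `"edit"` mode name are assumptions made for the illustration.

```python
import hmac
from dataclasses import dataclass, field

# Constructed secret for the example; a real server would derive a per-session token.
SESSION_TOKEN = "constructed-example-token"


@dataclass
class Request:
    """Minimal stand-in for an incoming WebSocket upgrade request (hypothetical)."""
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Server:
    """Hypothetical server state: mode and whether a PTY is available on this platform."""
    mode: str = "edit"
    platform_supported: bool = True


def validate_auth(request: Request) -> bool:
    """Constant-time bearer-token check (assumed scheme, not marimo's)."""
    auth = request.headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    return hmac.compare_digest(token, SESSION_TOKEN)


def ws_endpoint(server: Server, request: Request) -> str:
    """Models the correctly gated /ws endpoint: authenticate, then accept."""
    if not validate_auth(request):
        return "rejected"
    return "accepted"


def terminal_ws_vulnerable(server: Server, request: Request) -> str:
    """Models the flawed /terminal/ws handler: only mode and platform are checked."""
    if server.mode != "edit" or not server.platform_supported:
        return "rejected"
    return "accepted"  # validate_auth() never runs: any client gets the shell


def terminal_ws_fixed(server: Server, request: Request) -> str:
    """Hardened handler: the same auth gate as /ws, applied before anything else."""
    if not validate_auth(request):
        return "rejected"
    if server.mode != "edit" or not server.platform_supported:
        return "rejected"
    return "accepted"
```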
How the Attack Unfolded
Sysdig captured the attack sequence through a honeypot deployment. The timeline of the intrusion was remarkably compact:
- The attacker connected directly to the vulnerable terminal WebSocket endpoint.
- Approximately two minutes later, manual reconnaissance of the compromised environment began.
- Six minutes after that, the threat actor returned and began exfiltrating files containing credentials.
- The attacker also attempted to read every file in the targeted directory and actively searched for SSH keys.
- The entire operation concluded within three minutes of the exfiltration phase beginning.
Sysdig observed exploitation activity originating from a single IP address. However, an additional 125 IP addresses were involved in preparatory reconnaissance activities, including port scanning and HTTP probing, indicating that the broader threat actor infrastructure was actively mapping attack surface before moving in.
No PoC Required: Advisory-Driven Exploitation
One of the most alarming aspects of this incident is that the attacker did not wait for or rely on publicly available exploit code. According to Sysdig:
"The attacker built a working exploit directly from the advisory description, connected to the unauthenticated terminal endpoint, and began manually exploring the compromised environment."
This underscores a growing trend in which detailed vulnerability advisories — even those published without accompanying PoC code — provide sufficient information for capable threat actors to develop their own exploits rapidly. The sub-10-hour window between disclosure and active exploitation leaves virtually no time for defenders relying solely on patch deployment cycles.
Affected Versions and Remediation
All Marimo releases up to and including version 0.20.4 are affected by CVE-2026-39987. Marimo's maintainers have addressed the flaw, and users are strongly urged to update to version 0.23.0 or newer, which contains the necessary patches.
Broader Implications for Open Source Security
This incident highlights several compounding risks in the open source ecosystem. Popular tools with large community followings — Marimo's 20,000 GitHub stars signal meaningful adoption — attract attacker attention precisely because of their reach. When a critical flaw emerges in such a tool, the potential victim pool is substantial.
The speed of exploitation also reinforces the importance of patch prioritization based on exploit complexity. CVE-2026-39987 required no authentication and could be triggered remotely, two factors that dramatically lower the bar for adversaries. When such vulnerabilities are disclosed, the assumption that defenders have days or weeks to patch before exploitation begins no longer holds.
- Patch immediately: Organizations running any Marimo version through 0.20.4 should upgrade to 0.23.0 or later without delay.
- Audit exposure: Verify whether any Marimo instances are accessible from untrusted networks, particularly the /terminal/ws endpoint.
- Monitor for indicators: Given that 125 IPs were observed in reconnaissance, network defenders should review logs for unusual WebSocket connection attempts and unauthorized credential file access.
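The log review suggested above, as an added Python example (not from Sysdig or the marimo project): it parses constructed reverse-proxy access-log lines in Nginx combined format, flags every upgrade attempt against /terminal/ws from a source outside an assumed allowlist, and tallies how many distinct untrusted addresses touched the instance at all, which is the kind of spread the 125 reconnaissance IPs would produce. The log lines, the `TRUSTED_SOURCES` set and the log format are assumptions.

```python
import re
from collections import Counter

# Constructed sample log lines (RFC 5737 test addresses); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Apr/2026:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.11 - - [08/Apr/2026:10:01:05 +0000] "GET /api/home HTTP/1.1" 401 0 "-" "python-requests/2.31"
203.0.113.12 - - [08/Apr/2026:10:02:00 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Python/3.11 websockets"
198.51.100.5 - - [08/Apr/2026:10:03:00 +0000] "GET /ws?session_id=abc HTTP/1.1" 101 0 "-" "Mozilla/5.0"
203.0.113.12 - - [08/Apr/2026:10:04:10 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Python/3.11 websockets"
"""

# Nginx "combined" format: ip ident user [ts] "method path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: the only address that should reach this notebook is the team's egress IP.
TRUSTED_SOURCES = {"198.51.100.5"}


def parse(log_text):
    """Yield one dict per well-formed access-log line; skip anything unparseable."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def terminal_ws_attempts(log_text):
    """Upgrade attempts on the terminal socket from untrusted sources.

    A 101 here means the proxy completed the upgrade; on an unpatched instance
    that happened with no credential at all, so each hit warrants investigation.
    """
    hits = []
    for e in parse(log_text):
        path = e["path"].split("?", 1)[0]
        if path == "/terminal/ws" and e["ip"] not in TRUSTED_SOURCES:
            hits.append((e["ip"], e["ts"], int(e["status"])))
    return hits


def untrusted_sources(log_text):
    """Requests per untrusted source IP; a long tail of one-off IPs suggests scanning."""
    return Counter(e["ip"] for e in parse(log_text) if e["ip"] not in TRUSTED_SOURCES)
```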
Sysdig's findings serve as a stark reminder that the window between vulnerability disclosure and active exploitation continues to shrink — and that advisory text alone can be enough to arm a determined attacker.
Source: SecurityWeek