Critical Marimo RCE Exploited Within Hours of Disclosure: A Race Against Time for Patching
A critical remote code execution (RCE) vulnerability in the **Marimo** open-source Python notebook, **CVE-2026-39987**, was actively exploited within 10 hours of its public disclosure. Security researchers at **Sysdig** observed the rapid weaponization of the flaw, highlighting the shrinking window for defenders to apply patches.

### Rapid Exploitation of Marimo Vulnerability
**Sysdig** reported that **CVE-2026-39987** (CVSS score: 9.3), an unauthenticated (pre-auth) remote code execution vulnerability, was exploited 9 hours and 41 minutes after its public disclosure. The vulnerability affects all versions of **Marimo** up to and including 0.20.4; the issue has been addressed in version 0.23.0.
### Technical Details of CVE-2026-39987
The root cause is that the `/terminal/ws` WebSocket endpoint never authenticates the caller. According to the **Marimo** maintainers, its handler does not call `validate_auth()`, the check the server applies to its other routes, so any unauthenticated client that can reach the endpoint is handed a full PTY shell and can run arbitrary system commands as the user the notebook server runs as.
Unlike the other WebSocket endpoints (e.g., `/ws`), which validate the session before upgrading, `/terminal/ws` only checks the running mode and platform support before accepting the connection, so authentication is skipped entirely.
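To make the shape of the bug concrete, the following is an added example and not Marimo's code: a minimal stand-in for two WebSocket handlers in which the vulnerable terminal handler performs only the mode and platform checks, while the hardened version gates on `validate_auth()` first. The token-in-query-string/cookie scheme, the `WsRequest`/`ServerState` types and the return strings are assumptions chosen for illustration.

```python
"""Model of the missing-auth bug in a terminal WebSocket handler.

Added example, not marimo's code. It mirrors the structure the advisory
describes: the terminal endpoint checks only the running mode and platform
support, while the other endpoints also run validate_auth(). The token
scheme (access_token query parameter or session cookie) is an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional
import hmac


@dataclass
class WsRequest:
    """The parts of a WebSocket upgrade request the handlers look at."""
    path: str
    query: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)


@dataclass
class ServerState:
    """Server-side settings the handlers consult (assumed names)."""
    mode: str                      # "edit" (interactive) or "run" (read-only app)
    auth_token: str                # secret the client must present
    terminal_supported: bool = True


def validate_auth(req: WsRequest, state: ServerState) -> bool:
    """Accept the request only if it presents the server token.

    The token may arrive as the access_token query parameter or a session
    cookie (assumed scheme). A constant-time compare avoids timing leaks.
    """
    presented = req.query.get("access_token") or req.cookies.get("session")
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), state.auth_token.encode())


def _terminal_prechecks(state: ServerState) -> Optional[str]:
    """The two checks the vulnerable endpoint performs; None means 'pass'."""
    if state.mode != "edit":
        return "rejected: terminal only available in edit mode"
    if not state.terminal_supported:
        return "rejected: terminal not supported on this platform"
    return None


def terminal_ws_vulnerable(req: WsRequest, state: ServerState) -> str:
    """/terminal/ws as the bug existed: validate_auth() is never called."""
    reason = _terminal_prechecks(state)
    if reason:
        return reason
    # A real server would now spawn a PTY and proxy it over the socket,
    # so an unauthenticated caller gets a shell as the server's user.
    return "accepted: pty attached"


def terminal_ws_hardened(req: WsRequest, state: ServerState) -> str:
    """Same endpoint with the authentication gate the other routes have.

    Auth runs first so an unauthenticated caller learns nothing about the
    server's mode or platform from the rejection reason.
    """
    if not validate_auth(req, state):
        return "rejected: unauthenticated"
    reason = _terminal_prechecks(state)
    if reason:
        return reason
    return "accepted: pty attached"


def demo() -> Dict[str, str]:
    """Drive both handlers with anonymous, wrong-token and valid requests."""
    state = ServerState(mode="edit", auth_token="s3cr3t-token")
    anon = WsRequest(path="/terminal/ws")
    wrong = WsRequest(path="/terminal/ws", query={"access_token": "nope"})
    authed = WsRequest(path="/terminal/ws", query={"access_token": "s3cr3t-token"})
    return {
        "vulnerable/anon": terminal_ws_vulnerable(anon, state),
        "hardened/anon": terminal_ws_hardened(anon, state),
        "hardened/wrong": terminal_ws_hardened(wrong, state),
        "hardened/authed": terminal_ws_hardened(authed, state),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16} -> {outcome}")
```

The ordering in `terminal_ws_hardened` is deliberate: put the authentication check before any feature-specific precondition, so that a route added later cannot "forget" auth by copying only the feature checks, and so rejection messages do not leak server configuration to anonymous callers.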
### Attackers in Action
In the attempt **Sysdig** observed, the attacker connected to the `/terminal/ws` WebSocket endpoint on a honeypot and began reconnaissance of the file system by hand. Within minutes they had tried to harvest credentials from the `.env` file, searched for SSH keys, and read assorted other files.
The attacker returned an hour later to read the contents of the `.env` file again and to check whether other threat actors had already compromised the host. No further payloads, such as cryptocurrency miners or backdoors, were installed.
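A defender reading the above will want to know whether anyone opened `/terminal/ws` on their own server. The following is an added example, not Sysdig's tooling or Marimo's code: it scans reverse-proxy access logs (nginx "combined" format) for successful WebSocket upgrades (status 101) to `/terminal/ws` and groups them per client. The log lines are constructed for the example, and the "token present" heuristic assumes an `access_token` query parameter, which is an assumption about the deployment rather than a fact from the advisory.

```python
"""Hunt for /terminal/ws WebSocket upgrades in proxy access logs.

Added example, not Sysdig's or marimo's code. SAMPLE_LOG is constructed
in nginx combined format; the access_token heuristic is an assumption.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# nginx "combined" log format: ip ident user [ts] "method target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: two untokened upgrades from one client, one tokened
# upgrade from a legitimate user, one refused upgrade, and ordinary traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2026:03:14:02 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Go-http-client/1.1"
198.51.100.4 - - [12/Apr/2026:03:14:05 +0000] "GET / HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Apr/2026:03:14:06 +0000] "GET /ws?access_token=REDACTED HTTP/1.1" 101 0 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Apr/2026:03:15:10 +0000] "GET /terminal/ws?access_token=REDACTED HTTP/1.1" 101 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2026:04:15:44 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "python-requests/2.31"
192.0.2.9 - - [12/Apr/2026:04:16:00 +0000] "GET /terminal/ws HTTP/1.1" 403 0 "-" "curl/8.4"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_terminal_upgrades(log_text: str) -> List[Dict[str, object]]:
    """Every successful (101) upgrade of /terminal/ws, with a token heuristic.

    A non-101 status means the proxy or server refused the upgrade, so no
    PTY session could have started; those lines are not reported.
    """
    events: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        if url.path != "/terminal/ws" or rec["status"] != "101":
            continue
        events.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "ua": rec["ua"],
            # Assumed scheme: legitimate clients carry access_token in the query.
            "token_present": "access_token" in parse_qs(url.query),
        })
    return events


def summarize_by_client(events: List[Dict[str, object]]) -> Dict[str, Dict[str, object]]:
    """Per-client counts: how many terminal sessions, how many without a token."""
    summary: Dict[str, Dict[str, object]] = defaultdict(
        lambda: {"sessions": 0, "untokened": 0, "user_agents": set()}
    )
    for ev in events:
        entry = summary[str(ev["ip"])]
        entry["sessions"] += 1
        if not ev["token_present"]:
            entry["untokened"] += 1
        entry["user_agents"].add(ev["ua"])
    return dict(summary)


if __name__ == "__main__":
    for ip, info in summarize_by_client(find_terminal_upgrades(SAMPLE_LOG)).items():
        flag = "SUSPICIOUS" if info["untokened"] else "ok"
        print(f"{ip:15} sessions={info['sessions']} untokened={info['untokened']} "
              f"ua={sorted(info['user_agents'])} {flag}")
```

Treat any 101 on `/terminal/ws` from an unfamiliar client as a likely shell session, and pivot from its timestamp into host-side evidence (shell history of the server's user, reads of `.env` and `~/.ssh`) that the observed intrusion pattern would leave behind. The access log shows only that the socket opened; what was typed over the PTY is not in it.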
### Implications and Recommendations
The speed of exploitation, even though no public proof-of-concept (PoC) was available at the time, underscores the importance of prompt patching. Attackers are actively monitoring vulnerability disclosures and weaponizing them within hours.
**Sysdig** emphasizes that any internet-facing application with a critical advisory is a potential target, regardless of its popularity. IT security professionals and privacy-conscious users are urged to prioritize patching and to regularly monitor security advisories for their software stack. For notebook servers in particular, binding to localhost or placing the server behind an authenticating reverse proxy limits exposure to pre-auth flaws of this kind while a fix is being rolled out.