Close Menu
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice

Subscribe to Updates

Get the latest creative news from FooBar about art, design and business.

What's Hot

Criminals Pose as Interpol in Phishing Emails to Deliver Ransomware

July 2, 2026

New SharkLoader Malware Deploys Cobalt Strike in StrikeShark Cyberattacks

July 2, 2026

Researcher Explains Release of Undisclosed Zero-Day Exploits

July 2, 2026
Facebook X (Twitter) Instagram
Thursday, July 2
Facebook X (Twitter) Instagram Pinterest Vimeo
Cyberwire Daily
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice
Cyberwire Daily
Home»News»Researcher Explains Release of Undisclosed Zero-Day Exploits
News

Researcher Explains Release of Undisclosed Zero-Day Exploits

Team-CWDBy Team-CWDJuly 2, 2026No Comments7 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
Share
Facebook Twitter LinkedIn Pinterest Email


A pseudonymous security researcher has released over 30 proof-of-concept exploits for zero-day vulnerabilities in open-source projects without disclosing them to the maintainers first.

The dump, called ‘Exploitarium,’ was shared publicly on GitHub by an individual going by name ‘bikini’ and ‘ashdfrkl’ on Discord.

First published on June 27, the repository initially included around 15 exploits, before the researcher updated it over the next few days with new entries.

It affects several open-source projects, including the Linux kernel, Libssh2, FFmpeg, Gogs, Gitea, Ghidra, 7-Zip, MyBB, PHP, OpenVPN, the VLC player and more.

In the ‘Exploitarium’ repository on GitHub, the researcher claimed they automated the entire fuzzing process using AI, specifically OpenAI models and tools.

One of the most widely used methods to find vulnerabilities, fuzzing is an automated software testing technique that inputs random, invalid or unexpected data into a computer program to detect crashes, memory leaks and security flaws.

However, the main reason this exploit dump sparked debate within the cybersecurity community is the apparent lack of coordinated vulnerability disclosure (CVD).

CVD is the industry-standard practice of privately alerting developers to a security flaw first, giving them a window of time to patch the issue before details are made public.

On GitHub, the researcher explicitly invited others to file CVEs themselves and framed the work as an effort to bring people into the field.

Speaking to Infosecurity on Discord, the researcher confirmed they did not inform any of the maintainers of the publication. While they have been through a CVD process in the past, they decided against it this time.

“I think it’s the best way for people to learn and become allured into the field. It’s a lot less interesting and informative if someone has to read a write up that’s not applicable by today’s security standards,” the researcher known as bikini said.

“It also raises the barrier to entry making someone go back and install outdated software to test on.”

Some Exploits Linked to Disclosed CVEs

Some vulnerabilities have since been publicly disclosed and some of them have been patched by maintainers.

One of them, CVE-2026-55200, represents a severe pre-authentication remote code execution (RCE) vulnerability affecting libssh2, a widely used client-side C library implementing the SSH2 protocol, with a CVSS severity score of 9.2.

Exploitation involves transmitting specially crafted SSH packets containing oversized packet_length values to manipulate heap memory, ultimately enabling remote code execution.

While bikini dropped the exploit on GitHub, the vulnerability was publicly disclosed by VulnCheck through formal channels with credit to a different cybersecurity researcher Tristan Madani (also known as @TristanInSec) for reporting it to them.

It has now been addressed with a fix already integrated into the libssh2 mainline development branch, though maintainers are still finalizing a formal release that includes the patch.

Speaking to Infosecurity, Ethan Andrews, a cybersecurity analyst and detection engineer at Federal Signal Corporation, said CVE-2026-55200 has been “independently verified.”

He noted that it is the “most severe” vulnerability that has come out of the dump and is experiencing active exploitation.

Aside from CVE-2026-55200, bikini’s ‘Exploitarium’ GitHub repository mentioned that 12 issues have now received CVE identifiers:

  • CVE-2026-58049: Memory corruption (heap write/read) in FFmpeg’s RASC video decoder
  • CVE-2026-58050: Heap buffer overflow in libssh2 on 32-bit platforms due to integer overflow
  • CVE-2026-58051: Free of uninitialized pointer (use-after-free) in libssh2 during publickey list cleanup
  • CVE-2026-58052: 7-Zip fails to preserve Mark-of-the-Web (MotW) warnings when extracting crafted RAR5 archives
  • CVE-2026-58053: Host container escape in Gitea’s act_runner via unsanitized Docker container options
  • CVE-2026-58054: Privilege escalation in MyBB due to unrestricted usergroup assignments
  • CVE-2026-58055: HTTP request smuggling and queue poisoning in nghttp2’s nghttpx proxy
  • CVE-2026-58056: Remote input injection and unauthorized display access in RustDesk file transfers
  • CVE-2026-58057: Case-sensitivity bypass on Windows in Flowise leading to arbitrary code execution
  • CVE-2026-58058: Integer underflow in Nmap leading to out-of-bounds reads and crashes during IPv6 scans
  • CVE-2026-58592: Use-after-free in the Ladybird Web Browser WebAssembly loader leading to code execution
  • CVE-2026-58593: Authentication bypass and post forgery in NodeBB’s ActivityPub middleware

As new entries to the ‘Exploitarium’ repository land, Federal Signal’s Andrews told Infosecurity he has built 44 Kusto Query Language (KQL) detection rules and released them on the Detections.ai website and on GitHub.

KQL detection rules are queries in security and monitoring tools like Microsoft Sentinel, Azure Defender, or Azure Data Explorer. They are used for identifying, investigating and responding to security threats, compliance violations, and suspicious activities within an organization’s digital environment.

Andrews also highlighted that some issues raised by the pseudonymous researcher “have been community dismissed as low impact noise.”

Bypassing Coordination Vulnerability Disclosure

Asked about the dump-when-ready approach used by bikini, Andrews said, “It shows a meaningfully different intent than a coordinated offensive toolkit release, but a risky decision at the same time, especially with no vendor coordination.”

Speaking to Infosecurity, Patrick Garrity, a vulnerability researcher at VulnCheck, said his company “strongly encourages a coordinated approach.”

“We provide coordinated vulnerability disclosure as a free service and we issue CVEs when we observe vulnerabilities in the wild that don’t have one. We do this as a participant in the CVE program to contribute back to public goods and help ensure timely CVE issuance,” he explained.

In the GitHub repository, bikini added a warning against malicious use of their exploits: “Do NOT, under any circumstances, use any material in this repository maliciously. This is good-faith, open-disclosure vulnerability research intended to get more people interested in exploring this area of cybersecurity. Cybercrime is cringe.”

Asked if they thought this would be enough to deter malicious actors, they responded, “Of course not. The disclaimer might help, but at the end of the day, they have the free will to make their own choices.”

However, bikini argued that releasing exploits publicly “just speeds up the patching process and will get these issues resolved quicker, limiting attackers who might already be aware of these things.”

“I just came to the understanding that open disclosure is better for everyone in 99% of circumstances,” they added.

VulnCheck’s Garrity said he believes “we are going to continue to see more of these type of drops.”

The pseudonymous researcher’s approach is reminiscent of Nightmare Eclipse, the zero-day bug hunter who has been publishing Microsoft exploits in May 2026.

Read now: Microsoft Condemns “Uncoordinated” Zero Day Disclosures

Researcher Claims Using Non-Frontier AI Models for Fuzzing

In the ‘Exploitarium” GitHub repository, bikini claimed they used an OpenAI model to fuzz the project’s code and find irregularities that they later confirmed with a manual review. Specifically, they initially attributed the work to GPT-5.5-3-Codex-Spark before later revising the description to GPT-5.3.

“You do NOT need a SOTA [state-of-the-art] model to help you identify these issues, I promise!” they wrote.

“While being able to afford a better model is helpful, my data seems to show that it is only marginal when paired with decent human oversight and a good harness. None of the actual PoCs [proof-of-concept exploits] themselves were vibe-coded; I did, in fact, hand-type them.”

Speaking to Infosecurity, bikini said they “didn’t face any issues with AI safeguards,” but that the real challenge is to “find bugs that interest people.”

They announced they’re planning to publish more information on their workflow in the future.

“I think it’s important to establish your own workflow first of what you’ve found to work best and implement a strict pathway for AI to automate this process for you,” they added.

Infosecurity has contacted maintainers of libssh2 and Ghidra but did not receive any response at the time of publication.



Source

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleChinese-Speaking APT Deploys New TinyRCT Backdoor in Southeast Asia Campaign
Next Article New SharkLoader Malware Deploys Cobalt Strike in StrikeShark Cyberattacks
Team-CWD
  • Website

Related Posts

News

Criminals Pose as Interpol in Phishing Emails to Deliver Ransomware

July 2, 2026
News

New SharkLoader Malware Deploys Cobalt Strike in StrikeShark Cyberattacks

July 2, 2026
News

Chinese-Speaking APT Deploys New TinyRCT Backdoor in Southeast Asia Campaign

July 2, 2026
Add A Comment
Leave A Reply Cancel Reply

Latest News

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202522 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views

Why SOC Burnout Can Be Avoided: Practical Steps

November 14, 20259 Views

Cyber M&A Roundup: Cyber Giants Strengthen AI Security Offerings

December 1, 20258 Views
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Most Popular

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202522 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views
Our Picks

Is Poshmark safe? How to buy and sell without getting scammed

February 19, 2026

What is it, and how do I get it off my device?

September 11, 2025

In memoriam: David Harley

November 12, 2025

Subscribe to Updates

Get the latest news from cyberwiredaily.com

Facebook X (Twitter) Instagram Pinterest
  • Home
  • Contact
  • Privacy Policy
  • Terms of Use
  • California Consumer Privacy Act (CCPA)
© 2026 All rights reserved.

Type above and press Enter to search. Press Esc to cancel.