Anonymous Researcher Publishes Zero-Day Vulnerabilities for 15 Products
An anonymous researcher, "bikini," has released exploit code for zero-day vulnerabilities in 15 software products without prior notice. Two of the vulnerabilities, in libssh2 and Gitea, have already been exploited in attacks.
According to a report by The Register, an anonymous security researcher known as “bikini” has publicly released exploit code for zero-day vulnerabilities affecting 15 software products and open-source projects, without prior notification to vendors or maintainers. The code was posted on a since-removed GitHub repository called “exploitarium.” At least two of the vulnerabilities have already been confirmed as exploited in attacks.
This incident has drawn significant attention as an example of a researcher acting outside the principles of responsible disclosure. While it is reminiscent of the actions of “Nightmare Eclipse,” who has been publicly revealing Microsoft vulnerabilities over the past few months, bikini differs in targeting a broader range of products rather than focusing on specific vendors.
Two Confirmed Exploited Vulnerabilities
The first confirmed vulnerability is CVE-2026-55200, a critical pre-authentication remote code execution (RCE) issue in libssh2, a client-side C library implementing the SSH2 protocol. Attackers can manipulate the packet_length value in a crafted SSH packet to corrupt heap memory and achieve remote code execution.
A fix for this vulnerability has already been merged into the mainline development branch of libssh2, and maintainers are preparing a release that includes the patch. However, at the time the exploit code was published, no official stable release containing the patch was available.
The second vulnerability, CVE-2026-20896, is a severe authentication bypass issue affecting self-hosted Docker deployments of Gitea. This vulnerability allows unauthenticated remote attackers to impersonate any user and take full control of the Git server. The issue has been addressed in Gitea version 1.26.3.
Affected Products
The exploit code and accompanying documentation released by bikini cover the following products and projects: libssh2, Splunk, RustDesk, 7-Zip, VLC, AnyDesk, OpenVPN, c-ares, Gitea, and Floci. However, The Register has not verified whether the exploits function as described or whether the claims are valid.
In the repository, bikini states, “These exploits have not been reported anywhere. Feel free to report them yourself, get CVEs, and claim credit.” Paradoxically, bikini also writes, “Please do not abuse this. This is to draw people into this field,” revealing a contradiction in intent.
The Role of AI in Vulnerability Discovery
Ethan Andrews, an analyst at Federal Signal, suggests that bikini may have utilized advanced AI models like GPT-5.5 Codex to automate fuzzing and vulnerability discovery. Andrews created 44 KQL detection rules in response to the data dump.
This observation highlights the growing impact of AI on the field of cybersecurity. As the automation of vulnerability discovery using AI accelerates, it could result in the identification of vulnerabilities on a scale that overwhelms the capacity of security teams to respond—a scenario some experts are calling “vulnpocalypse.”
Implications for the Security Industry
This incident underscores the limitations of the responsible disclosure framework. Publishing exploits without prior notification to vendors leaves users without time to apply patches, creating a favorable environment for attackers.
On the other hand, some argue that bikini’s actions could broaden the scope of security research. By making vulnerability information public, proponents claim that more talent can be drawn into the field, countering the monopolization of closed vulnerability information by a few researchers or companies. However, the ethical implications of exposing unprotected users to potential harm remain a significant concern.
Vulnerabilities in widely used libraries like libssh2 have far-reaching consequences, potentially affecting all software that links against them. The SSH2 protocol is extensively used for tasks such as system administration and file transfers, so exploiting an RCE vulnerability could lead to complete compromise of the affected server.
The Gitea vulnerability is equally serious. As a self-hosted Git server, Gitea is central to source code management for many organizations. The authentication bypass could allow attackers to take full control of all repositories. Since attacks have already been confirmed, organizations running Gitea versions below 1.26.3 must update immediately.
Future Outlook and Countermeasures
Security teams need to consider temporary mitigation measures for the unpatched vulnerabilities disclosed in this incident. For libssh2, while an official patch is being prepared, organizations should restrict SSH connections and implement network-level defenses.
Given the increasing use of AI in vulnerability discovery, large-scale public disclosures like “exploitarium” could become more common. The security industry must establish legal and ethical frameworks to manage the reporting of AI-discovered vulnerabilities and address the challenges posed by unnotified disclosures.
Organizations should also strengthen their supply chain security management and ensure that the open-source software libraries they use are always up to date. In this case, the inclusion of network-related libraries like libssh2, Gitea, and c-ares underscores the wide potential impact of such vulnerabilities.
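The two preceding paragraphs, and the FAQ answer further down, reduce to one inventory question: which Gitea instances are below 1.26.3, and which hosts carry libssh2 at all, given that no fixed stable release existed when the exploits were published. The script below is an added example (not code from the article, The Register, or either project) that answers that question over a constructed asset list; hostnames, the inventory format and the version strings are assumptions, and the only facts taken from the article are the Gitea fixed version and the absence of a libssh2 release. It also handles the version-string edge cases (a `v` prefix, a two-component version, a pre-release tag) that naive string comparison gets wrong.

```python
"""Triage an asset inventory against the disclosed libssh2 and Gitea issues.

Added example; inventory format and sample data are constructed.
"""
import re
from dataclasses import dataclass

# Fixed Gitea version stated in the article for CVE-2026-20896.
GITEA_FIXED = "1.26.3"


@dataclass(frozen=True)
class Finding:
    host: str
    component: str
    version: str
    action: str


def parse_version(text: str) -> tuple:
    """Turn 'v1.26.3', '1.26.3-rc1' or '1.26' into a comparable tuple.

    A pre-release tag sorts before the final release of the same number,
    so '1.26.3-rc1' is treated as older than '1.26.3' (and therefore still
    below the fixed version).
    """
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)(?:-([0-9A-Za-z.]+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(p) for p in m.group(1).split("."))
    numbers += (0,) * (3 - len(numbers))  # pad '1.26' to (1, 26, 0)
    prerelease = m.group(2)
    # Final release -> (..., 1); pre-release -> (..., 0, tag), which sorts lower.
    return numbers + ((1,) if prerelease is None else (0, prerelease))


def is_older_than(version: str, fixed: str) -> bool:
    """True when `version` is strictly below `fixed`."""
    return parse_version(version) < parse_version(fixed)


def triage(inventory):
    """Return a Finding for every asset that needs action.

    `inventory` is an iterable of (host, component, version) triples.
    """
    findings = []
    for host, component, version in inventory:
        name = component.lower()
        if name == "gitea":
            if is_older_than(version, GITEA_FIXED):
                findings.append(Finding(
                    host, component, version,
                    f"update to {GITEA_FIXED} or later; exploitation confirmed"))
        elif name == "libssh2":
            # No stable release carried the fix when the exploit was published,
            # so every installed version is flagged for mitigation, not patching.
            findings.append(Finding(
                host, component, version,
                "no fixed release yet: restrict SSH reachability and "
                "deploy the maintainers' patched release when published"))
    return findings


# Constructed sample inventory (host, component, version); hosts are placeholders.
SAMPLE_INVENTORY = [
    ("git-01.example.internal", "Gitea", "1.26.2"),
    ("git-02.example.internal", "Gitea", "v1.26.3"),
    ("git-03.example.internal", "Gitea", "1.26.3-rc1"),
    ("backup-01.example.internal", "libssh2", "1.11.0"),
    ("web-01.example.internal", "nginx", "1.26.1"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.host}: {f.component} {f.version} -> {f.action}")
```

Feeding a real inventory export in the same (host, component, version) shape is the only change needed to run this against an environment; the version parser rejects strings it cannot interpret rather than silently treating them as safe, which is the failure mode to avoid when the output drives patch prioritization.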
Editorial Opinion
In the short term, there is a high likelihood of increased attacks targeting the unpatched vulnerabilities disclosed in this incident. Security teams must immediately assess their environments based on the disclosed information and implement the necessary mitigation measures. The urgency is particularly high for the vulnerabilities in libssh2 and Gitea, which have already been exploited. On an industry-wide scale, this incident may serve as a catalyst for standardizing incident response processes when vulnerabilities are published without prior notice.
In the long term, the automation of vulnerability discovery through AI could transform the structure of the cybersecurity industry. As this case demonstrates, AI can uncover vulnerabilities at speeds far surpassing human researchers. This may lead to an era of “vulnerability oversupply,” where the volume of discovered issues exceeds the capacity of security teams to address them. In such an environment, prioritization and advanced automated patching mechanisms will be vital.
From the editorial perspective, it remains a contentious issue whether bikini’s actions represent a “democratization of security research” or just irresponsible disclosure.
References
- Anonymous researcher drops 0-day ‘exploitarium’ repo - The Register — Published on 2026-06-29
Frequently Asked Questions
- Which disclosed vulnerabilities are considered the most dangerous?
- The two vulnerabilities already confirmed to have been exploited—CVE-2026-55200 (pre-authentication RCE in libssh2) and CVE-2026-20896 (authentication bypass in Gitea)—are particularly dangerous. libssh2 is a widely-used library, and Gitea is a critical self-hosted Git server for many organizations. Urgent action is required for both.
- What immediate steps can organizations take to protect their systems?
- If using Gitea, update to version 1.26.3 or later. For libssh2, while awaiting an official patch, limit SSH connections to the bare minimum and consider enhancing network-level defenses. More broadly, ensure all open-source library versions in use are the latest available.
- Why did the researcher release the exploits without prior notification?
- bikini claimed it was intended to encourage others to enter the field of cybersecurity. However, the researcher also noted that others were free to report the vulnerabilities and claim CVEs themselves. Some experts suggest this may have been a demonstration of how AI models can automate vulnerability discovery.