{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/gitbucket-4.23.1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2018-25332"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["GitBucket 4.23.1"],"_cs_severities":["critical"],"_cs_tags":["cve","rce","gitbucket","unauthenticated"],"_cs_type":"advisory","_cs_vendors":["VulnCheck"],"content_html":"\u003cp\u003eGitBucket version 4.23.1 is vulnerable to an unauthenticated remote code execution flaw. This vulnerability, identified as CVE-2018-25332, allows remote attackers to execute arbitrary commands on the server. The attack involves exploiting weak secret token generation, which leads to a brute-forceable Blowfish encryption key. Attackers leverage this to upload a malicious JAR plugin through the git-lfs endpoint, subsequently triggering execution of system commands through a specially crafted endpoint. This vulnerability poses a significant risk as it allows for complete system compromise without requiring any prior authentication.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a GitBucket 4.23.1 instance exposed to the internet.\u003c/li\u003e\n\u003cli\u003eAttacker exploits the weak secret token generation to brute-force the Blowfish encryption key.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious JAR plugin containing code for remote command execution.\u003c/li\u003e\n\u003cli\u003eAttacker uses the git-lfs endpoint to upload the malicious JAR plugin to the GitBucket instance.\u003c/li\u003e\n\u003cli\u003eAttacker triggers the installation or activation of the uploaded JAR plugin.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a request to the exposed exploit endpoint to execute arbitrary system commands.\u003c/li\u003e\n\u003cli\u003eThe GitBucket server executes the attacker-supplied system commands.\u003c/li\u003e\n\u003cli\u003eAttacker achieves remote code execution, potentially leading to full system compromise and data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2018-25332 allows an unauthenticated attacker to execute arbitrary commands on the affected GitBucket server. This can lead to full system compromise, data breaches, and potential disruption of services. The vulnerability has a CVSS v3.1 score of 9.8, indicating a critical severity. The impact includes complete compromise of confidentiality, integrity, and availability of the affected system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade GitBucket to a version higher than 4.23.1 to patch CVE-2018-25332.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CVE-2018-25332 GitBucket Malicious JAR Upload\u0026rdquo; to detect attempts to upload malicious JAR plugins.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to the git-lfs endpoint associated with suspicious JAR file uploads, as covered by the Sigma rule \u0026ldquo;Detect CVE-2018-25332 GitBucket Exploit Endpoint Access\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eImplement strong authentication and authorization mechanisms to prevent unauthenticated access and file uploads.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-17T13:17:30Z","date_published":"2026-05-17T13:17:30Z","id":"https://feed.craftedsignal.io/briefs/2026-05-gitbucket-rce/","summary":"GitBucket 4.23.1 contains an unauthenticated remote code execution vulnerability (CVE-2018-25332) allowing attackers to execute arbitrary commands by exploiting weak secret token generation and insecure file upload functionality via a malicious JAR plugin.","title":"GitBucket 4.23.1 Unauthenticated Remote Code Execution Vulnerability (CVE-2018-25332)","url":"https://feed.craftedsignal.io/briefs/2026-05-gitbucket-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — GitBucket 4.23.1","version":"https://jsonfeed.org/version/1.1"}