
HARDENED
Cybersecurity Intelligence
Daily Briefing  ·  Monday, June 1, 2026  ·  hardened.news
>  The signal. Not the noise.    For teams that defend.
Lead Story
Critical — Public Exploit, No Patch  ·  Dev · Cloud+DevOps
Gogs ships a working exploit and no patch — one new account owns the whole Git server
Rapid7 released a Metasploit module for an unpatched Gogs flaw; on default installs, any self-registered user runs code and reads every repo, token, and SSH key.

Rapid7 disclosed a critical flaw in Gogs, the self-hosted Git service teams run to keep source code in-house, and no patch exists more than two months after the March 17 report. Gogs ships with open registration enabled by default, so anyone who can reach the server registers an account, then abuses a malicious pull-request branch name to inject the --exec flag into a rebase merge and run commands as the server process. From there an attacker reads every repository on the instance — including other tenants’ private code — and lifts every user’s SSH keys, API tokens, password hashes, and 2FA secrets. Rapid7 Disclosure → Bleeping Computer →

Rapid7 rates it CVSSv4 9.4 and published a Metasploit module that completes the chain in seconds against Linux and Windows hosts. No in-the-wild exploitation is confirmed, but a working public exploit against an unpatched, internet-exposed service carries its own urgency: Shadowserver counts more than 2,400 Gogs servers reachable online. SecurityWeek →

→ Key Takeaway
A public Metasploit module now exists for a Gogs flaw the maintainer has left unpatched for more than two months, and open registration means most internet-facing instances can be exploited by anyone who can reach them. A compromise exposes every repository, credential, and SSH key on the server, with no malware needed to trip endpoint detection. Action: Ask your engineering and platform teams whether any self-hosted Gogs instances are running — especially internet-facing ones — and have them restrict registration, disable rebase merging, or take the service off the public internet until a fix ships.
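The attack path described above works because a user-supplied branch name reaches a git command line, where a name beginning with a dash is read as an option. The Go snippet below is an added example, not Gogs code and not Rapid7's, showing the two defensive measures a merge worker can apply: ValidateBranchName re-implements the rules of `git check-ref-format --branch` (which reject a leading `-`, among other things), and RebaseArgs shows the argv a worker should assemble, validating both names and placing git's `--end-of-options` marker (supported since Git 2.24; the host's git version is an assumption) before the positional refs so nothing after it can be parsed as a flag. The function names are mine.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrBadRefName is returned for a branch name that breaks git's ref-name rules
// or that a git command line would parse as an option rather than a ref.
var ErrBadRefName = errors.New("invalid or unsafe branch name")

// ValidateBranchName re-implements the rules of `git check-ref-format --branch`
// (added example code, not the Gogs implementation). The first rule is the one
// that matters for option injection: a name beginning with '-' is rejected
// outright, so a flag such as "--exec" can never arrive disguised as a branch.
func ValidateBranchName(name string) error {
	switch {
	case name == "", name == "@":
		return ErrBadRefName
	case strings.HasPrefix(name, "-"): // looks like a command-line option
		return ErrBadRefName
	case strings.HasSuffix(name, "/"), strings.HasSuffix(name, "."), strings.HasSuffix(name, ".lock"):
		return ErrBadRefName
	case strings.Contains(name, ".."), strings.Contains(name, "@{"), strings.Contains(name, "//"):
		return ErrBadRefName
	}
	for _, r := range name {
		// control characters, DEL, space and git's reserved punctuation
		if r < 0x20 || r == 0x7f || strings.ContainsRune(" ~^:?*[\\", r) {
			return ErrBadRefName
		}
	}
	for _, part := range strings.Split(name, "/") {
		if strings.HasPrefix(part, ".") || strings.HasSuffix(part, ".lock") {
			return ErrBadRefName
		}
	}
	return nil
}

// RebaseArgs builds the argv a merge worker would hand to git for rebasing the
// pull-request head onto its base. Defence in depth: both names are validated,
// and "--end-of-options" tells git to treat everything after it as positional,
// so even a name that slipped past validation could not become a flag.
func RebaseArgs(baseBranch, headBranch string) ([]string, error) {
	for _, n := range []string{baseBranch, headBranch} {
		if err := ValidateBranchName(n); err != nil {
			return nil, fmt.Errorf("%w: %q", err, n)
		}
	}
	return []string{"rebase", "--end-of-options", baseBranch, headBranch}, nil
}

func main() {
	for _, name := range []string{"feature/login-fix", "--exec", "release/v1..2", "ok/.hidden"} {
		if err := ValidateBranchName(name); err != nil {
			fmt.Printf("reject %-20q %v\n", name, err)
		} else {
			fmt.Printf("accept %-20q\n", name)
		}
	}
	args, err := RebaseArgs("main", "feature/login-fix")
	fmt.Println(args, err)
}
```

Either measure on its own stops a dash-prefixed name from reaching git as an option; applying both means that neither a gap in the validator nor a later change in how the argv is assembled reopens the path by itself.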
Quick Hits
01
Fortinet Patches Unauthenticated Code-Execution Flaws in FortiAuthenticator and FortiSandbox

Fortinet patched two critical vulnerabilities in May — CVE-2026-44277 (CVSS 9.8) in FortiAuthenticator and CVE-2026-26083 (CVSS 9.1) in FortiSandbox — each lets an unauthenticated attacker execute unauthorized code or commands via crafted requests. FortiAuthenticator sits at the centre of many enterprises’ identity and MFA infrastructure and FortiSandbox inspects suspected malware, so compromise of either undermines a core security control rather than a peripheral system. No active exploitation has been reported, but Fortinet appliances are a recurring target and published patches tend to draw exploit development quickly. Confirm with your network and identity teams that FortiAuthenticator is on 6.5.7, 6.6.9, or 8.0.3 and FortiSandbox on 4.4.9 or 5.0.2 or later. The Hacker News →

High — Critical Patch Available  ·  Enterprise · IT Ops
CVE Watch
CVE-2026-34260 (SAP S/4HANA): SQL Injection in Enterprise Search for ABAP Exposes Business Data — Patched in SAP May 2026 Security Patch Day

SAP patched CVE-2026-34260 on its May 2026 Security Patch Day — an SQL injection flaw in the Enterprise Search for ABAP component of S/4HANA, carrying a CVSS 3.1 base score of 9.6. A low-privileged authenticated user can send crafted input that injects SQL statements, and the scope-change rating indicates impact reaching beyond the vulnerable component to the business data held in the underlying database. SAP characterizes the impact as high to confidentiality and availability with no integrity loss, which fits a data-exposure and disruption profile rather than data tampering. No public exploitation has been reported as of May 29, 2026; apply SAP Note 3724838 and ask your SAP Basis team to confirm S/4HANA systems are patched and that Enterprise Search exposure is limited to trusted users. NVD → The Hacker News →

Vendor: SAP  ·  CVE: CVE-2026-34260  ·  CVSS: 9.6 (SAP CVSS 3.1 advisory; NVD enrichment pending as of May 29, 2026)  ·  Attack Vector: Network (authenticated, low privilege)  ·  Affected: SAP S/4HANA — Enterprise Search for ABAP  ·  Fix: SAP May 2026 Security Patch Day (Note 3724838)  ·  Status: No confirmed exploitation as of May 29, 2026; high blast radius across enterprise and public-sector SAP deployments
Compliance Tip of the Day
NIST CSF 2.0 — ID.AM-02 — Identify: Asset Management
You Cannot Patch the Git Server You Forgot You Run

NIST CSF 2.0 ID.AM-02 requires that “Inventories of software, services, and systems managed by the organization are maintained” — and the unpatched Gogs flaw is dangerous precisely for the instances no one is tracking: a self-hosted Git server spun up by a single team, internet-facing, and absent from the asset register. An accurate software and service inventory is what turns “is anyone running Gogs?” from an open question into a query your team can answer in minutes. Action: Ask your security team to produce a current inventory of internet-facing self-hosted services — Git, CI, wikis — and confirm each one has a named owner and a patch path. NIST CSF 2.0 reference: csf.tools/id-am-02 →

On Our Radar

UEFI Secure Boot KEK certificate expiry — June 24, 2026 (23 days): the Microsoft Corporation KEK CA 2011 expires June 24; the UEFI CA 2011 follows June 27; the Windows Production PCA 2011 expires October 2026. Organizations with dual-boot Linux configurations or air-gapped systems not receiving automatic firmware updates should confirm remediation plans now. Tracking since Issue #039. Microsoft Support →
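The dates above can be checked against what a given machine actually trusts. The Go program below is an added example, not Microsoft's tooling and not from the page: it parses the KEK database's EFI_SIGNATURE_LIST format (the layout and the EFI_CERT_X509_GUID value are taken from the UEFI specification), extracts each X.509 certificate and prints its subject and NotAfter date, flagging anything that expires within 180 days. Run with no arguments it works on a constructed two-certificate sample it builds itself (the "Sample KEK CA" names and the self-signed certificates are invented); on a Linux host with efivarfs, pass the path of the KEK variable shown in the code and it reports the real entries. The helper names are mine.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/binary"
	"fmt"
	"log"
	"math/big"
	"os"
	"time"
)

// EFI_CERT_X509_GUID (a5c059a1-94e4-4aa7-87b5-ab155c2bf072) in the stored mixed-endian order.
var efiCertX509 = [16]byte{0xa1, 0x59, 0xc0, 0xa5, 0xe4, 0x94, 0xa7, 0x4a, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72}

// ParseSignatureLists walks the chain of EFI_SIGNATURE_LIST structures that forms the KEK variable
// payload (efivarfs attribute prefix already stripped) and returns every X.509 certificate it holds.
func ParseSignatureLists(data []byte) ([]*x509.Certificate, error) {
	var out []*x509.Certificate
	for len(data) > 0 {
		if len(data) < 28 {
			return nil, fmt.Errorf("truncated EFI_SIGNATURE_LIST header")
		}
		// header: SignatureType GUID[16], then SignatureListSize, SignatureHeaderSize, SignatureSize (UINT32 LE)
		listSize := binary.LittleEndian.Uint32(data[16:20])
		hdrEnd := 28 + uint64(binary.LittleEndian.Uint32(data[20:24]))
		sigSize := binary.LittleEndian.Uint32(data[24:28])
		if listSize < 28 || uint64(listSize) > uint64(len(data)) || hdrEnd > uint64(listSize) || sigSize <= 16 {
			return nil, fmt.Errorf("malformed EFI_SIGNATURE_LIST sizes")
		}
		var typ [16]byte
		copy(typ[:], data)
		body := data[int(hdrEnd):int(listSize)]
		data = data[listSize:]
		if typ != efiCertX509 { // hash lists and other types are skipped
			continue
		}
		for ; len(body) >= int(sigSize); body = body[sigSize:] { // EFI_SIGNATURE_DATA: owner GUID[16] + DER
			cert, err := x509.ParseCertificate(body[16:sigSize])
			if err != nil {
				return nil, fmt.Errorf("bad certificate in KEK: %w", err)
			}
			out = append(out, cert)
		}
	}
	return out, nil
}

// BuildSignatureList wraps one DER certificate in an X.509 EFI_SIGNATURE_LIST with a zero SignatureOwner,
// and SelfSignedCert mints a constructed stand-in for a vendor KEK CA. Both only produce sample input.
func BuildSignatureList(der []byte) []byte {
	sigSize := uint32(16 + len(der))
	buf := append([]byte{}, efiCertX509[:]...)
	buf = binary.LittleEndian.AppendUint32(buf, 28+sigSize) // SignatureListSize
	buf = binary.LittleEndian.AppendUint32(buf, 0)          // SignatureHeaderSize
	buf = binary.LittleEndian.AppendUint32(buf, sigSize)    // SignatureSize
	return append(append(buf, make([]byte, 16)...), der...) // zero SignatureOwner, then the DER
}

func SelfSignedCert(cn string, notAfter time.Time) []byte {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notAfter.AddDate(-15, 0, 0), NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return der
}

func main() {
	payload := append( // constructed sample: one certificate expiring June 24, 2026, one good until 2035
		BuildSignatureList(SelfSignedCert("Sample KEK CA 2011", time.Date(2026, 6, 24, 0, 0, 0, 0, time.UTC))),
		BuildSignatureList(SelfSignedCert("Sample KEK CA 2023", time.Date(2035, 1, 1, 0, 0, 0, 0, time.UTC)))...)
	if len(os.Args) > 1 { // real host: pass /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c
		raw, err := os.ReadFile(os.Args[1])
		if err != nil || len(raw) < 4 {
			log.Fatal("cannot read KEK variable: ", err)
		}
		payload = raw[4:] // efivarfs prefixes the payload with 4 attribute bytes
	}
	certs, err := ParseSignatureLists(payload)
	if err != nil {
		log.Fatal(err)
	}
	for _, c := range certs {
		fmt.Printf("%s  valid until %s  expiring=%t\n", c.Subject, c.NotAfter.Format("2006-01-02"),
			c.NotAfter.Before(time.Now().AddDate(0, 0, 180))) // true if already expired or within 180 days
	}
}
```

The db and dbx variables use the same EFI_SIGNATURE_LIST format, so the parser reads them unchanged; dbx is mostly SHA-256 hash lists, which the type check skips.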


This newsletter does not constitute professional security advice. Security configurations and threat landscapes vary by organization. Consult a qualified security professional for implementation guidance specific to your environment.

How we work: HARDENED uses AI agents for research, drafting, and automation. Every issue is reviewed by humans before publication. If you spot an error, reply directly — we correct the record promptly.
