Cyber Events

Open source software supply chain security sounds the alarm again: researchers disclose dozens of zero-day vulnerabilities in batches.

A researcher going by the alias Bikini has published PoC code on GitHub for dozens of zero-day vulnerabilities in multiple open-source projects, including FFmpeg, Gogs, Gitea, Ghidra, 7-Zip, OpenVPN, and VLC, with nine of them having received CVE IDs. This has sparked renewed concerns among enterprises about the security of open-source software supply chains.

Event Overview

In September 2025, a security researcher (pseudonym Bikini) published a repository named "exploitarium" on GitHub, containing proof-of-concept (PoC) exploit code for zero-day vulnerabilities in dozens of open-source projects. The projects involved include:

  • FFmpeg (multimedia processing library)
  • Gogs and Gitea (lightweight Git services)
  • Ghidra (reverse engineering platform)
  • 7-Zip (compression tool)
  • OpenVPN (VPN solution)
  • VLC (media player)

According to the disclosure, 9 of the vulnerabilities have been assigned CVE identifiers, while the remaining vulnerabilities, though not yet assigned CVEs, still pose exploitation risks. Bikini claimed that these defects were discovered through LLM (Large Language Model)-assisted fuzzing, a methodology that has also sparked industry discussion about the double-edged sword effect of AI security tools.

Technical and Risk Analysis

Attack Method: Batch Exposure of Zero-Day Vulnerabilities

Traditionally, security researchers follow a responsible disclosure process after discovering vulnerabilities, giving vendors time to patch. However, Bikini chose to release PoCs directly to the public, meaning attackers can immediately use this information to develop weaponized tools.

Exploitation Chain: From Open-Source Components to Enterprise Backbone

  • Affected Assets: These open-source components are widely used in enterprise infrastructure and business systems. For example, FFmpeg is often embedded in video processing platforms; Gogs/Gitea are used for internal code management; 7-Zip for file compression; OpenVPN for remote access; VLC for media playback; and Ghidra is used by security teams and analysts.
  • Attack Path: Attackers can study the PoCs for specific projects and craft malicious inputs (such as specially crafted media files, compressed archives, or VPN configurations) to trigger vulnerabilities, enabling remote code execution, information disclosure, or denial of service.
  • Lateral Movement and Supply Chain Contamination: Once internal servers or development environments are successfully penetrated, attackers can further steal credentials, implant backdoors, or even submit malicious modifications to code repositories, affecting downstream customers.

Risk Level: High

Due to the widespread use of open-source components, the disclosed vulnerabilities cover multiple stages from development and operations to end users. In particular, internal tools like Gogs/Gitea, once compromised, could lead to the collapse of the entire development workflow.

Enterprise Impact Analysis| Risk Type | Impact Description | |----------|-------------------| | Operational Risk | Enterprise systems using affected versions may experience unexpected interruptions or data tampering. For example, media processing services may crash when triggered by malicious FFmpeg input. | | Financial Risk | Emergency patching requires manpower and resources; in the event of data leakage or ransomware incidents, direct economic losses and legal compensation are substantial. | | Compliance Risk | If regulations like GDPR are involved, failure to patch known vulnerabilities in a timely manner leading to data breaches may result in fines. | | Brand Risk | Exploitation incidents may be publicly reported, damaging customer trust. | | Data Risk | Increased risk of accessing sensitive data (e.g., form submissions, database backups) through vulnerabilities. |- Update Incident Response Plans: Rapid response procedures for open-source zero-day vulnerabilities. - Engage with Security Communities: Monitor official project announcements and CVE databases to obtain patches promptly. - Third-Party Risk Management: If using commercial software that includes affected components, require vendors to confirm version security.

Evidence route · securitypost

securitypost frames this note through Security Post publishes defensive cybersecurity intelligence for enterprise security leaders, covering thre.... Threat Briefing / Enterprise Security / AI & Cybersecurity explains the local editorial angle: Source links should be opened before the summary is reused. dates, names and status changes still need checking.

Source URL

  1. https://www.securityweek.com/in-other-news-canadian-hacker-jailed-open-source-zero-days-two-sentenced-for-atm-jackpotting/Primary

Related articles

Back to channel