Critical Vulnerability

Marimo RCE exploited, LLM agent used for post-exploit

An unknown threat actor has been observed using a large language model (LLM) agent to conduct post-compromise actions after obtaining initial access following the exploitation of a publicly-accessible

What Happened

An unknown threat actor has been observed exploiting a publicly-accessible Marimo instance via CVE-2026-39987, an unauthenticated remote code execution vulnerability. In a novel twist, the attacker then deployed a large language model (LLM) agent to autonomously conduct post-exploitation activities - including reconnaissance, lateral movement, and data exfiltration - with minimal human intervention. This marks one of the first documented cases of LLM agents being used as an active post-compromise tool in a real-world intrusion, rather than merely for generating phishing content or malware code.

Why It Matters

This incident represents a significant shift in offensive cyber operations. For years, AI-assisted attacks have been hypothetical or limited to auxiliary tasks like writing spear-phishing emails. Here, the LLM agent functioned as an automated operator, reducing the attacker's hands-on-keyboard time and enabling faster, more consistent malicious actions. Organizations that have patched Marimo but lack detection for anomalous LLM API calls or process behavior may miss the secondary stage entirely. The exploitation itself is not new - the Marimo RCE has a known PoC - but the follow-on agent deployment signals that threat actors are now integrating AI into their kill chains at a deeper level, making response timelines more critical.

Technical Details

CVE-2026-39987 allows an unauthenticated attacker to execute arbitrary Python code on a Marimo notebook server exposed to the internet. After initial access, the threat actor loaded an LLM agent framework (based on observed network traffic and binary artifacts) onto the compromised host. The agent was configured with system prompts instructing it to:

  • Enumerate local users, network shares, and running services.
  • Attempt lateral movement using stolen credentials or known exploits.
  • Stage and exfiltrate data to an external cloud storage endpoint.
  • Maintain persistence by modifying crontab or registry keys.

Indicators of compromise include unexpected outbound connections to known LLM API endpoints (e.g., OpenAI or self-hosted model APIs), anomalous Python processes spawning shell commands, and the presence of agent configuration files in /tmp or %TEMP% directories. The actor used encrypted communications for agent commands, complicating detection.

Immediate Risk

The immediate risk is critical for any organization running a Marimo notebook server on a public or semi-public network. If unpatched, the CVE allows trivial RCE. But the compounding risk is the LLM agent: once deployed, it can act autonomously and rapidly scale compromise across the environment. Organizations should prioritize:

  1. Patching Marimo immediately to block initial access.
  2. Auditing for any instances of CVE-2026-39987 exploitation in logs.
  3. Monitoring for unusual outbound HTTPS traffic to LLM provider APIs or unknown endpoints.
  4. Inspecting systems for unexpected Python or script processes that may indicate an LLM agent.
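The indicators listed under Technical Details and monitoring items 3 and 4 above can be turned into host-level detection logic. The following is an added example (not code from the advisory or from any referenced vendor) that matches those indicators against a constructed stream of endpoint telemetry; the event shapes, hostnames, file paths and the LLM API watchlist are assumptions for illustration and should be tuned to your own environment.

```python
"""Added example (not from the advisory): matches the advisory's indicators
against a constructed stream of host telemetry. Event shapes, hostnames,
paths and the watchlists below are assumptions for illustration."""
import re
from dataclasses import dataclass

# Assumed watchlist of LLM API hosts; extend with self-hosted inference endpoints.
LLM_API_HOSTS = {"api.openai.com", "api.anthropic.com"}
# Shell images whose parent should not normally be a Python interpreter on a notebook server.
SHELL_IMAGES = {"sh", "bash", "zsh", "cmd.exe", "powershell.exe"}
# Temp directories named in the advisory (/tmp, %TEMP%) and a loose filename pattern
# for agent configuration files; both patterns are assumptions.
TEMP_DIR_RE = re.compile(r"^(/tmp/|[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\)", re.I)
AGENT_CONFIG_RE = re.compile(r"(agent|prompt|tool)[^/\\]*\.(ya?ml|json|toml)$", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    pid: int
    detail: str


def _python_spawns_shell(e):
    # Indicator: anomalous Python process spawning a shell.
    return (e["type"] == "process"
            and e["image"].lower() in SHELL_IMAGES
            and e["parent_image"].lower().startswith("python"))


def _outbound_llm_api(e):
    # Indicator: unexpected outbound connection to a known LLM API endpoint.
    return e["type"] == "network" and e["dst_host"].lower() in LLM_API_HOSTS


def _agent_config_in_temp(e):
    # Indicator: agent configuration file written into a temp directory.
    return (e["type"] == "file" and e["action"] == "create"
            and TEMP_DIR_RE.search(e["path"]) is not None
            and AGENT_CONFIG_RE.search(e["path"]) is not None)


RULES = {
    "python_spawns_shell": _python_spawns_shell,
    "outbound_llm_api": _outbound_llm_api,
    "agent_config_in_temp": _agent_config_in_temp,
}


def find_indicators(events):
    """Return one Finding per (event, rule) match; events are plain dicts."""
    findings = []
    for e in events:
        for name, check in RULES.items():
            if check(e):
                detail = e.get("cmdline") or e.get("dst_host") or e.get("path") or ""
                findings.append(Finding(name, e["host"], e["pid"], detail))
    return findings


# Constructed sample telemetry: nb-01 shows all three indicators, web-02 is benign.
SAMPLE_EVENTS = [
    {"type": "process", "host": "nb-01", "ts": 100, "pid": 4101, "image": "python3",
     "parent_image": "marimo", "cmdline": "python3 -c <redacted>"},
    {"type": "process", "host": "nb-01", "ts": 101, "pid": 4102, "image": "sh",
     "parent_image": "python3", "cmdline": "sh -c 'id; ls /'"},
    {"type": "network", "host": "nb-01", "ts": 102, "pid": 4101,
     "dst_host": "api.openai.com", "dst_port": 443},
    {"type": "file", "host": "nb-01", "ts": 103, "pid": 4101,
     "path": "/tmp/agent_config.yaml", "action": "create"},
    {"type": "process", "host": "web-02", "ts": 200, "pid": 77, "image": "sh",
     "parent_image": "cron", "cmdline": "sh /opt/backup.sh"},
    {"type": "network", "host": "web-02", "ts": 201, "pid": 77,
     "dst_host": "backup.example.internal", "dst_port": 443},
]

if __name__ == "__main__":
    for f in find_indicators(SAMPLE_EVENTS):
        print(f"{f.host} pid={f.pid} {f.rule}: {f.detail}")
```

Each rule fires on a single event, which keeps the logic cheap enough to run over raw EDR or auditd output; the cost is false positives on hosts where developers legitimately call LLM APIs from Python, so the watchlist and the temp-directory rule should be baselined per host group before alerting.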

CISA has not yet added this CVE to the KEV catalog, but given active exploitation with advanced post-compromise tooling, an emergency directive may be forthcoming.

Security Insight

The most urgent takeaway is not about Marimo specifically, but about the evolution of adversary tooling: LLM agents turn every initial foothold into a potential auto-pilot for lateral movement. Traditional detection rules that focus on known malware signatures or specific command sequences will fail against an agent that can be instructed via natural language prompts. Defenders must shift to behavior-based detection - looking for patterns like repeated API calls to LLM endpoints followed by file access or network scans - rather than trying to block every potential agent binary. Historical analogs are botnets, but LLM agents are far more adaptive. Organizations should treat any LLM agent payload detected on a system as a complete compromise, regardless of whether the attacker is actively controlling it at that moment.
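The behavior-based pattern described above (repeated LLM API calls followed by file access or network scanning) differs from single-event indicator matching in that it correlates what a host does in the minutes after the call. The following is an added example (not code from the advisory) of such a correlation rule over a constructed event stream; the time window, thresholds and the LLM API watchlist are assumptions and would need tuning against real baselines.

```python
"""Added example (not from the advisory): correlates an LLM API call with
follow-on file access or network scanning from the same host within a short
window. Window, thresholds, hostnames and event shapes are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

LLM_API_HOSTS = {"api.openai.com", "api.anthropic.com"}  # assumed watchlist
WINDOW_SECONDS = 120      # assumed: follow-on activity must land within 2 minutes
FILE_READ_THRESHOLD = 3   # assumed: 3+ file reads after a call is suspicious
SCAN_DISTINCT_HOSTS = 5   # assumed: 5+ distinct destinations looks like a scan


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    anchor_ts: int  # timestamp of the LLM API call that anchored the window


def correlate(events):
    """Return de-duplicated alerts for hosts whose LLM API call is followed by
    bulk file reads or by connections to many distinct hosts."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)

    alerts, seen = [], set()
    for host, evs in by_host.items():
        for i, e in enumerate(evs):
            if e["type"] != "network" or e.get("dst_host") not in LLM_API_HOSTS:
                continue
            # Everything this host did within the window after the anchor call.
            follow = [f for f in evs[i + 1:] if f["ts"] - e["ts"] <= WINDOW_SECONDS]
            reads = sum(1 for f in follow if f["type"] == "file" and f.get("action") == "read")
            dsts = {f["dst_host"] for f in follow
                    if f["type"] == "network" and f.get("dst_host") not in LLM_API_HOSTS}
            hits = []
            if reads >= FILE_READ_THRESHOLD:
                hits.append("llm_call_then_file_access")
            if len(dsts) >= SCAN_DISTINCT_HOSTS:
                hits.append("llm_call_then_network_scan")
            for rule in hits:
                if (host, rule) not in seen:
                    seen.add((host, rule))
                    alerts.append(Alert(host, rule, e["ts"]))
    return alerts


# Constructed sample: nb-01 calls an LLM API, then reads files and sweeps a subnet;
# dev-03 calls an LLM API but does nothing unusual afterwards.
SAMPLE_EVENTS = (
    [{"type": "network", "host": "nb-01", "ts": 100, "dst_host": "api.openai.com"}]
    + [{"type": "file", "host": "nb-01", "ts": 105 + i, "action": "read",
        "path": p} for i, p in enumerate(["/etc/passwd", "/etc/hosts", "/home/svc/.ssh/known_hosts"])]
    + [{"type": "network", "host": "nb-01", "ts": 110 + i, "dst_host": f"10.0.0.{i + 1}"}
       for i in range(5)]
    + [{"type": "network", "host": "dev-03", "ts": 500, "dst_host": "api.openai.com"},
       {"type": "file", "host": "dev-03", "ts": 510, "action": "read", "path": "/home/dev/notes.md"},
       {"type": "network", "host": "dev-03", "ts": 520, "dst_host": "git.example.internal"}]
)

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"{a.host}: {a.rule} (anchored at ts={a.anchor_ts})")
```

Anchoring the window on the LLM API call rather than on the file or network activity is what makes this rule resistant to agent tooling changes: the agent binary, framework or prompt can vary, but an autonomous operator still has to call its model and then act on the answer.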
