
Anonymous researcher drops “Exploitarium” : 109 files, 15 targets, zero vendor notice. I built 44 KQL detections to cover it.
A researcher going by ‘bikini’ has published a personal archive called Exploitarium - 15 vulnerability targets across 109 tracked files, dropped with no coordinated disclosure and no vendor notification.
This isn’t a polished toolkit. It reads like a personal research dump. Some of it is noise that the community has already dismissed. But not all of it.
Two findings stand out and have been independently verified:
libssh2 pre-auth heap write - CVSS 9.2. Pre-authentication. Actively exploited.
Gitea default Docker auth bypass - Also independently confirmed, also being exploited in the wild.
If you’re running either of these in your environment, treat this as live.
What I built in response:
44 KQL detection rules covering the full Exploitarium scope: 18 product folders, 6 CVEs, cross-platform (Windows, Linux, macOS, Container, Network, SaaS).
Rules for:
libssh2, Splunk, RustDesk, 7-Zip, VLC, AnyDesk, OpenVPN, c-ares and more.
All rules are live on detections.ai with language translation available for non-KQL stacks. The full repo is structured by product on GitHub.
Full intel report + IOCs in the links below.
GitHub repo: https://github.com/Ethan-Andrews/Exploitarium-Detections
Exploitarium breakdown: Threat Intel
Drop questions below, happy to walk through anything.