Hackers Exploiting GitLab Unauthenticated RCE Flaw in the Wild


Level 85
Thread author
Honorary Member
Top Poster
Content Creator
Malware Hunter
Aug 17, 2014
A now-patched critical remote code execution (RCE) vulnerability in GitLab's web interface has been detected as actively exploited in the wild, cybersecurity researchers warn, rendering a large number of internet-facing GitLab instances susceptible to attacks.

Tracked as CVE-2021-22205, the issue relates to an improper validation of user-provided images that results in arbitrary code execution. The vulnerability, which affects all versions starting from 11.9, has since been addressed by GitLab on April 14, 2021 in versions 13.8.8, 13.9.6, and 13.10.3.

In one of the real-world attacks detailed by HN Security last month, two user accounts with admin privileges were registered on a publicly-accessible GitLab server belonging to an unnamed customer by exploiting the aforementioned flaw to upload a malicious payload that leads to remote execution of arbitrary commands, including obtaining elevated permissions.
Although the flaw was initially deemed to be a case of authenticated RCE and assigned a CVSS score of 9.9, the severity rating was revised to 10.0 on September 21, 2021 owing to the fact that it can be triggered by unauthenticated threat actors as well.

"Despite the tiny move in CVSS score, a change from authenticated to unauthenticated has big implications for defenders," cybersecurity firm Rapid7 said in an alert published Monday.

Despite the public availability of the patches for more than six months, of the 60,000 internet-facing GitLab installations, only 21% of the instances are said to be fully patched against the issue, with another 50% still vulnerable to RCE attacks.


Level 37
Top Poster
Feb 4, 2016
A critical unauthenticated, remote code execution GitLab flaw fixed on April 14, 2021, remains exploitable, with over 50% of deployments remaining unpatched.
The vulnerability is tracked as CVE-2021-22205 and has a CVSS v3 score of 10.0, allowing an unauthenticated, remote attacker to execute arbitrary commands as the 'git' user (repository admin).

This vulnerability gives the remote attacker full access to the repository, including deleting, modifying, and stealing source code.

Exploitation in the wild​

Hackers first started exploiting internet-facing GitLab servers in June 2021 to create new users and give them admin rights.
The actors used a working exploit published on GitHub on June 4, 2021, allowing them to abuse the vulnerable ExifTool component.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.