Skip to content
.ca
sign in
3 minhigh

CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added CVE-2026-39987, a Remote Code Execution (RCE) vulnerability in Marimo, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. Organizations are strongly urged to prioritize timely remediation to reduce their exposure to cyberattacks.

Sens:ImmediateConf:highAnalyzed:2026-04-23reports

Authors: CISA

CVE-2026-39987RCECISAMarimoKEV

Source:CISA

Key Takeaways

  • CISA added CVE-2026-39987 to the Known Exploited Vulnerabilities (KEV) Catalog.
  • The vulnerability affects Marimo and allows for Remote Code Execution (RCE).
  • There is confirmed evidence of active exploitation in the wild.
  • Federal Civilian Executive Branch (FCEB) agencies are required to remediate this vulnerability under BOD 22-01.
  • All organizations are strongly urged to prioritize timely remediation of this vulnerability.

Affected Systems

  • Marimo

Vulnerabilities (CVEs)

  • CVE-2026-39987

Attack Chain

Threat actors are actively exploiting CVE-2026-39987, a Remote Code Execution vulnerability in Marimo. Successful exploitation likely allows attackers to execute arbitrary code on the affected system. Specific details regarding the attack chain, payloads, or post-exploitation activities are not provided in the alert.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No detection rules or logic are provided in the alert.

Detection Engineering Assessment

EDR Visibility: Medium — EDR may detect post-exploitation activity resulting from the RCE, such as unexpected child processes spawned by the Marimo application. Network Visibility: Medium — Network sensors might detect anomalous inbound requests targeting the Marimo vulnerability or outbound C2 traffic post-exploitation. Detection Difficulty: Moderate — Without specific IOCs or exploit payloads provided in the alert, detection relies on identifying anomalous behavior or process execution originating from the Marimo application.

Required Log Sources

  • Application Logs
  • Process Creation Logs (Event ID 4688 / Sysmon Event ID 1)
  • Network Traffic Logs

Hunting Hypotheses

HypothesisTelemetryATT&CK StageFP Risk
Look for unexpected child processes (e.g., cmd.exe, powershell.exe, bash) spawned by the Marimo application process, indicating potential RCE exploitation.Process Creation LogsExecutionMedium, depending on normal Marimo usage patterns if users legitimately run shell commands from within the application.

Control Gaps

  • Lack of specific exploit signatures
  • Unpatched Marimo instances

Key Behavioral Indicators

  • Anomalous process ancestry involving Marimo
  • Unexpected network connections originating from the Marimo process

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Identify and patch all instances of Marimo to the latest secure version addressing CVE-2026-39987.
  • Isolate unpatched Marimo instances from the internet or critical networks until remediation is complete.

Infrastructure Hardening

  • Implement network segmentation to restrict access to Marimo instances.
  • Deploy Web Application Firewalls (WAF) to monitor and filter traffic to public-facing applications.

User Protection

  • Ensure endpoint detection and response (EDR) agents are active and properly configured on servers hosting Marimo.

Security Awareness

  • Educate vulnerability management teams on the urgency of remediating CISA KEV catalog additions.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1203 - Exploitation for Client Execution

Related