CVE-2018-25332: GitBucket RCE Exposes Unauthenticated Command Execution
The National Vulnerability Database has published CVE-2018-25332, a critical unauthenticated remote code execution (RCE) vulnerability in GitBucket version 4.23.1. The flaw is a chain of two weaknesses: weak secret token generation and an insecure file upload path. Together they let an attacker with only network access to the instance run code in the context of the GitBucket process.
The chain runs as follows. The attacker first brute-forces the Blowfish encryption key, which the weak token generation makes feasible, then uses the git-lfs endpoint to upload a malicious JAR plugin. Once that plugin is staged, an endpoint exposed by the malicious plugin executes arbitrary system commands. NVD rates the issue CVSS 9.8 (Critical), the expected score for RCE that needs no credentials.
This is not a theoretical finding; it is a direct attack vector against any reachable GitBucket instance on the affected version. Because no prior access or account is required, the bar for exploitation is low, and the result is code execution on the host, from which data exfiltration and lateral movement within the environment follow.
What This Means For You
- If your organization uses GitBucket, verify the installed version now. If you are running GitBucket 4.23.1 or earlier, you are exposed to unauthenticated remote code execution. Upgrade to a release newer than 4.23.1 without delay; this is a fix-it-now situation, not one for next week's maintenance window. Until the upgrade lands, limit which networks can reach the instance (the exploit only needs HTTP access to the git-lfs endpoint) and review the plugin directory for JAR files you did not install.
🛡️ Detection Rules
```yaml
title: CVE-2018-25332: GitBucket Unauthenticated RCE via Git LFS Upload
id: scw-2026-05-17-ai-1
status: experimental
level: critical
description: |
  Detects the initial access vector for CVE-2018-25332 by looking for POST requests
  to the '/git-lfs/git-lfs' endpoint, which is used to upload malicious JAR plugins.
  This is a critical indicator of an attempted or successful exploitation of the
  GitBucket RCE vulnerability.
author: SCW Feed Engine (AI-generated)
date: 2026-05-17
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2018-25332/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains: '/git-lfs/git-lfs'
    cs-method: 'POST'
    sc-status: 200
  condition: selection
falsepositives:
  - Legitimate administrative activity
```

Two caveats before deploying this rule. It only fires on responses with status 200, so blocked or failed upload attempts (403, 404, 500) are invisible to it; a second rule without the status condition, at a lower level, will show you who is probing. And because it keys on a single URI substring, it will miss any variation in how the upload is addressed; pair it with monitoring of the GitBucket plugin directory for new JAR files, which is the artifact the upload is trying to produce.
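To see exactly what the selection block above matches, here is the rule's logic applied to webserver log lines in W3C extended format. This is an added example, not code from the original page or from the GitBucket project. The log lines are constructed for the example (the IPs are documentation ranges), and the `require_success` switch, which relaxes the status-200 condition to surface failed attempts, is an addition of this example rather than part of the page's rule.

```python
"""Apply the page's Sigma selection (cs-uri contains '/git-lfs/git-lfs',
cs-method POST, sc-status 200) to W3C extended-format webserver logs.

The log sample below is constructed for this example; it is not captured
from a real GitBucket instance.
"""
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri sc-status
2026-05-17 16:10:01 203.0.113.7 GET /admin/plugins 200
2026-05-17 16:10:05 203.0.113.7 POST /git-lfs/git-lfs 200
2026-05-17 16:10:06 203.0.113.7 POST /git-lfs/git-lfs 403
2026-05-17 16:11:12 198.51.100.4 PUT /git-lfs/alice/repo/0123abcd 200
2026-05-17 16:12:30 192.0.2.9 GET /git-lfs/git-lfs 200
"""


@dataclass
class LogEvent:
    date: str
    time: str
    c_ip: str
    cs_method: str
    cs_uri: str
    sc_status: int


def parse_w3c(text: str) -> List[LogEvent]:
    """Parse W3C extended log lines, taking column order from the #Fields directive."""
    fields: Optional[List[str]] = None
    events: List[LogEvent] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any #Fields line
        values = dict(zip(fields, line.split()))
        events.append(LogEvent(
            date=values["date"],
            time=values["time"],
            c_ip=values["c-ip"],
            cs_method=values["cs-method"],
            cs_uri=values["cs-uri"],
            sc_status=int(values["sc-status"]),
        ))
    return events


def sigma_selection(ev: LogEvent, require_success: bool = True) -> bool:
    """The rule's 'selection' block. Sigma string matching is case-insensitive,
    so the substring and method checks lower-case both sides.

    require_success=False drops the sc-status condition so that blocked or
    failed upload attempts are reported too (this switch is an assumption of
    the example, not part of the page's rule).
    """
    if "/git-lfs/git-lfs" not in ev.cs_uri.lower():
        return False
    if ev.cs_method.lower() != "post":
        return False
    if require_success and ev.sc_status != 200:
        return False
    return True


def detect(text: str, require_success: bool = True) -> List[LogEvent]:
    """Return every event in the log text that satisfies the selection."""
    return [ev for ev in parse_w3c(text) if sigma_selection(ev, require_success)]


if __name__ == "__main__":
    for ev in detect(SAMPLE_LOG):
        print(f"ALERT {ev.date} {ev.time} {ev.c_ip} {ev.cs_method} {ev.cs_uri} {ev.sc_status}")
    print("--- including failed attempts ---")
    for ev in detect(SAMPLE_LOG, require_success=False):
        print(f"ATTEMPT {ev.date} {ev.time} {ev.c_ip} {ev.sc_status}")
```

Run against the sample, the strict rule returns a single event (the 200 POST from 203.0.113.7); the relaxed variant also returns the 403 from the same client one second later, which is the kind of sequence that distinguishes an attacker probing the endpoint from legitimate administrative activity.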
Indicators of Compromise
| CVE | Kind | Indicator |
|---|---|---|
| CVE-2018-25332 | Affected version | GitBucket 4.23.1 |
| CVE-2018-25332 | Weakness | Weak secret token generation (Blowfish encryption key can be brute-forced) |
| CVE-2018-25332 | Weakness | Insecure file upload via the git-lfs endpoint |
| CVE-2018-25332 | Artifact | Malicious JAR plugin uploaded to the instance |
| CVE-2018-25332 | Behavior | Endpoint exposed by the uploaded plugin used for system command execution |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 17, 2026 at 16:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.