What happened
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning that threat actors are exploiting a five-year-old vulnerability in GitLab installations as part of active attacks. According to the advisory, the flaw, tracked as CVE-2018-XXXX, exists in how GitLab’s web interface handles certain crafted HTTP requests, which can be abused to bypass authentication controls and gain unauthorized access to the system. CISA noted that despite the vulnerability being disclosed years earlier and patches being available, many internet-accessible GitLab instances remain unpatched, allowing attackers to scan for and exploit the weakness. The agency added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and urged organizations to apply existing patches or mitigate exposure. Publicly available proof-of-concept exploit code has been circulating, and incidents of successful compromise have been observed by cybersecurity teams monitoring internet attack traffic.
Who is affected
Operators of on-premises GitLab servers that have not applied the patches for the disclosed vulnerability are affected; such instances remain open to unauthenticated access through the flaw.
Why CISOs should care
The active exploitation of a longstanding GitLab vulnerability underscores the importance of timely patching for internet-reachable infrastructure, especially when proof-of-concept exploit code is publicly available and threat actors are actively scanning and abusing exposed systems.
3 practical actions
- Patch vulnerable GitLab instances. Apply the available security updates that fix CVE-2018-XXXX.
- Scan for internet-exposed GitLab services. Identify unpatched installations reachable from public networks.
- Monitor for exploitation attempts. Review logs and IDS/IPS telemetry for signs of unauthenticated access attempts tied to the flaw.
