Source: https://sploitus.com/exploit?id=0A6C4271-3B76-548A-927D-86B59EB92AA7
# Exploitarium-Detections
## Exploitarium KQL Detection Coverage
KQL detection rules for Microsoft Sentinel and Defender XDR covering the **bikini/exploitarium**
anonymous disclosure, a personal research archive of 15 distinct vulnerability targets across
109 tracked files, released without vendor notification on June 28, 2026.
**45 rules** | **KQL** | **Author:** Ethan Andrews ([@eandrews](https://detections.ai/user/eandrews))
Intel report: https://systemtwosecurity.com/share/inspiration/VNJMKFVM
---
## Background
An anonymous researcher known as 'bikini' released exploitarium, a GitHub repo containing
proof-of-concept research across 15 distinct vulnerability targets (109 tracked files across
15 folders). The repo is young (9 commits, 9 stars, 1 fork) and represents one researcher's
personal archive rather than a large coordinated offensive toolkit.
**Scope clarification:** The repo contains 15 distinct vulnerability research targets. File counts per folder
reflect individual files (scripts, payloads, helpers, READMEs), not distinct CVEs. The
researcher's README notes these were unreported at time of posting.
The most technically significant findings, the libssh2 pre-auth heap write and the Gitea default
Docker auth bypass, have been independently verified as high-risk with active exploitation
observed. Some entries have been dismissed by the community as low-impact AI-fuzzing noise.
---
## Exploitarium Folder Breakdown
| Folder | Tracked Files |
|--------|--------------|
| objdump-dlx-calc-poc | 41 |
| ghidra-12.1.2-rce-ace-calc-poc | 9 |
| openvpn-connect-echo-script-ace-poc | 8 |
| lunar-modrinth-chain-poc | 6 |
| docker-cp-copyout-destination-escape | 5 |
| imagemagick-gs-delegate-hijack-poc | 5 |
| mybb-limited-acp-to-admin | 5 |
| nmap-ipv6-extlen-wrap-poc | 4 |
| anydesk-printer-com-impersonation-poc | 4 |
| gitea-act-runner-container-options-poc | 4 |
| 7zip-rar5-motw-chain-poc | 3 |
| flowise-mcp-env-case-bypass-poc | 3 |
| floci-apigateway-vtl-rce-poc | 3 |
| libssh2-cve-2026-55200-poc | 3 |
| vlc-vp9-reschange-crash-poc | 3 |
| **Total** | **109** |
---
## Repository Structure
```
exploitarium-detections/
├── detections/
│   ├── 7zip/                  # MOTW bypass x3 (rules 02, 27, 28)
│   ├── anydesk/               # COM hijack DLL, named pipe, PE fingerprint recon (rules 06, 36, 17)
│   ├── c-ares/                # TCP UAF NDR sequence, linkage recon, DNS failure spike (rules 07, 08, 41)
│   ├── docker/                # Privileged container host mount shell spawn (rule 38)
│   ├── exploitarium-generic/  # calc.exe PoC generic, multi-CVE sweep (rules 22, 44)
│   ├── firefox/               # SmartWindow silent enablement (rule 09)
│   ├── flowise/               # Unauthorized API access (rule 37)
│   ├── ghidra/                # Headless analyzer suspicious script execution (rule 40)
│   ├── imagemagick/           # Policy bypass delegate execution (rule 39)
│   ├── libssh2/               # Pre-auth RCE, DoS x2, scaffold x2, heap corruption, recon (rules 01, 12, 13, 24, 25, 26, 35)
│   ├── lunar-client/          # Electron IPC preload, Modrinth gameDirectory abuse (rules 15, 16)
│   ├── mybb/                  # ACP privilege escalation x2 (rules 05, 21)
│   ├── nmap/                  # IPv6 ExtLen wrap PoC (rule 18)
│   ├── openvpn/               # PAC injection, echo script ACE, DHCP option injection (rules 14, 42, CVE-2026-45115)
│   ├── php/                   # SOAP RCE, ASLR bypass (rules 10, 11)
│   ├── rustdesk/              # Session bypass x4 (rules 03, 19, 23, 33, 34)
│   ├── splunk/                # splunkd child process, reverse shell, REST API, PoC artifact (rules 20, 31, 32, 43)
│   └── vlc/                   # VP9 crash/child spawn, WER report, VP9 decode child (rules 04, 29, 30)
└── docs/
    └── COVERAGE.md            # Full rule index with MITRE and CVE mapping
```
---
## Coverage by Product
| Product | Rules | CVEs |
|---------|-------|------|
| libssh2 | 7 | CVE-2026-55200, CVE-2026-55199 |
| Splunk | 4 | CVE-2026-20253 |
| RustDesk | 4 | CVE-2026-46331 |
| 7-Zip | 3 | CVE-2026-45115 |
| VLC | 3 | CVE-2026-20896 |
| AnyDesk | 3 | – |
| OpenVPN Connect | 3 | CVE-2026-45115 |
| c-ares | 3 | – |
| MyBB | 2 | – |
| PHP | 2 | – |
| Lunar Client | 2 | – |
| Exploitarium Generic | 2 | – |
| Docker | 1 | – |
| Firefox | 1 | – |
| Flowise | 1 | – |
| Ghidra | 1 | – |
| ImageMagick | 1 | – |
| Nmap | 1 | – |
---
## CVE Coverage
| CVE | CVSS | Affected | Rules |
|-----|------|----------|-------|
| CVE-2026-55200 | 9.2 | libssh2 ≤1.11.1 (transitive: curl, Git, PHP) | 5 |
| CVE-2026-55199 | – | libssh2 DoS via key exchange CPU spin | 2 |
| CVE-2026-20253 | – | Splunk splunkd RCE | 4 |
| CVE-2026-46331 | – | RustDesk session permission bypass | 4 |
| CVE-2026-45115 | – | 7-Zip MOTW bypass + OpenVPN ACE | 4 |
| CVE-2026-20896 | – | VLC VP9 heap corruption | 3 |
---
## Platform Coverage
| Platform | Rules |
|----------|-------|
| Windows | 35 |
| Linux | 22 |
| macOS | 4 |
| Container/Runtime | 3 |
| Network (NDR/CSL) | 1 |
| SaaS | 1 |
---
## Priority Rules: Action First
1. `libssh2/cve-2026-55200-pre-auth-rce-child-process.kql` - CVSS 9.2, active exploitation
2. `libssh2/libssh2-linkage-recon-ldd-readelf-strings.kql` - catch pre-exploitation recon
3. `libssh2/cve-2026-55200-libpwn-harness-binaries-endpoint.kql` - harness binaries on disk
4. `exploitarium-generic/multi-cve-exploitarium-sweep-simultaneous-poc.kql` - broadest sweep
5. `splunk/cve-2026-20253-splunkd-unexpected-child-process.kql` - high-value enterprise target
6. `rustdesk/rustdesk-session-permission-bypass-comprehensive.kql` - full multi-branch coverage
---
## Rule Index (PDF Canonical Order)
| # | File | CVE |
|---|------|-----|
| 01 | libssh2/cve-2026-55200-pre-auth-rce-child-process.kql | CVE-2026-55200 |
| 02 | 7zip/7zip-rar5-motw-bypass-extracted-exe-launch.kql | CVE-2026-45115 |
| 03 | rustdesk/rustdesk-session-permission-bypass-comprehensive.kql | CVE-2026-46331 |
| 04 | vlc/vlc-vp9-resolution-change-crash-child-spawn.kql | CVE-2026-20896 |
| 05 | mybb/mybb-acp-privesc-limited-admin-template-plugin.kql | – |
| 06 | anydesk/anydesk-printer-com-hijack-dll-load.kql | – |
| 07 | c-ares/c-ares-tcp-uaf-dns-formerr-rst-ndr.kql | – |
| 08 | c-ares/c-ares-linkage-discovery-ldd-readelf-recon.kql | – |
| 09 | firefox/firefox-smartwindow-silent-enable-attacker-endpoint.kql | – |
| 10 | php/php-857-soap-rce-heap-spray.kql | – |
| 11 | php/php-aslr-defeat-proc-self-maps-mem.kql | – |
| 12 | libssh2/cve-2026-55200-malicious-ssh-scaffold-cipher-negotiation.kql | CVE-2026-55200 |
| 13 | libssh2/cve-2026-55200-libpwn-scaffold-execution.kql | CVE-2026-55200 |
| 14 | openvpn/openvpn-pac-autoconfigurl-injection.kql | – |
| 15 | lunar-client/lunar-client-electron-preload-ipc-privesc.kql | – |
| 16 | lunar-client/lunar-client-modrinth-ipc-gamedirectory-abuse.kql | – |
| 17 | anydesk/anydesk-976-pe-fingerprint-recon.kql | – |
| 18 | nmap/nmap-ipv6-extlen-wrap-poc-compilation-execution.kql | – |
| 19 | rustdesk/rustdesk-anomalous-relay-connection-ports.kql | CVE-2026-46331 |
| 20 | splunk/cve-2026-20253-splunkd-unexpected-child-process.kql | CVE-2026-20253 |
| 21 | mybb/mybb-limited-acp-accessing-superadmin-functions.kql | – |
| 22 | exploitarium-generic/exploitarium-poc-calc-spawned-by-anomalous-parent.kql | – |
| 23 | rustdesk/rustdesk-session-permission-bypass-comprehensive.kql | CVE-2026-46331 |
| 24 | libssh2/libssh2-linkage-recon-ldd-readelf-strings.kql | CVE-2026-55200 |
| 25 | libssh2/cve-2026-55199-libssh2-dos-cpu-spin.kql | CVE-2026-55199 |
| 26 | libssh2/libssh2-publickey-heap-corruption-poc.kql | CVE-2026-55200 |
| 27 | 7zip/cve-2026-45115-7zip-motw-archive-extraction-temp-execution.kql | CVE-2026-45115 |
| 28 | 7zip/cve-2026-45115-7zip-rar5-motw-zone-identifier-absent.kql | CVE-2026-45115 |
| 29 | vlc/cve-2026-20896-vlc-vp9-crash-dump-wer-report.kql | CVE-2026-20896 |
| 30 | vlc/cve-2026-20896-vlc-suspicious-child-process-vp9-decode.kql | CVE-2026-20896 |
| 31 | splunk/cve-2026-20253-splunk-rce-reverse-shell-indicators.kql | CVE-2026-20253 |
| 32 | splunk/cve-2026-20253-splunk-malicious-search-command-rest-api.kql | CVE-2026-20253 |
| 33 | rustdesk/cve-2026-46331-rustdesk-unauthenticated-relay-forged-token.kql | CVE-2026-46331 |
| 34 | rustdesk/cve-2026-46331-rustdesk-relay-server-impersonation-nonstandard-port.kql | CVE-2026-46331 |
| 35 | libssh2/cve-2026-55199-libssh2-dos-malformed-kex-init-flood.kql | CVE-2026-55199 |
| 36 | anydesk/anydesk-com-printer-pipe-named-pipe-creation.kql | – |
| 37 | flowise/flowise-ai-server-unauthorized-api-access-prompt-injection.kql | – |
| 38 | docker/docker-container-escape-privileged-host-mount-shell.kql | – |
| 39 | imagemagick/imagemagick-policy-bypass-delegate-execution.kql | – |
| 40 | ghidra/ghidra-headless-analyzer-suspicious-script-execution.kql | – |
| 41 | c-ares/c-ares-tcp-uaf-dns-resolution-failure-spike.kql | – |
| 42 | openvpn/openvpn-dhcp-option-injection-autoconfigurl-registry.kql | – |
| 43 | splunk/cve-2026-20253-splunk-exploit-poc-script-artifact.kql | CVE-2026-20253 |
| 44 | exploitarium-generic/multi-cve-exploitarium-sweep-simultaneous-poc.kql | All 6 CVEs |
---
## Usage
Each `.kql` file contains the full rule body plus a metadata header (severity, platforms,
MITRE IDs, CVEs, detections.ai link). Import directly into Sentinel as a scheduled query
rule or Defender XDR as a custom detection.
Rules are also available in Splunk SPL, Elastic, Chronicle, and other stacks via the
[detections.ai language translation feature](https://detections.ai).
---
## Author
**Ethan Andrews**
Trusted Contributor - [detections.ai](https://detections.ai/user/eandrews)