What is the primary risk associated with Floci in local environments?

Floci is a local AWS emulator. The risk stems from typical development misconfigurations, such as mounting the host docker socket directly to the emulator. If the emulator is compromised via techniques like Server-Side Request Forgery, an attacker can escape the container and execute code on the host system.

Exploitarium Repo Claims: Fake Zero-Days, Real Threat | Femto Security Threat Intelligence

Key Takeaways

Threat actors on dark web forums are marketing public exploit research as unpatched zero-days to scam other criminals and intimidate organizations.
The underlying public exploits are highly functional and pose a direct risk of remote code execution if left unpatched.
Major targets mentioned in the repository include critical components of Gitea, libssh, and local testing environments like Floci.
A client-side integer overflow in libssh allows remote execution during pre-authentication handshakes with rogue servers.

Bikini/Exploitarium Targeted Components

Exploitarium

libssh/libssh2

Gitea Platform

c-ares Library

Floci AWS Emulator

Exploitarium

libssh/libssh2high
Gitea Platformhigh
c-ares Librarymedium
Floci AWS Emulatormedium

Exploitarium Indicators of Compromise

url
github.com/bikini/exploitarium
Public exploit repository containing PoC payloads
url
github.com/bikini/exploitarium
Public exploit repository containing PoC payloads
cve
CVE-2026-55200
Critical libssh2 pre-authentication heap overflow (CVSS 9.2)
cve
CVE-2026-55200
Critical libssh2 pre-authentication heap overflow (CVSS 9.2)
cve
CVE-2026-20896
Gitea global admin authentication bypass (CVSS 9.8)
cve
CVE-2026-20896
Gitea global admin authentication bypass (CVSS 9.8)
cve
CVE-2025-62408
c-ares Denial of Service vulnerability
cve
CVE-2025-62408
c-ares Denial of Service vulnerability

CVE-2026-55200 Pre-Auth Attack Flow

1Initial Connectionlow
Vulnerable client connects to malicious SSH server
low
2Pre-Auth Handshakelow
Standard key exchange initiated without credentials
low
3Payload Deliverymedium
Server sends excessive packet_length (0xffffffff)
medium
4Integer Wraparoundhigh
Client arithmetic wraps, allocating undersized heap buffer
high
5Memory Corruptioncritical
Client copies packet, writing beyond allocated bounds
critical
6Code Executioncritical
Corrupted callback pointers hijack execution flow
critical

Exploitarium MITRE ATT&CK Mapping

Initial Access

T1190

Exploit Public-Facing Application

Execution

T1203

Exploitation for Client Execution

Defense Evasion

T1574.002

DLL Side-Loading

Privilege Escalation

T1610

Deploy Container

Exploitarium Mitigation & Patch Checklist

Progress0 / 5 (0%)

Patch libssh2 Dependency
Apply upstream security commit 97acf3dfda80c91c3a8c9f2372546301d4a1a7a8 or upgrade to 1.11.2+
Restrict Gitea Reverse Proxies
Disable wildcard REVERSE_PROXY_TRUSTED_PROXIES and upgrade to 1.26.4+
Secure Floci Deployments
Do not expose /var/run/docker.sock to local emulators
Upgrade c-ares Library
Update dependencies to version 1.34.6+ and monitor ahost.exe execution path
Block Exploit Repository
Implement corporate DNS/proxy blocks for github.com/bikini/exploitarium

How to Defend Against Similar Threats

Audit enterprise systems for vulnerable instances of the libssh library and apply current security patches immediately.
Configure Gitea trusted proxies to restrict access to explicitly defined IP addresses, preventing header authentication bypasses.
Isolate local developer testing environments running Floci, ensuring they do not have administrative access to host docker sockets.
Implement egress filtering to block automated tools and developer endpoints from reaching unapproved public code repositories.

Threat Intel FAQ

Is the Bikini/Exploitarium repository a source of genuine unpatched zero-day vulnerabilities?

No, technical analysis shows that the repository is a public collection of offensive security research and proof-of-concept exploits for already documented vulnerabilities. The zero-day claims on dark web forums are likely fraudulent marketing tactics, although the public exploits themselves remain highly dangerous and actionable.

How can an attacker exploit the pre-authentication vulnerability in libssh?

If a client application connects to a rogue or hijacked SSH server, the server can send a malformed transport-layer packet with a massive packet length. This triggers an integer wraparound on the client side, causing a heap overflow and allowing remote code execution under the context of the client application.

Could a similar threat affect your organization?

If your team may be exposed to a similar threat, FemtoSec can help validate blast radius, prioritize remediation, and connect the issue to a practical security program.

Exploitarium Repository: Fake Zero-Day Claims Expose Real

Key Takeaways

How to Defend Against Similar Threats

Threat Intel FAQ

Could a similar threat affect your organization?