Federal Officials Warn of Active Exploitation of GitLab Account Hijack Vulnerability

May 2, 2024

A critical vulnerability in GitLab, which has not been patched by thousands of users since its disclosure in January, is now being actively exploited, according to warnings from federal government officials.

In May 2023, GitLab introduced a feature allowing users to initiate password changes via links sent to secondary email addresses. However, this feature contained a flaw that permitted attackers to issue password reset emails to their own accounts, enabling them to hijack GitLab accounts by simply clicking the embedded link. The vulnerability, identified as CVE-2023-7028, has a maximum severity rating of 10 out of 10.
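As an added illustration (not GitLab's code and not from the original article): a simplified password-reset flow in the flawed shape the paragraph describes, where the reset link goes to request-supplied addresses, beside a hardened version that only mails addresses already verified for the account. The account data, the reset URL and the function names are assumed for the example.

```python
import secrets

# Constructed sample data: username -> verified addresses on file (assumption:
# a primary plus confirmed secondary addresses). Not GitLab's data model.
VERIFIED_EMAILS = {
    "alice": {"alice@example.org", "alice.backup@example.org"},
}

def find_account(addresses):
    """Return the username whose verified addresses include any requested one."""
    for user, verified in VERIFIED_EMAILS.items():
        if verified & set(addresses):
            return user
    return None

def reset_flawed(requested, outbox):
    """Flawed model: once any requested address identifies an account, the
    live reset link is mailed to every address in the request, including
    ones never verified for that account. Returns the recipients mailed."""
    user = find_account(requested)
    if user is None:
        return []
    token = secrets.token_urlsafe(32)
    link = f"https://gitlab.example/-/reset?token={token}"  # assumed URL
    for addr in requested:  # no check against the account's verified set
        outbox.append((addr, link))
    return list(requested)

def reset_hardened(requested, outbox):
    """Hardened: recipients are filtered against the account's stored verified
    addresses, so a request can select among them but never add to them.
    Returns the recipients mailed (empty for unknown accounts, with no
    distinguishable error, so the endpoint does not confirm account existence)."""
    user = find_account(requested)
    if user is None:
        return []
    allowed = [a for a in requested if a in VERIFIED_EMAILS[user]]
    token = secrets.token_urlsafe(32)
    link = f"https://gitlab.example/-/reset?token={token}"  # assumed URL
    for addr in allowed:
        outbox.append((addr, link))
    return allowed
```

Running both handlers on the same request shows the difference: the flawed one mails the unverified address, the hardened one drops it.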

The US Cybersecurity and Infrastructure Security Agency (CISA) announced on Wednesday that it has added this vulnerability to its catalog of actively exploited vulnerabilities. CISA has not provided specific details regarding the attacks, and a representative from GitLab has also declined to comment on the precise nature of the exploitation.

This vulnerability could lead to significant security risks, as GitLab is integral to many users' development environments. Attackers gaining unauthorized access could potentially sabotage projects or implant backdoors, leading to widespread consequences similar to the infamous SolarWinds supply chain attack in 2021.

Security organization Shadowserver's internet scans revealed over 2,100 IP addresses running vulnerable GitLab instances, with the highest concentrations found in India, the United States, Indonesia, Algeria, and Thailand. The number of susceptible instances has decreased since the patch's release, with Shadowserver recording more than 5,300 addresses on January 22.

CISA has now mandated all federal civilian agencies to immediately patch the vulnerability, though the agency did not comment on the use of multi-factor authentication (MFA). Despite MFA not being entirely foolproof against this vulnerability, GitLab users are strongly advised to enable it, preferably following the FIDO industry standard.

It is critical for users to understand that simply patching the vulnerability does not secure systems that have already been compromised. GitLab has issued incident response guidance to assist users in addressing potential breaches.

CISA Announcement
