The dev stack is production: RCEs in CI servers, AI tools, and CMSes you exposed
Jenkins, GitLab, Tomcat, OFBiz, Craft CMS, plus a new wave of AI/dev tools, Langflow, n8n, Marimo, Trivy, Livewire. The DevTools and supply-chain entries share a blind spot: the development and automation stack is internet-facing production infrastructure, and it gets exploited like it.
There’s a category of system that teams mentally file as “dev tooling,” the CI server, the artifact repository, the low-code automation platform, the AI app builder, the CMS, and then expose to the internet and run with real privileges and real data. The catalog’s DevTools and supply-chain entries are a reminder that the dev stack is production infrastructure, and attackers treat it accordingly. Grouped together, the recent ones make the point.
CI/CD and source: the supply-chain crown jewels
- Jenkins CVE-2017-1000353 is a Java-deserialization RCE in the Jenkins remoting layer, an unauthenticated path to code execution on the build server, complementing the CLI file-read CVE-2024-23897. GitLab CVE-2021-22175 and CVE-2021-39935 add to GitLab’s exploited history (alongside the ExifTool RCE). As argued for TeamCity and APT29, a compromised CI/source server is a supply-chain compromise: source code, secrets, signing material, and the build pipeline into production.
Application servers and frameworks
- Apache Tomcat CVE-2025-24813 is a partial-PUT deserialization RCE, the Tomcat-as-RCE pattern again. Apache OFBiz CVE-2024-45195 is an RCE in the open-source ERP framework. Laravel Livewire CVE-2025-54068 is an RCE in the popular Laravel front-end framework component. These are the framework-and-app-server bugs that turn a web request into code execution; the deserialization and render/template lessons apply.
Content management
- Craft CMS CVE-2025-32432, CVE-2025-35939, CVE-2024-56145, and CVE-2025-23209 are a cluster of RCE/access-control flaws in Craft CMS, the CMS-as-target pattern (32432 was chained with a Yii framework bug for unauthenticated RCE and exploited in the wild). Internet-facing CMS platforms are perennial targets; patch fast and restrict the admin surface.
The new front: AI and low-code/automation tools
- Langflow CVE-2025-3248 and CVE-2026-33017, n8n CVE-2025-68613, Marimo CVE-2026-39987, and Aqua Trivy CVE-2026-33634 represent the newest wave: AI app builders, low-code automation platforms, notebook environments, and even a security scanner, getting exploited. Langflow’s CVE-2025-3248 was an unauthenticated RCE that saw active exploitation. These tools are often spun up quickly, exposed for convenience, run with broad access to data and execution, and built by young projects without hardened security. They’re attack surface the moment they touch the internet, and the AI-tooling gold rush is creating a lot of it.
What to do
- Treat dev/CI/automation/AI tools as production. Inventory them, patch them on an emergency cadence, and don’t expose their interfaces to the internet without strong access controls.
- Lock down CI/CD as supply-chain infrastructure. Jenkins, GitLab, and friends warrant tier-zero treatment: off the internet, MFA, segmented, secrets vaulted, and a supply-chain-incident response plan if compromised.
- Patch CMS and framework stacks fast, and minimize the admin/management surface exposed publicly.
- Vet AI and low-code tools before exposing them. New, fast-moving projects often haven’t been security-hardened. Sandbox them, restrict their data and execution scope, and keep them off the open internet.
- Assume compromise on exposed, unpatched instances, especially CI/source servers (scope a supply-chain incident) and AI tools with broad access.
The reframe is to delete the mental category of “just dev tooling.” The build server, the AI app builder, the automation platform, and the CMS are all internet-facing systems with code execution and access to data and pipelines, and the catalog shows them being exploited like the production infrastructure they are. Inventory them, patch them, get them off the open internet, and treat your CI/CD as the supply chain it is. We track the DevTools and supply-chain entries closely, because a compromise here can become your customers’ problem, not just yours.
Sources
Share
Related field notes
-
When the build tool, the GitHub Action, and sudo are the vulnerability
tj-actions, a poisoned GitHub Action; Sudo's chroot bug; 7-Zip's Mark-of-the-Web bypass; Git, FreeType, Erlang/OTP, PHPMailer, Vite, jQuery. The developer-tooling and dependency entries are the supply chain itself getting exploited, the layer beneath the apps you ship.
-
Cisco's management and identity products keep showing up in the catalog
Smart Licensing Utility, Identity Services Engine, IOS XE, Catalyst SD-WAN Manager, Unified Communications Manager, a run of exploited Cisco bugs in 2024-2026, including a hardcoded credential and several unauthenticated RCEs. The management plane is the target.
-
Shitrix: the Citrix bug that taught everyone how fast a perimeter RCE goes from PoC to pandemic
CVE-2019-19781, 'Shitrix,' was a path-traversal RCE in Citrix NetScaler. After disclosure with no patch, a public exploit dropped and mass exploitation followed within days. It set the template for the NetScaler-as-target story that CitrixBleed later continued.
One email, every weekday morning.
You're in. Check your inbox.