Critical Vulnerabilities Discovered by OpenAI Codex Security in GnuPG, GnuTLS, GOGS, PHP, Chromium, and More After Scanning 1.2 Million Commits

Executive Summary
The recent deployment of OpenAI Codex Security has marked a significant milestone in automated vulnerability discovery, with the platform autonomously scanning over 1.2 million code commits and identifying 10,561 high-severity issues, including 792 critical vulnerabilities, across a spectrum of widely used open-source projects. This unprecedented scale of automated code review has exposed latent risks in foundational software components such as GnuPG, GnuTLS, GOGS, Thorium, libssh, PHP, and Chromium. The presence of public proof-of-concept exploits for several of these vulnerabilities, particularly GnuPG CVE-2026-24881, elevates the urgency for immediate remediation. This advisory provides a comprehensive technical breakdown, exploitation evidence, threat actor context, affected versions, and actionable mitigation guidance to empower security teams to respond effectively.
Technical Information
OpenAI Codex Security leverages advanced AI-driven static and dynamic analysis to autonomously construct threat models, identify vulnerabilities, validate exploitability in sandboxed environments, and propose code-level remediations. The platform, available to ChatGPT Pro, Enterprise, Business, and Edu customers, represents an evolution of the earlier Aardvark engine, offering improved precision and a significant reduction in false positives.
During its 30-day beta, Codex Security scanned a diverse set of open-source repositories, uncovering a broad array of vulnerabilities. Notably, the tool identified stack-based buffer overflows, authentication bypasses, improper input validation, and cryptographic flaws. The most critical findings include:
GnuPG CVE-2026-24881 is a stack-based buffer overflow in the gpg-agent component, triggered during the handling of CMS (S/MIME) EnvelopedData messages with oversized wrapped session keys. This vulnerability is trivially exploitable for denial of service and, under certain conditions, can lead to remote code execution due to memory corruption. The flaw is rated at a CVSS v3.1 score of 9.8 (Critical), and public proof-of-concept code is available, significantly lowering the barrier for exploitation.
GnuTLS CVE-2025-32988 and CVE-2025-32989 affect widely deployed cryptographic libraries, with details pending public disclosure but classified as high-severity due to their potential impact on secure communications in Linux distributions.
GOGS CVE-2025-8110 and related vulnerabilities stem from improper handling of symbolic links in the PutContents API, enabling attackers to write files outside the intended repository directory and achieve remote code execution. These flaws are actively exploited in the wild, particularly against internet-exposed instances.
Thorium and libssh are affected by multiple CVEs, some of which impact authentication and encryption routines, potentially enabling privilege escalation or arbitrary code execution.
PHP and Chromium have been found to contain multiple high-severity vulnerabilities, with affected versions spanning both current and end-of-life releases, underscoring the importance of timely patch management.
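The GOGS finding above is an instance of a general class: an API that accepts a caller-supplied relative path and writes under a repository root, but follows a symbolic link planted inside the repository and so lands the write outside it. The following is an added illustration of that class and of the containment check that closes it. It is generic example code, not GOGS source; the function names, the temporary repository layout and the sample paths are constructed for the demonstration.

```python
"""Symlink-aware path confinement for a "write this file under the repo" API.

Added example, not taken from GOGS or from the advisory. The unsafe and the
hardened variants are shown side by side, and demo() builds a throwaway
repository (constructed sample data) containing a symlinked directory that
points outside the root.
"""
import os
import tempfile


class PathEscapeError(ValueError):
    """Raised when a requested path would resolve outside the repository root."""


def naive_target_path(repo_root: str, relative_path: str) -> str:
    """Unsafe pattern: reject literal '..' segments, then join and write.

    A symlink placed inside the repository that points elsewhere passes the
    '..' check and is followed silently at write time.
    """
    if ".." in relative_path.split("/"):
        raise PathEscapeError(relative_path)
    return os.path.join(repo_root, relative_path)


def confined_target_path(repo_root: str, relative_path: str) -> str:
    """Hardened pattern: canonicalise both sides, then test containment.

    os.path.realpath resolves every symlink in the candidate path, including
    symlinked parent directories, before the containment comparison runs.
    """
    root = os.path.realpath(repo_root)
    candidate = os.path.realpath(os.path.join(root, relative_path))
    if os.path.commonpath([root, candidate]) != root:
        raise PathEscapeError(
            f"{relative_path!r} resolves to {candidate!r}, outside {root!r}")
    return candidate


def is_confined(repo_root: str, relative_path: str) -> bool:
    """Boolean wrapper around confined_target_path for policy checks and tests."""
    try:
        confined_target_path(repo_root, relative_path)
        return True
    except PathEscapeError:
        return False


def demo() -> dict:
    """Constructed scenario: repo/docs is a symlink to a directory outside repo.

    Returns three booleans so the behaviour can be asserted without writing
    any file: whether the naive path escapes, whether the hardened check
    rejects it, and whether an ordinary path is still accepted.
    """
    base = tempfile.mkdtemp(prefix="confine-demo-")
    repo = os.path.join(base, "repo")
    outside = os.path.join(base, "outside")
    os.makedirs(repo)
    os.makedirs(outside)
    os.symlink(outside, os.path.join(repo, "docs"))  # the planted link
    real_repo = os.path.realpath(repo)

    naive = naive_target_path(repo, "docs/README.md")  # passes the '..' check
    naive_escapes = not os.path.realpath(naive).startswith(real_repo + os.sep)
    confined_rejected = not is_confined(repo, "docs/README.md")
    legit = confined_target_path(repo, "src/main.go")
    legit_accepted = legit.startswith(real_repo + os.sep)
    return {
        "naive_escapes": naive_escapes,
        "confined_rejected": confined_rejected,
        "legit_accepted": legit_accepted,
    }


if __name__ == "__main__":
    print(demo())
```

The containment test is a check-then-act sequence: if an attacker can replace a path component with a symlink between the check and the write, it can still be bypassed. A complete fix pairs this check with an open that refuses to follow links at the final component (`os.O_NOFOLLOW` on Linux) or with directory-relative opens that never leave the repository file descriptor.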
The technical depth of Codex Security’s analysis is evidenced by its ability to not only detect vulnerabilities but also validate exploitability and propose context-aware fixes, streamlining the remediation process for development and security teams.
Exploitation in the Wild
There is mounting evidence of active exploitation for several of the vulnerabilities surfaced by Codex Security. For GnuPG CVE-2026-24881, both CISA and Red Hat have issued advisories confirming that remote attackers can exploit the flaw by sending specially crafted CMS EnvelopedData messages, resulting in denial of service or potential remote code execution. Public proof-of-concept exploits are readily available, and security researchers have observed scanning activity targeting vulnerable endpoints.
GOGS CVE-2025-8110 is being actively exploited in the wild, with attackers leveraging the vulnerability to gain unauthorized access and execute arbitrary code on exposed servers. Large-scale campaigns have been documented, particularly targeting instances with open registration or weak access controls.
WordPress plugin vulnerabilities such as CVE-2025-14502 and CVE-2026-23550 are under mass exploitation, with attackers automating the creation of rogue administrator accounts and exfiltrating sensitive data from compromised sites.
Fortinet FortiOS/Manager/Analyzer vulnerabilities, including CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858, have been exploited in real-world attacks, enabling cross-tenant access and full device compromise via authentication bypasses.
Ivanti EPMM vulnerabilities (CVE-2026-1281 and CVE-2026-1340) have been exploited as zero-days, with attackers achieving unauthenticated remote code execution and compromising mobile device management infrastructure.
Indicators of compromise associated with these attacks include malicious CMS (S/MIME) messages, unexpected process launches, unauthorized configuration changes, and anomalous network traffic patterns.
APT Groups using these vulnerabilities
At the time of this advisory, there is no confirmed attribution of these vulnerabilities to specific Advanced Persistent Threat (APT) groups. However, the criticality of the flaws, the availability of public proof-of-concept exploits, and the foundational nature of the affected software components make them highly attractive to both opportunistic cybercriminals and sophisticated nation-state actors. Historical patterns suggest that APT groups specializing in initial access, lateral movement, and data exfiltration—such as those tracked by Mandiant, CrowdStrike, and Microsoft Threat Intelligence—are likely to incorporate these vulnerabilities into their toolkits as exploit code becomes more widely disseminated.
The MITRE ATT&CK techniques most relevant to these vulnerabilities include T1190 (Exploit Public-Facing Application), T1203 (Exploitation for Client Execution), T1059 (Command and Scripting Interpreter), T1078 (Valid Accounts), and T1550 (Use Alternate Authentication Material).
Affected Product Versions
The vulnerabilities identified by Codex Security impact a wide range of product versions:
GnuPG versions 2.5.13 through 2.5.16 are affected by CVE-2026-24881 and CVE-2026-24882, with fixes available in 2.5.17.
GOGS is vulnerable up to and including version 0.13.3, with no patch available as of this report.
GnuTLS is affected in all versions prior to 3.8.10, with remediation in 3.8.10.
Thorium versions 1.0.0 up to (but not including) 1.1.2 are impacted by a series of CVEs, with fixes in 1.1.2.
libssh vulnerabilities affect all versions less than 0.11.2 and those built with OpenSSL versions below 3.0.
PHP vulnerabilities span versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.10, and all end-of-life versions.
Chromium is affected in versions prior to the latest stable release as of March 2026, with specific CVEs detailed in the official release notes.
WordPress plugins such as CMB2 are vulnerable up to version 2.10.1 for CVE-2025-14502, with other plugin-specific vulnerabilities detailed in public advisories.
Fortinet FortiOS versions 7.0.0 through 7.0.13, 7.2.0 through 7.2.6, and 7.4.0 through 7.4.2, as well as corresponding FortiManager and FortiAnalyzer versions, are affected by multiple critical CVEs.
Ivanti EPMM is vulnerable across a broad range of versions from 10.0.0.0 through 11.10.0.3.
For detailed versioning and references, consult the official advisories and vendor documentation linked in the References section.
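Turning the version ranges above into an exposure check is the first thing an asset owner needs, and naive string comparison gets it wrong ("2.5.9" sorts after "2.5.16" as text). The following added example, not part of the advisory, transcribes the ranges from this section into a small table and compares installed versions as numeric tuples. The inventory it runs against is constructed sample input, and the product keys ("gnupg", "fortios", and so on) are names chosen for the example.

```python
"""Compare installed component versions against the affected ranges above.

Added example, not part of the original advisory. AFFECTED is transcribed
from the "Affected Product Versions" section; SAMPLE_INVENTORY is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'2.5.16' -> (2, 5, 16); '8.1.34-1ubuntu2' -> (8, 1, 34).

    Only the leading digits of each dot-separated piece are kept, so
    distribution suffixes are ignored and only the upstream version compares.
    """
    parts: List[int] = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


V = parse_version  # short alias for the table below


@dataclass(frozen=True)
class AffectedRange:
    product: str
    first: Optional[Version] = None          # inclusive; None = every earlier release
    fixed_in: Optional[Version] = None       # exclusive; first release not affected
    last_affected: Optional[Version] = None  # inclusive; used when no fix is listed
    note: str = ""

    def covers(self, v: Version) -> bool:
        if self.first is not None and v < self.first:
            return False
        if self.fixed_in is not None:
            return v < self.fixed_in
        if self.last_affected is not None:
            return v <= self.last_affected
        return True  # open-ended range with no fix known


AFFECTED: List[AffectedRange] = [
    AffectedRange("gnupg", V("2.5.13"), V("2.5.17"), note="CVE-2026-24881, CVE-2026-24882"),
    AffectedRange("gogs", None, None, V("0.13.3"), note="no patch available as of the report"),
    AffectedRange("gnutls", None, V("3.8.10"), note="CVE-2025-32988, CVE-2025-32989"),
    AffectedRange("thorium", V("1.0.0"), V("1.1.2")),
    # "built with OpenSSL below 3.0" is a build property, not a libssh version,
    # so it cannot be expressed as a range here and is carried as a note.
    AffectedRange("libssh", None, V("0.11.2"), note="also any build against OpenSSL < 3.0"),
    AffectedRange("php", V("8.1.0"), V("8.1.34")),
    AffectedRange("php", V("8.2.0"), V("8.2.30")),
    AffectedRange("php", V("8.3.0"), V("8.3.29")),
    AffectedRange("php", V("8.4.0"), V("8.4.16")),
    AffectedRange("php", V("8.5.0"), V("8.5.10")),
    AffectedRange("php", None, V("8.1.0"), note="end-of-life branch"),
    AffectedRange("cmb2", None, None, V("2.10.1"), note="CVE-2025-14502"),
    AffectedRange("fortios", V("7.0.0"), None, V("7.0.13")),
    AffectedRange("fortios", V("7.2.0"), None, V("7.2.6")),
    AffectedRange("fortios", V("7.4.0"), None, V("7.4.2")),
    AffectedRange("ivanti-epmm", V("10.0.0.0"), None, V("11.10.0.3")),
]


def affected_findings(product: str, version_text: str) -> List[str]:
    """One human-readable line per listed range the installed version falls in."""
    v = parse_version(version_text)
    hits = []
    for rng in AFFECTED:
        if rng.product == product.lower() and rng.covers(v):
            fix = f"fixed in {'.'.join(map(str, rng.fixed_in))}" if rng.fixed_in else "no fix listed"
            suffix = f"; {rng.note}" if rng.note else ""
            hits.append(f"{product} {version_text}: affected ({fix}){suffix}")
    return hits


def check_inventory(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each inventory entry to its findings; an empty list means no listed range matched."""
    return {name: affected_findings(name, ver) for name, ver in inventory.items()}


# Constructed sample inventory, as it might be exported from a package manager.
SAMPLE_INVENTORY = {
    "gnupg": "2.5.15",
    "gnutls": "3.8.10",
    "gogs": "0.13.3",
    "php": "8.3.20-1ubuntu1",
    "libssh": "0.11.2",
    "fortios": "7.2.4",
}

if __name__ == "__main__":
    for name, findings in check_inventory(SAMPLE_INVENTORY).items():
        print(name, "->", findings or ["not in a listed affected range"])
```

An empty result means only that the version is outside the ranges this advisory lists, not that the component is clean; the Chromium and WordPress entries above point to vendor release notes rather than concrete ranges and are deliberately absent from the table.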
Workaround and Mitigation
Immediate action is required to mitigate the risk posed by these vulnerabilities. Organizations should prioritize the following measures:
Apply vendor-supplied patches for all affected products and libraries as soon as they become available, with particular urgency for those vulnerabilities with public proof-of-concept exploits or confirmed in-the-wild exploitation.
Monitor for indicators of compromise, including anomalous process activity, unauthorized configuration changes, and suspicious network traffic associated with exploitation attempts.
Restrict exposure of vulnerable services to the internet by implementing network segmentation, access controls, and firewall rules to limit attack surface.
Enforce least-privilege access principles and regularly audit user accounts, especially for platforms such as WordPress and GOGS that are frequently targeted for privilege escalation.
Educate users and administrators about the risks of phishing and social engineering, particularly for vulnerabilities that may require user interaction to trigger exploitation.
For products without available patches, consider disabling vulnerable functionality, isolating affected systems, or deploying virtual patching solutions where feasible.
Leverage threat intelligence feeds and vulnerability management platforms to stay informed of emerging exploit activity and remediation guidance.
References
The following resources provide authoritative technical details, advisories, and proof-of-concept code for the vulnerabilities discussed in this report:
The Hacker News: OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues
NVD: CVE-2026-24881
GnuPG Dev Advisory
Openwall Security Mailing List
Action1 Patch Tuesday
Red Hat CVE-2026-24881
CISA Vulnerability Bulletin
SentinelOne CVE-2026-24881
GnuTLS Security
Fortinet Advisory
Ivanti Security Advisory
Chromium Releases
PHP Supported Versions
Feedly CVE Database
Rescana is here for you
At Rescana, we understand that the evolving threat landscape demands proactive, automated, and context-aware risk management. Our Third-Party Risk Management (TPRM) platform empowers organizations to continuously monitor, assess, and mitigate cyber risks across their digital supply chain. While this report focuses on the latest findings from OpenAI Codex Security, our platform is designed to help you stay ahead of emerging threats, streamline compliance, and enhance your overall security posture. We are committed to supporting your security team with actionable intelligence and expert guidance. For any questions or to discuss how Rescana can assist your organization, please contact us at ops@rescana.com.