Atredis Partners
Sam
3D Printing Flying Probe Test Harnesses: Can you?
3D printing test probe harnesses on decade old printers, and you can too!
watchTowr Labs
Fire In The Hole, We’re Breaching The Vault - Commvault Remote Code Execution (CVE-2025-34028)
As we pack our bags and prepare for the adult-er version of BlackHat (that apparently doesn’t require us to print out stolen mailspoolz to hand to people at their talks), we want to tell you about a recent adventure - a heist, if you will. No heist story is ever complete without a 10-metre thick steel door vault, silent pressure sensors beneath marble floors and laser grids slicing the air like spiderwebs — befitting of a crew reckless enough to think they can beat it all. Enterprises continue
DARKNAVY
DARKNAVY
The Jailbroken Unitree Robot Dog
The history of humanity’s domestication of wolves has spanned forty thousand years – we used firelight and patience to soften the wildness in their eyes, transforming their fangs into the loyalty that guards our homes. When various robot dogs created by America’s Boston Dynamics and China’s Unitree Robotics leap and flip gracefully under the spotlight, this ancient symbiotic relationship seems to take on a new meaning in the cyber age: trust that once required thousands of years of genetic selection to build can now be achieved with just a line of code.
PortSwigger Research
Gareth Heyes
Document My Pentest: you hack, the AI writes it up!
Tired of repeating yourself? Automate your web security audit trail. In this post I'll introduce a new Burp AI extension that takes the boring bits out of your pen test. Web security testing can be a
RET2 Systems Blog
Jack Dates
Exploiting the Synology DiskStation with Null-byte Writes
In October, we attended Pwn2Own Ireland 2024 and successfully exploited the Synology DiskStation DS1823xs+ to obtain remote code execution as root. This issu...
Synacktiv
CVE-2025-23016 - Exploiting the FastCGI library
At the beginning of 2025, as part of our internal research, we discovered a vulnerability in the FastCGI lightweight web server development library. In this article, we'll take a look at the inner workings of the FastCGI protocol to understand how...
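To make the protocol the Synacktiv post dissects concrete, here is an added example that is not code from the article or from the FastCGI library: a small Python codec for FastCGI records and FCGI_PARAMS name-value pairs, written the way an application server should read them, checking every declared length against the bytes actually present. The record and length encodings follow the FastCGI specification; the parameter names, the request id and the oversized value are constructed for the demo, and nothing here claims to be the specific bug in CVE-2025-23016.

```python
# Added example, not code from the Synacktiv article or from the FastCGI
# library: a minimal FastCGI record and FCGI_PARAMS codec with the length
# checks a parameter parser must do before copying or allocating anything.
import struct

FCGI_VERSION_1 = 1
FCGI_BEGIN_REQUEST, FCGI_END_REQUEST, FCGI_PARAMS, FCGI_STDIN = 1, 3, 4, 5
FCGI_RESPONDER = 1
# version, type, requestId, contentLength, paddingLength, reserved (8 bytes, big-endian)
_HEADER = struct.Struct(">BBHHBx")


def build_record(rtype: int, request_id: int, content: bytes) -> bytes:
    """One FastCGI record; content is padded out to an 8-byte boundary."""
    if len(content) > 0xFFFF:
        raise ValueError("content does not fit a single record")
    padding = (-len(content)) % 8
    header = _HEADER.pack(FCGI_VERSION_1, rtype, request_id, len(content), padding)
    return header + content + b"\x00" * padding


def parse_records(data: bytes):
    """Yield (type, request_id, content) for each complete record in data."""
    off = 0
    while off + _HEADER.size <= len(data):
        version, rtype, rid, clen, plen = _HEADER.unpack_from(data, off)
        if version != FCGI_VERSION_1:
            raise ValueError("unsupported FastCGI version %d" % version)
        body_end = off + _HEADER.size + clen
        if body_end + plen > len(data):
            raise ValueError("truncated record")
        yield rtype, rid, data[off + _HEADER.size:body_end]
        off = body_end + plen
    if off != len(data):
        raise ValueError("trailing bytes after last record")


def _encode_len(n: int) -> bytes:
    # Lengths below 128 take one byte; larger ones take four bytes with the top bit set.
    if n < 0x80:
        return bytes([n])
    if n > 0x7FFFFFFF:
        raise ValueError("length too large for FastCGI name-value encoding")
    return struct.pack(">I", n | 0x80000000)


def encode_params(params: dict) -> bytes:
    out = bytearray()
    for name, value in params.items():
        n, v = name.encode(), value.encode()
        out += _encode_len(len(n)) + _encode_len(len(v)) + n + v
    return bytes(out)


def _decode_len(buf: bytes, off: int):
    if off >= len(buf):
        raise ValueError("truncated length field")
    if buf[off] < 0x80:
        return buf[off], off + 1
    if off + 4 > len(buf):
        raise ValueError("truncated 4-byte length field")
    return struct.unpack_from(">I", buf, off)[0] & 0x7FFFFFFF, off + 4


def decode_params(buf: bytes) -> dict:
    """Parse FCGI_PARAMS content. Both declared lengths are checked against the
    bytes still present before any copy; an unchecked name or value length is
    the classic way a parameter parser over-reads or under-allocates."""
    params, off = {}, 0
    while off < len(buf):
        name_len, off = _decode_len(buf, off)
        value_len, off = _decode_len(buf, off)
        # Python integers do not wrap, so this sum cannot silently overflow as a
        # 32-bit addition of two 0x7FFFFFFF lengths would.
        if name_len + value_len > len(buf) - off:
            raise ValueError("declared lengths exceed record content")
        name = buf[off:off + name_len]
        value = buf[off + name_len:off + name_len + value_len]
        params[name.decode("latin-1")] = value.decode("latin-1")
        off += name_len + value_len
    return params


def build_request(request_id: int, params: dict, stdin: bytes = b"") -> bytes:
    """A complete responder request: BEGIN_REQUEST, PARAMS, empty PARAMS, STDIN, empty STDIN."""
    begin = struct.pack(">HB5x", FCGI_RESPONDER, 0)  # role, flags, reserved
    return b"".join([
        build_record(FCGI_BEGIN_REQUEST, request_id, begin),
        build_record(FCGI_PARAMS, request_id, encode_params(params)),
        build_record(FCGI_PARAMS, request_id, b""),
        build_record(FCGI_STDIN, request_id, stdin),
        build_record(FCGI_STDIN, request_id, b""),
    ])


if __name__ == "__main__":
    # Constructed sample request, decoded again to show the round trip.
    raw = build_request(1, {"REQUEST_METHOD": "GET", "SCRIPT_FILENAME": "/var/www/index.php"})
    for rtype, rid, content in parse_records(raw):
        print(rtype, rid, decode_params(content) if rtype == FCGI_PARAMS else content)
```

The two lengths are the interesting part: a value of 300 bytes forces the four-byte form, and a hostile client can declare lengths of 0x7FFFFFFF each, so the bound must be checked on the sum, not on each length in isolation.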
Rhino Security Labs
Tyler Ramsbey
New Pacu Module: Secret Enumeration in Elastic Beanstalk
GitHub
sleightofalex
OnlyOffice: Docker Man-in-the-middle attack
### Summary The OnlyOffice Community Server Docker image downloads a `.deb` file from [archive.ubuntu.com](http://archive.ubuntu.com/) via HTTP. The download is thus vulnerable to Man-in-the-Middl...
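The fix direction for a plain-HTTP package download is to insist on TLS end to end and to pin the artifact's digest, so that even a compromised mirror cannot substitute a package. The following is an added example and not the OnlyOffice image's own code: a Python fetcher that refuses non-HTTPS URLs, refuses redirects that step down to HTTP, and deletes the download unless its SHA-256 matches a digest pinned at build time. The URL and the digest a caller passes are placeholders.

```python
# Added example, not from the OnlyOffice advisory or the image's Dockerfile:
# TLS-only download with a pinned SHA-256, failing closed on any mismatch.
import hashlib
import hmac
import os
import shutil
import urllib.request
from urllib.parse import urlsplit


class _HttpsOnlyRedirect(urllib.request.HTTPRedirectHandler):
    """An https:// URL that redirects to http:// re-opens the MITM window,
    so refuse any redirect that leaves TLS."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if urlsplit(newurl).scheme != "https":
            raise ValueError("refusing redirect to non-TLS URL: %s" % newurl)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_sha256(path: str, expected_hex: str) -> bool:
    """Constant-time comparison of the file digest with the pinned value."""
    return hmac.compare_digest(sha256_file(path), expected_hex.lower())


def fetch_verified(url: str, expected_hex: str, dest: str) -> str:
    """Download url to dest and return dest; on any failure remove dest and raise.
    urllib verifies the server certificate against the system trust store by default."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing non-TLS URL: %s" % url)
    opener = urllib.request.build_opener(_HttpsOnlyRedirect())
    try:
        with opener.open(url, timeout=60) as resp, open(dest, "wb") as out:
            shutil.copyfileobj(resp, out)
        if not verify_sha256(dest, expected_hex):
            raise ValueError("SHA-256 mismatch for %s" % dest)
    except Exception:
        if os.path.exists(dest):
            os.remove(dest)
        raise
    return dest


if __name__ == "__main__":
    # Placeholder URL and digest; replace with the real package and its published hash.
    print(fetch_verified("https://example.invalid/pkg.deb", "00" * 32, "/tmp/pkg.deb"))
```

The digest check matters even with TLS: it also catches a mirror that serves the wrong build, and it turns the package version into something reviewable in the Dockerfile rather than whatever the archive happens to serve on the day the image is built.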
spaceraccoon.dev
Cybersecurity (Anti)Patterns: Busywork Generators
Many cybersecurity programmes fall into a trap of creating more and more (busy)work, eventually consuming a majority of resources and attention. In my first post in a series on cybersecurity (anti)patterns, I discuss why we end up with busywork generators and how to avoid them.
DARKNAVY
DARKNAVY
A First Glimpse of the Starlink User Terminal
I think the human race has no future if it doesn’t go to space. —— Stephen Hawking Starlink is a low Earth orbit (LEO) satellite internet service provided by SpaceX. Users connect to near-Earth orbit satellites through a user terminal, which then connects to the internet via ground gateways. As the new generation of satellites gradually incorporates laser links, some satellites can communicate with each other via laser. This both reduces reliance on ground stations and improves transmission efficiency, enhancing global coverage.
Project Zero
Google Project Zero
The Windows Registry Adventure #6: Kernel-mode objects
Posted by Mateusz Jurczyk, Google Project Zero Welcome back to the Windows Registry Adventure! In the previous installment of the ser...
Check Point Research
antoniost@checkpoint.com
CVE-2025-24054, NTLM Exploit in the Wild
NTLM (New Technology LAN Manager) is a suite of authentication protocols developed by Microsoft to verify user identities and protect the integrity and confidentiality of network communications. NTLM operates through a direct client-server exchange known as the NTLM challenge/response mechanism, in which the server challenges the client to prove its identity without […]
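The challenge/response mechanism the summary refers to is easy to state in code, and doing so shows why a captured response is valuable to an attacker. The following is an added example that is not code from the Check Point article: NTLMv2 as specified in MS-NLMP, computed on the client side from the password, checked on the server side from nothing but the stored NT hash, and then the offline guessing loop anyone who captured the challenge and the response can run. MD4 is implemented inline because hashlib frequently lacks it under OpenSSL 3; the user, domain, password and challenge values are the MS-NLMP test vectors, and the target-info blob is left empty for brevity.

```python
# Added example, not code from the Check Point article: NTLMv2
# challenge/response per MS-NLMP on both sides, plus the offline guess loop
# an attacker runs on a captured (challenge, response) pair.
import hashlib
import hmac
import struct

_M32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, inline because hashlib often lacks it; the NT hash is MD4(UTF-16LE(password))."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, s): return ((x << s) | (x >> (32 - s))) & _M32
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack_from("<16I", msg, off)
        aa, bb, cc, dd = a, b, c, d
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a, b, c, d = d, rotl((a + fn(b, c, d) + x[idx] + k) & _M32, shifts[i % 4]), b, c
        a, b, c, d = (a + aa) & _M32, (b + bb) & _M32, (c + cc) & _M32, (d + dd) & _M32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """What the server stores; the cleartext password is never needed again."""
    return md4(password.encode("utf-16-le"))


def _ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain))."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    return _ntowf_v2(nt_hash(password), user, domain)


def ntlmv2_response(ntowf: bytes, server_challenge: bytes, client_challenge: bytes,
                    timestamp: int, target_info: bytes = b"") -> bytes:
    """Client side (MS-NLMP 3.3.2): NtChallengeResponse = NTProofStr || temp.
    timestamp is a FILETIME; target_info is the AV_PAIR blob echoed from the
    CHALLENGE message (empty here for brevity)."""
    temp = (b"\x01\x01" + bytes(6) + struct.pack("<Q", timestamp) + client_challenge
            + bytes(4) + target_info + bytes(4))
    nt_proof = hmac.new(ntowf, server_challenge + temp, hashlib.md5).digest()
    return nt_proof + temp


def server_verify(stored_nt_hash: bytes, user: str, domain: str,
                  server_challenge: bytes, nt_challenge_response: bytes) -> bool:
    """Server side: recompute NTProofStr from the stored NT hash only."""
    ntowf = _ntowf_v2(stored_nt_hash, user, domain)
    nt_proof, temp = nt_challenge_response[:16], nt_challenge_response[16:]
    expected = hmac.new(ntowf, server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(nt_proof, expected)


def crack_offline(user, domain, server_challenge, nt_challenge_response, candidates):
    """Attacker side: whoever saw the challenge and the response (for example
    a hostile server the victim was coaxed into authenticating to) can test
    password guesses offline, exactly as the legitimate server does."""
    for guess in candidates:
        if server_verify(nt_hash(guess), user, domain, server_challenge, nt_challenge_response):
            return guess
    return None


def exchange(password, user, domain, server_challenge, client_challenge, timestamp=0, target_info=b""):
    """One full round trip; returns (NtChallengeResponse, server accepted?)."""
    resp = ntlmv2_response(ntowf_v2(password, user, domain), server_challenge,
                           client_challenge, timestamp, target_info)
    return resp, server_verify(nt_hash(password), user, domain, server_challenge, resp)


if __name__ == "__main__":
    sc, cc = bytes.fromhex("0123456789abcdef"), bytes.fromhex("aaaaaaaaaaaaaaaa")
    resp, ok = exchange("Password", "User", "Domain", sc, cc)
    print(resp.hex(), ok, crack_offline("User", "Domain", sc, resp, ["letmein", "Password"]))
```

Two things follow directly from the code: the server never touches the password, so possession of the NT hash is equivalent to the password for this protocol, and the response is a keyed MAC over values the attacker controls or observes, so a response coaxed out of a client towards a hostile server is an offline cracking target (or, absent signing, a relay candidate).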
Kri Dontje
Eclipse and STMicroelectronics vulnerabilities
DARKNAVY
DARKNAVY
Reconstructing the $1.5 Billion Bybit Hack by North Korean Actors
Both the Attackers and Victims Made Critical Mistakes On February 21, 2025, the cryptocurrency exchange Bybit experienced the most significant financial loss in Web3 history when nearly $1.5 billion was illicitly transferred from its multi-signature wallet by North Korean threat actors. The DARKNAVY team has been closely monitoring security developments within the Web3 ecosystem. Following the Bybit incident, we conducted a reconstruction of the attack, analyzing it from the perspectives of the attackers, the developers, and the transaction signers.
Check Point Research
samanthar@checkpoint.com
Renewed APT29 Phishing Campaign Against European Diplomats
Check Point Research uncovers APT29 targeting European diplomatic entities with phishing attacks spreading the Grapeloader malware
Check Point Research
shlomoo@checkpoint.com
Waiting Thread Hijacking: A Stealthier Version of Thread Execution Hijacking
Research by: hasherezade. Process injection is one of the important techniques used by attackers. We can find its variants implemented in almost every malware. It serves purposes such as: In our previous blog on process injections we explained the foundations of this topic and basic ideas behind detection and prevention. We also proposed a new technique dubbed Thread […]
Talos - Vulnerability Reports
Eclipse ThreadX NetX Duo HTTP server single PUT request integer underflow vulnerability
Talos - Vulnerability Reports
Eclipse ThreadX NetX Duo HTTP server denial of service vulnerability
Talos - Vulnerability Reports
Eclipse ThreadX NetX Duo HTTP server chunked PUT request integer underflow vulnerability
Synacktiv
iOS 18.4 - dlsym considered harmful
Last week, Apple released iOS 18.4 on all supported iPhones. On devices supporting PAC (pointer authentication), we came across a strange bug during symbol resolution using **dlsym()**. This blogpost details our observations and the root cause of the...
The GitHub Blog
Shelby Cunningham
How to request a change to a CVE record
Learn how to identify which CVE Numbering Authority is responsible for the record, how to contact them, and what to include with your suggestion.
Synacktiv
Hack the channel: A Deep Dive into DVB Receiver Security
Many people have a DVB receiver in their homes, which offers a large attack surface that many don't suspect. As these devices can require an internet connection, they provide a cool entry point to a local network. In this article,...
Embrace The Red
GitHub Copilot Custom Instructions and Risks
Custom Rule Files in Code Editors Can Be Abused By Adversaries
watchTowr Labs
Is The Sofistication In The Room With Us? - X-Forwarded-For and Ivanti Connect Secure (CVE-2025-22457)
What's that Skippy? Another Ivanti Connect Secure vulnerability? At this point, regular readers will know all about Ivanti (and a handful of other vendors of the same class of devices) from our regular analysis. Do you know the fun thing about these posts? We can copy text from previous posts about SSLVPNs: This must be the first time real-world attackers have reversed patches, and reproduced a vulnerability, before some dastardly researchers released a detection artefact generator tool of t
The GitHub Blog
Kevin Stubbings
Localhost dangers: CORS and DNS rebinding
What is CORS and how can a CORS misconfiguration lead to security issues? Learn about common CORS issues and how you can find and fix them.
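Both issues the post covers come down to two header checks that a localhost service almost never makes. The following is an added example and not code from the GitHub blog post: a local HTTP service in Python's standard library that rejects requests whose Host header is not one of the names it was meant to be reached by (which is what a DNS-rebound page sends) and returns CORS headers only for an explicit Origin allowlist rather than reflecting whatever Origin arrives. The port, the allowlists and the JSON payload are assumptions for the demo.

```python
# Added example, not from the GitHub blog post: Host-header validation
# against DNS rebinding and an explicit CORS allowlist for a localhost service.
from http.server import BaseHTTPRequestHandler, HTTPServer
import json

PORT = 8000  # assumed port of the local service
# Names a browser may legitimately use to reach this service (assumed).
ALLOWED_HOSTS = {"localhost:%d" % PORT, "127.0.0.1:%d" % PORT, "[::1]:%d" % PORT}
# Origins allowed to make credentialed cross-origin requests (assumed).
ALLOWED_ORIGINS = {"http://localhost:3000"}


def is_allowed_host(host_header):
    """DNS rebinding: attacker.example first resolves to the attacker's server
    and, after a short TTL, to 127.0.0.1, so the attacker's page is now
    same-origin with us as far as the browser is concerned. The Host header
    still reads attacker.example, so compare it against an exact allowlist."""
    return isinstance(host_header, str) and host_header.lower() in ALLOWED_HOSTS


def cors_headers_for(origin):
    """Return the CORS headers for a trusted Origin, {} when no Origin header
    was sent (same-origin or non-browser client), or None for an untrusted
    Origin. Never reflect Origin blindly; 'null' is never trusted."""
    if origin is None:
        return {}
    if origin not in ALLOWED_ORIGINS:
        return None
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": "GET, POST",
        "Access-Control-Allow-Headers": "Content-Type",
        "Vary": "Origin",
    }


class Handler(BaseHTTPRequestHandler):
    def _gate(self):
        """Apply both checks; returns the CORS headers to add or None after replying."""
        if not is_allowed_host(self.headers.get("Host")):
            self._reply(421, {"error": "unexpected Host header"})
            return None
        cors = cors_headers_for(self.headers.get("Origin"))
        if cors is None:
            self._reply(403, {"error": "origin not allowed"})
        return cors

    def _reply(self, status, body=None, extra=None):
        self.send_response(status)
        for k, v in (extra or {}).items():
            self.send_header(k, v)
        if body is not None:
            data = json.dumps(body).encode()
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        if body is not None:
            self.wfile.write(data)

    def do_OPTIONS(self):
        cors = self._gate()
        if cors is not None:
            self._reply(204, None, cors)

    def do_GET(self):
        cors = self._gate()
        if cors is not None:
            self._reply(200, {"token": "local-dev-token"}, cors)  # constructed payload


def serve():
    # Bind to loopback only; 0.0.0.0 would expose the service to the LAN as well.
    HTTPServer(("127.0.0.1", PORT), Handler).serve_forever()


if __name__ == "__main__":
    serve()
```

A quick manual check is `curl -i -H 'Host: attacker.example:8000' http://127.0.0.1:8000/` (expect 421) and `curl -i -H 'Origin: https://attacker.example' http://localhost:8000/` (expect 403 and no Access-Control-Allow-Origin header).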
Talos - Vulnerability Reports
STMicroelectronics X-CUBE-AZRTOS-F7 HTTP server chunked PUT request integer underflow vulnerability
Talos - Vulnerability Reports
STMicroelectronics X-CUBE-AZRTOS-F7 HTTP server single PUT request integer underflow vulnerability
Talos - Vulnerability Reports
STMicroelectronics X-CUBE-AZRTOS-F7 FileX Internal RAM interface buffer overflow vulnerability
watchTowr Labs
XSS To RCE By Abusing Custom File Handlers - Kentico Xperience CMS (CVE-2025-2748)
We know what you’re waiting for - this isn’t it. Today, we’re back with more tales of our adventures in Kentico’s Xperience CMS. Due to its wide usage, the type of solution, and the types of enterprises using this solution, any serious vulnerability, or chain of vulnerabilities to serious impact, is no bueno - and so we have more to tell you about today. As you may remember from our previous blog post, Kentico’s Xperience CMS product is a CMS solution aimed at enterprises but widely used by o
jub0bs.com
Why concrete error types are superior to sentinel errors
TL;DR: Exported concrete error types are superior to sentinel errors. They can be more performant, cannot be clobbered, and promote extensibility. Third-party function errutil.Find is a powerful alternative to standard-library function errors.As. Setting the scene: Imagine that you’re writing a package named bluesky whose purpose is to check the availability of usernames on Bluesky, the up-and-coming social-media platform: `package bluesky; func IsAvailable(username string) (bool, error) { /* actual implementation omitted */ return false, nil }`. Calls to IsAvailable may fail (i.
Hacking Lab
Sujin Han
Automated Attack Synthesis for Constant Product Market Makers (to appear)
Sujin Han, Jinseo Kim, Sung-Ju Lee, Insu Yun. June 2025. Publication: Proceedings of the ACM SIGSOFT International Symposium on Software...
Stories by Renwa on Medium
Renwa
Stored XSS in My Flow To RCE in Opera Browser #2
GitHub
rcorrea35
W3C - CSS Validator XXE
### Summary All versions of W3C CSS validator are vulnerable to XXE due to unsafe parsing of XML data when untrusted XML data is passed to the `DocumentParser()` constructor and is not properly s...
Zero Day Initiative
Reno Robert
MindshaRE: Using Binary Ninja API to Detect Potential Use-After-Free Vulnerabilities
Use-after-free is a memory corruption condition where a program references memory after it has been released back to the allocator. Statically detecting these bugs can be challenging. In the past, several approaches have addressed this problem, such as GUEB by Josselin Feist and Sean Heelan's work
Doyensec's Blog
CSPT Resources
27 Mar 2025 - Posted by Maxence Schmitt. As a follow-up to Maxence Schmitt’s research on **Client-Side Path Traversal (CSPT)**, we wanted to encourage researchers, bug hunters, and security professionals to explore CSPT further, as it remains an underrated yet impactful attack...
Project Zero
Google Project Zero
Blasting Past Webp
An analysis of the NSO BLASTPASS iMessage exploit Posted by Ian Beer, Google Project Zero On September 7, 2023 Apple issued an out-...
Rhino Security Labs
Whit Taylor
CVE-2024-55963: Unauthenticated RCE in Default-Install of Appsmith
STAR Labs
Chen Le Qi (@cplearns2h4ck)
CimFS: Crashing in memory, Finding SYSTEM (Kernel Edition)
Introduction Many vulnerability writeups nowadays focus on the exploitation process when it comes to software bugs. The term “Exploit Developer” is also still used synonymously with Vulnerability Research, presumably coming from the early 2000s where bugs were easily discoverable and the community was just beginning to explore the art of exploitation. However nowadays with SDL and continuous fuzzing, the discovery of unknown vulnerabilities in crucial systems is getting more important, arguably more than the exploitation process.
The GitHub Blog
Nancy Gariché
A maintainer’s guide to vulnerability disclosure: GitHub tools to make it simple
A step-by-step guide for open source maintainers on how to handle vulnerability reports confidently from the start.
Check Point Research
elism@checkpoint.com
VanHelsing, new RaaS in Town
VanHelsing RaaS: In recent weeks, a new and rapidly expanding ransomware-as-a-service (RaaS) program called VanHelsingRaaS has been making waves in the cybercrime world. Launched on March 7, 2025, this service has already demonstrated its rapid growth and deadly potential, having infected three victims within just two weeks of its introduction. Reputable affiliates can […]
spaceraccoon.dev
Pwning Millions of Smart Weighing Machines with API and Hardware Hacking
Why hack one device, when you can hack all of them? By reverse-engineering and finding vulnerabilities in user-machine association flows for smart weighing machines, I was able to take over millions of internet-connected health devices. Hardware and web security are two halves of modern smart device security, and learning to hack both can yield impressive and scary results.
MDSec
Tim Carrington
Red Teaming with ServiceNow
watchTowr Labs
By Executive Order, We Are Banning Blacklists - Domain-Level RCE in Veeam Backup & Replication (CVE-2025-23120)
It’s us again! Once again, we hear the collective groans - but we're back with yet another merciless pwnage of an inspired and clearly comprehensive RCE solution - no, wait, it's another vuln in yet another backup and replication solution. While we would enjoy a world in which we could be a little merciful, today we'll explore the painful world of blacklist-based security mechanisms. You can treat this post as a natural continuation of our CVE-2024-40711 writeup, which was written by fel
PortSwigger Research
Gareth Heyes
SAML roulette: the hacker always wins
Introduction In this post, we’ll show precisely how to chain round-trip attacks and namespace confusion to achieve unauthenticated admin access on GitLab Enterprise by exploiting the ruby-saml library
Doyensec's Blog
!exploitable Episode Three - Devfile Adventures
18 Mar 2025 - Posted by Francesco Lacerenza. Introduction: I know, we have written it multiple times now, but in case you are just tuning in, Doyensec had found themselves on a cruise ship touring the Mediterranean for our company retreat. To...
watchTowr Labs
Bypassing Authentication Like It’s The ‘90s - Pre-Auth RCE Chain(s) in Kentico Xperience CMS
I recently joined watchTowr, and it is, therefore, time - time for my first watchTowr Labs blogpost, previously teased in a tweet of a pre-auth RCE chain affecting some ‘unknown software’. Joining the team, I wanted to maintain the trail of destruction left by the watchTowr Labs team, and so had to get my teeth into things quickly. Two primary goals were clear: 1. Look at something completely new - I quickly realized that I've never looked at any CMS solution, and so could be a fun good star
STAR Labs
Guest Post by Võ Văn Tiến Dũng (@Fr0st1706)
STAR Labs Windows Exploitation Challenge 2025 Writeup
STAR Labs Windows Exploitation Challenge Writeup Over the past few months, the STAR Labs team has been hosting a Windows exploitation challenge. I was lucky enough to solve it and got myself a ticket to Off-By-One conference. Here is my writeup for the challenge! Analyzing the binary We are given a Windows kernel driver. Basic analysis shows that it is used to receive and save messages sent from usermode. Important structures There are two key structures used in this driver: handle and message entry.
Kri Dontje
Miniaudio and Adobe Acrobat Reader vulnerabilities
Embrace The Red
Sneaky Bits: Advanced Data Smuggling Techniques (ASCII Smuggler Updates)
This post highlights some new research, tricks and improvements on data smuggling techniques.