Talos - Vulnerability Reports
Asus Armoury Crate AsIO3.sys authorization bypass vulnerability
Talos - Vulnerability Reports
Asus Armoury Crate AsIO3.sys stack-based buffer overflow vulnerability
itm4n’s blog
itm4n
Offline Extraction of Symantec Account Connectivity Credentials
In the previous post, I highlighted some of the changes made in the Symantec Management Agent, and showed how it affected the retrieval of the Account Connectivity Credentials (ACCs), based on original research by MDSec. Although my initial intent was to implement a check for PrivescCheck, I ended up extending the research on the subject, and eventually found how to extract the credentials offline.
Stratum Security Blog
Colin McQueen
Remote Code Execution with GitHub Feature
Posts on Slonser Notes
Make Self-XSS Great Again
Disclaimer: This article is intended for security professionals conducting authorized testing within the scope of a contract. The author is not responsible for any damage caused by the application of the provided information. The distribution of malicious programs, disruption of system operation, and violation of the confidentiality of correspondence are pursued by law. Introduction Many security researchers are familiar with the frustrating experience of discovering an XSS vulnerability that requires complex actions within an account, effectively making it only reproducible on the attacker’s account and thus losing its practical value.
Check Point Research
alexeybu
From Trust to Threat: Hijacked Discord Invites Used for Multi-Stage Malware Delivery
Learn how Discord's invite links are hijacked and reused to redirect users to harmful servers in place of trusted communities
spaceraccoon.dev
Cybersecurity (Anti)Patterns: Frictionware
Nobody cares about the security tools you build. Here’s how to avoid getting sucked into onboarding hell with frictionware, and actually get traction.
GitHub
rcorrea35
OpenAI Operator - Locking Operator on FullScreen
### Summary When Operator actuates on a page, the website can trigger the [Fullscreen API](https://developer.mozilla.org/en-US/docs/Web/API/Fullscreen_API). If the page can grab the attention of Operat...
Kri Dontje
catdoc zero-day, NVIDIA, High-Logic FontCreator and Parallel vulnerabilities
RET2 Systems Blog
Jack Dates
Streaming Zero-Fi Shells to Your Smart Speaker
In October 2024, RET2 participated in the “Small Office / Home Office” (SOHO) flavor of Pwn2Own, a competition which challenges top security researchers to c...
Synacktiv
NTLM reflection is dead, long live NTLM reflection! – An in-depth analysis of CVE-2025-33073
For nearly two decades, Windows has been plagued with NTLM reflection vulnerabilities. In this article, we present CVE-2025-33073, a logical vulnerability which bypasses NTLM reflection mitigations and...
Talos - Vulnerability Reports
Adobe Acrobat Reader Annotation Destroy Use-After-Free Vulnerability
Talos - Vulnerability Reports
Adobe Acrobat Reader Font CFF2 PrivateDict vsindex Out-Of-Bounds Read Vulnerability
itm4n’s blog
itm4n
Checking for Symantec Account Connectivity Credentials (ACCs) with PrivescCheck
You may have heard or read about Symantec Account Connectivity Credentials (ACCs) thanks to a blog post published by MDSec last December (2024). I wanted to integrate this research as a new check in PrivescCheck, but this turned out to be a bit more challenging than I thought.
Check Point Research
samanthar@checkpoint.com
CVE-2025-33053, Stealth Falcon and Horus: A Saga of Middle Eastern Cyber Espionage
Check Point Research uncovers Stealth Falcon's cyber espionage campaign exploiting a Microsoft Zero Day Vulnerability
Codean Labs
Thomas Rinsma
CVE-2025-47934 – Spoofing OpenPGP.js signature verification
CVE-2025-47934 allows attackers to spoof arbitrary signatures and encrypted emails that appear as valid in OpenPGP.js. The only requirement is access to a single valid signed message from the target author ("Alice"). Since this undermines the core principle of PGP and impacts integrating applications directly, we strongly recommend updating OpenPGP.js to version v5.11.3, v6.1.1, or newer.
Synacktiv
Exploiting Heroes of Might and Magic V
Heroes of Might and Magic V is a turn-based strategy video game developed by Nival Interactive. A map editor is provided with the video game. Players can create maps that can be played in solo or multiplayer. This is an interesting attack vector. In this...
Stratum Security Blog
Colin McQueen
Account Takeover through Gluu Server Misconfiguration
STAR Labs
Lin Ze Wei
Solo: A Pixel 6 Pro Story (When one bug is all you need)
During my internship I was tasked to analyze a Mali GPU exploit on Pixel 7/8 devices and adapt it to make it work on another device: the Pixel 6 Pro. While the exploit process itself is relatively straightforward to reproduce (in theory we just need to find the correct symbol offsets and signatures for our target device), what’s interesting about Pixel 6 Pro is that it uses a different Mali GPU from the Pixel 7/8, which lacked support for a feature that one of the two vulnerabilities within the exploit relied on:
Rhino Security Labs
David Yesland
Multiple CVEs in Infoblox NetMRI: RCE, Auth Bypass, SQLi, and File Read Vulnerabilities
Hacking Lab
Taisic Yun
Too Much of a Good Thing: (In-)Security of Mandatory Security Software for Financial Services in South Korea
Taisic Yun, Suhwan Jeong, Yonghwa Lee, Seungjoo Kim, Hyoungshick Kim, Insu Yun, Yongdae Kim (to...
The GitHub Blog
Joseph Katsioloudes
Hack the model: Build AI security skills with the GitHub Secure Code Game
Dive into the novel security challenges AI introduces with the open source game that over 10,000 developers have used to sharpen their skills.
The GitHub Blog
Jaroslav Lobacevski
DNS rebinding attacks explained: The lookup is coming from inside the house!
DNS rebinding attack without CORS against local network web applications. See how this can be used to exploit vulnerabilities in the real-world.
Talos - Vulnerability Reports
Parallels Desktop prl_vmarchiver Unarchive Hard Link Privilege Escalation
Talos - Vulnerability Reports
Parallels Desktop prl_packer_inplace PVMP Unpack Directory Traversal Privilege Escalation
Talos - Vulnerability Reports
Parallels Desktop prl_disp_service Snapshots SymLink Change Ownership Privilege Escalation
secret club
https://secret.club/author/memn0ps
Hypervisors for Memory Introspection and Reverse Engineering
Introduction
DFSEC Research
Blasting Past iOS 18
Dataflow Security blog
DARKNAVY
DARKNAVY
Achieving Persistent Client-Side Attacks with a Single WeChat Message
From White House staff to battlefield journalists, instant messaging (IM) applications are indispensable communication tools for countless individuals. Whether it’s WhatsApp, Telegram, WeChat, or QQ, they have become the “digital arteries” of modern society, carrying core activities such as social interaction, payments, and office work for billions of users. Their security directly affects personal privacy, financial assets, and even national security. In fact, security research on IM platforms has been ongoing for years. In 2019, Project Zero disclosed CVE-2019-8641 in iMessage[1], a memory corruption issue. Since iMessage automatically parses rich media content in messages, an attacker could achieve remote code execution by sending a specially crafted file without user interaction, gaining complete control over the target iPhone.
STAR Labs
Tan Ze Jian
Gone in 5 Seconds: How WARN_ON Stole 10 Minutes
As part of my internship at STAR Labs, I was tasked to conduct N-day analysis of CVE-2023-6241. The original PoC can be found here, along with the accompanying write-up. In this blog post, I will explain the root cause as well as an alternative exploitation technique used to exploit the page UAF, achieving arbitrary kernel code execution. The following exploit was tested on a Pixel 8 running the latest version available prior to the patch.
jub0bs.com
Pure vs. impure iterators in Go
TL;DR: Go has now standardised iterators. Iterators are powerful. Being functions under the hood, iterators can be closures. The classification of iterators suggested by the documentation is ambiguous. Dividing iterators into two categories, “pure” and “impure”, seems to me preferable. Whether iterators should be designed as “pure” whenever possible is unclear. The advent of iterators in Go: The iterator pattern was popularised by the classic “Gang of Four” book as [providing] a way to access the elements of an aggregate object sequentially without exposing its underlying representation.
Project Zero
Google Project Zero
The Windows Registry Adventure #8: Practical exploitation of hive memory corruption
Posted by Mateusz Jurczyk, Google Project Zero In the previous blog post , we focused on the general security analysis of the registry a...
STAR Labs
Manzel Seet & Sarah Tan
Badge & Lanyard Challenges @ OBO 2025
Introduction We are back with Round 2 of the Off-By-One conference — where bits meet breadboards and bugs are celebrated! 🐛⚡ If you are into hardware and IoT security, you’ll know one thing’s for sure: the STAR Labs SG badge is not your average conference bling bling. This year’s badge isn’t just a collector’s item — it’s a playground for the curious, packed with new challenges inspired by months’ worth of research and hackery.
GitHub
rcorrea35
OpenAI Operator - Exfiltration of Cross-origin URL
### Summary Operator has [several safety checks](https://platform.openai.com/docs/guides/tools-computer-use#acknowledge-safety-checks) through user confirmation to mitigate Indirect Prompt Injecti...
The GitHub Blog
Greg Ose
Inside GitHub: How we hardened our SAML implementation
See how we addressed the challenges of securing our SAML implementation with this behind-the-scenes look at building trust in our systems.
Embrace The Red
AI ClickFix: Hijacking Computer-Use Agents Using ClickFix
AI Clickfix
Atredis Partners
Jordan Whitehead
A Peek into an In-Game Ad Client
A little bit ago I re-installed the racing game Trackmania, and I noticed I got product ads displayed at me in-game alongside the racetrack. Where were those coming from?
The GitHub Blog
Man Yue Mo
Bypassing MTE with CVE-2025-0072
See how a vulnerability in the Arm Mali GPU can be exploited to gain kernel code execution even when Memory Tagging Extension (MTE) is enabled.
Project Zero
Google Project Zero
The Windows Registry Adventure #7: Attack surface analysis
Posted by Mateusz Jurczyk, Google Project Zero In the first three blog posts of this series, I sought to outline what the Windows Regi...
DARKNAVY
DARKNAVY
Argusee: A Multi-Agent Collaborative Architecture for Automated Vulnerability Discovery
As we envisioned in DARKNAVY INSIGHT | The Most Imaginative New Applications of 2024: The next generation of AI agents will have excellent reasoning and generalization abilities and be skilled at using a variety of security research tools, inheriting a wealth of human expert knowledge. They will be able to discover more 0-day vulnerabilities in the real world, like top security experts. Unsurprisingly, as Large Language Models (LLMs) demonstrate increasing proficiency in handling complex tasks, Agent technology is emerging as a new paradigm in the field of vulnerability discovery. Since Google Project Zero released Naptime[1] last year, an increasing number of Agent-based auditing tools are appearing. By providing LLMs with the necessary toolsets and source code for testing, these tools simulate the behaviour of security researchers to perform code audits and vulnerability confirmation.
Sean Heelan's Blog
seanhn
How I used o3 to find CVE-2025-37899, a remote zeroday vulnerability in the Linux kernel’s SMB implementation
In this post I’ll show you how I found a zeroday vulnerability in the Linux kernel using OpenAI’s o3 model. I found the vulnerability with nothing more complicated than the o3 API…
Rhino Security Labs
John De Armas
CVE-2025-26147: Authenticated RCE In Denodo Scheduler
Check Point Research
samanthar@checkpoint.com
The Sting of Fake Kling: Facebook Malvertising Lures Victims to Fake AI Generation Website
Discover how an impersonated GenAI Tool led victims to download a fake media file concealing Windows executables
Johan Carlsson
Johan Carlsson
Confetti: Solution to my Intigriti May 2025 XSS Challenge
### Intro This is the official solution post for my Intigriti May 2025 XSS challenge, Confetti. I will try to explain the intended path and some background theory. I must admit that I don’t know the inner workings of Chrome and Firefox well enough to guarantee that all my explanations are...
William Charles Gibson
Duping Cloud Functions: An emerging serverless attack vector
itm4n’s blog
itm4n
Hijacking the Windows "MareBackup" Scheduled Task for Privilege Escalation
The built-in “MareBackup” scheduled task is susceptible to a trivial executable search order hijacking, which can be abused by a low-privileged user to gain SYSTEM privileges whenever a vulnerable folder is prepended to the system’s PATH environment variable (instead of being appended).
watchTowr Labs
Expression Payloads Meet Mayhem - Ivanti EPMM Unauth RCE Chain (CVE-2025-4427 and CVE-2025-4428)
Keeping your ears to the ground and eyes wide open for the latest vulnerability news at watchTowr is a given. Despite rummaging through enterprise code looking for 0days on a daily basis, our interest was piqued this week when news of fresh vulnerabilities was announced in a close friend - Ivanti, and their Endpoint Manager Mobile (Ivanti EPMM) solution. For those out of the loop, don’t worry - as always, we’re here to fill you in. Ivanti Endpoint Manager Mobile (EPMM) is an MDM solution for s
GitHub
rcorrea35
Oracle VM VirtualBox - VM escape via VGA device
### Summary An integer overflow vulnerability exists within the VirtualBox vmsvga3dSurfaceMipBufferSize [[source](https://github.com/mirror/vbox/blob/74117a1cb257c00e2a92cf522e8e930bd1c4d64b/src/V...
STAR Labs
Devesh Logendran
Breaking Out of Restricted Mode: XSS to RCE in Visual Studio Code
In April 2024, I discovered a high-severity vulnerability in Visual Studio Code (VS Code <= 1.89.1) that allows attackers to escalate a Cross-Site Scripting (XSS) bug into full Remote Code Execution (RCE)—even in Restricted Mode. The desktop version of Visual Studio Code runs on Electron. Renderer processes are sandboxed and communicate with the main process through Electron’s IPC mechanism. An XSS vulnerability in the newly-introduced minimal error rendering mode for Jupyter notebooks enables arbitrary JavaScript code to be executed within the vscode-app WebView for the notebook renderer.