Sean Heelan's Blog
seanhn
How I used o3 to find CVE-2025-37899, a remote zeroday vulnerability in the Linux kernel’s SMB implementation
In this post I’ll show you how I found a zeroday vulnerability in the Linux kernel using OpenAI’s o3 model. I found the vulnerability with nothing more complicated than the o3 API …
Rhino Security Labs
John De Armas
CVE-2025-26147: Authenticated RCE In Denodo Scheduler
Check Point Research
samanthar@checkpoint.com
The Sting of Fake Kling: Facebook Malvertising Lures Victims to Fake AI Generation Website
Discover how an impersonated GenAI Tool led victims to download a fake media file concealing Windows executables
Johan Carlsson
Johan Carlsson
Confetti: Solution to my Intigriti May 2025 XSS Challenge
### Intro This is the official solution post for my Intigriti May 2025 XSS challenge, Confetti. I will try to explain the intended path and some background theory. I must admit that I don’t know the inner workings of Chrome and Firefox well enough to guarantee that all my explanations are...
William Charles Gibson
Duping Cloud Functions: An emerging serverless attack vector
watchTowr Labs
Expression Payloads Meet Mayhem - Ivanti EPMM Unauth RCE Chain (CVE-2025-4427 and CVE-2025-4428)
Keeping your ears to the ground and eyes wide open for the latest vulnerability news at watchTowr is a given. Despite rummaging through enterprise code looking for 0days on a daily basis, our interest was piqued this week when news of fresh vulnerabilities was announced in a close friend - Ivanti, and their Endpoint Manager Mobile (Ivanti EPMM) solution. For those out of the loop, don’t worry - as always, we’re here to fill you in. Ivanti Endpoint Manager Mobile (EPMM) is an MDM solution for s
GitHub
rcorrea35
Oracle VM VirtualBox - VM escape via VGA device
### Summary An integer overflow vulnerability exists within the VirtualBox vmsvga3dSurfaceMipBufferSize [[source](https://github.com/mirror/vbox/blob/74117a1cb257c00e2a92cf522e8e930bd1c4d64b/src/V...
STAR Labs
Devesh Logendran
Breaking Out of Restricted Mode: XSS to RCE in Visual Studio Code
In April 2024, I discovered a high-severity vulnerability in Visual Studio Code (VS Code <= 1.89.1) that allows attackers to escalate a Cross-Site Scripting (XSS) bug into full Remote Code Execution (RCE)—even in Restricted Mode. The desktop version of Visual Studio Code runs on Electron. Renderer processes are sandboxed and communicate with the main process through Electron’s IPC mechanism. An XSS vulnerability in the newly-introduced minimal error rendering mode for Jupyter notebooks enables arbitrary JavaScript code to be executed within the vscode-app WebView for the notebook renderer.
Codean Labs
Edoardo Geraci
CVE-2025-32464 – Overflowing HAProxy regsub converter
CVE-2025-32464 is a vulnerability in HAProxy 2.2 up to 3.1.6-d929ca2 which allows an attacker to perform a DoS attack exploiting specific usages of the regsub converter. It causes a heap buffer overflow, making the whole HAProxy pool of workers crash. Given the nature of the vulnerability, a scenario where it could be abused to obtain RCE is not feasible; nevertheless, we recommend checking whether you are using the regsub converter in your HAProxy configuration and updating whenever possible.
Synacktiv
Open-source toolset of an Ivanti CSA attacker
In recent incident responses where the root cause was an Ivanti CSA compromise, Synacktiv's CSIRT came across multiple open-source tools used by threat actors. This article dives into each of these tools, their functionalities and discusses efficient...
Project Zero
Google Project Zero
Breaking the Sound Barrier Part I: Fuzzing CoreAudio with Mach Messages
Guest post by Dillon Franke, Senior Security Engineer, 20% time on Project Zero. Every second, highly-privileged MacOS system daemons...
Doyensec's Blog
SCIM Hunting - Beyond SSO
08 May 2025 - Posted by Francesco Lacerenza. Introduction: Single Sign-On (SSO) related bugs have gotten an incredible amount of hype and a lot of amazing public disclosures in recent years. Just to cite a few examples: - Common OAuth Vulnerabilities - Sign in as...
Zero Day Initiative - Blog
Trend Micro Research Team
CVE-2024-44236: Remote Code Execution vulnerability in Apple macOS
watchTowr Labs
SysOwned, Your Friendly Support Ticket - SysAid On-Premise Pre-Auth RCE Chain (CVE-2025-2775 And Friends)
It’s… another week, and another vendor who is apparently experienced with ransomware gangs but yet struggles with email. In what we've seen others term "the watchTowr treatment", we are once again (surprise, surprise) disclosing vulnerability research that allowed us to gain pre-authenticated Remote Command Execution against yet another enterprise-targeting product - specifically, SysAid On-Premise (version 23.3.40) here-on referred to as “SysAid”. Clarifying SysAid’s Product Lineup Although
Check Point Research
alexeybu
Inferno Drainer Reloaded: Deep Dive into the Return of the Most Sophisticated Crypto Drainer
Despite shutting down, Inferno Drainer has returned with a sophisticated phishing campaign abusing Discord and targeting crypto users
Intrigus' Security Lab
intrigus
RealworldCTF 2024 – Protected-by-Java-SE – Writeup
How to find XXE in CodeQL using CodeQL – unintended CTF challenge solution.
Embrace The Red
How ChatGPT Remembers You: A Deep Dive into Its Memory and Chat History Features
Deep-Dive on how ChatGPT profiles your account and how it can reference it during conversations
Embrace The Red
MCP Server for Hosting COM Servers
Model Context Protocol -- MCP Server for Hosting COM Servers
Hacking Lab
Suhwan Jeong
FirmState: Bringing Cellular Protocol States to Shannon Baseband Emulation (to appear)
FirmState: Bringing Cellular Protocol States to Shannon Baseband Emulation (to appear). Suhwan Jeong, Beomseok Oh, Kwangmin Kim, Insu Yun, Yongdae Kim, CheolJun Park. June 2025. Publication: Proceedings of the...
Embrace The Red
Model Context Protocol - New Sneaky Exploit, Risks and Mitigations
Model Context Protocol -- Exploits, Risks and Mitigations
Artificial truth
jvoisin
Making Burp Suite snappy on Asahi Linux
I've been using Asahi Linux for a couple of months now, and I'm pretty happy with it. There are of course some minor issues, mostly software not being available there, like Signal (thanks opensuse for providing builds). Today's papercut is Burp Suite being laggy and eating a worryingly high amount...
watchTowr Labs
SonicBoom, From Stolen Tokens to Remote Shells - SonicWall SMA (CVE-2023-44221, CVE-2024-38475)
Another day, another edge device being targeted - it’s a typical Thursday! In today’s blog post, we’re excited to share our previously private analysis of the now exploited in-the-wild N-day vulnerabilities affecting SonicWall’s SMA100 appliance. Over the last few months, our client base has fed us rumours of in-the-wild exploitation of SonicWall systems, and thus, this topic has had our attention for a while. Specifically, today, we’re going to be analyzing and reproducing: * CVE-2024-38475
jub0bs.com
Challenge: make this Go function inlinable and free of bounds checks
In this post, I challenge you to refactor a small function in such a way as to make it inlinable and free of bounds checks, for better performance. Disclaimer: this post assumes version 1.24.2 of the (official) Go compiler; you may get different results with other versions of the Go compiler or with other implementations of the Go language. Function inlining & bounds-check elimination: Some familiarity with function inlining and bounds-check elimination is a prerequisite for attempting my challenge. The following three sections serve as a crash course on those topics. Feel free to skip straight to the challenge itself.
Stories by Renwa on Medium
Renwa
HTML Injection to Stored XSS and Account Takeover
Check Point Research
samanthar@checkpoint.com
Exploring the State of AI in Cyber Security: Past, Present, and Future
Artificial intelligence is rapidly reshaping the cyber security landscape—but how exactly is it being used, and what risks does it introduce? At Check Point Research, we set out to evaluate the current AI security environment by examining real-world threats, analyzing how researchers and attackers are leveraging AI, and assessing how today’s security tools are evolving […]
PortSwigger Research
Zakhar Fedotkin
Drag and Pwnd: Leverage ASCII characters to exploit VS Code
Control characters like SOH, STX, EOT and EOT were never meant to run your code - but in the world of modern terminal emulators, they sometimes do. In this post, I'll dive into the forgotten mechanics
DARKNAVY
DARKNAVY
Fatal Vulnerabilities Compromising DJI Control Devices
As logistics drones weave through buildings and surveying equipment delineates urban landscapes, the capillaries of the low-altitude economy are sketching the future with millimeter-level precision. DARKNAVY consistently focuses on the construction and breaching of drone security defenses. In this research, we discovered a fatal exploit chain in DJI remote control devices, leading to the complete compromise of the security defenses within the DJI remote controller. How can we assist industry leader DJI in fortifying its security defenses? What potential risks do these vulnerabilities reveal? Welcome to read this article.
Atredis Partners
Sam
3D Printing Flying Probe Test Harnesses: Can you?
3D printing test probe harnesses on decade old printers, and you can too!
watchTowr Labs
Fire In The Hole, We’re Breaching The Vault - Commvault Remote Code Execution (CVE-2025-34028)
As we pack our bags and prepare for the adult-er version of BlackHat (that apparently doesn’t require us to print out stolen mailspoolz to hand to people at their talks), we want to tell you about a recent adventure - a heist, if you will. No heist story is ever complete without a 10-metre thick steel door vault, silent pressure sensors beneath marble floors and laser grids slicing the air like spiderwebs — befitting of a crew reckless enough to think they can beat it all. Enterprises continue
DARKNAVY
DARKNAVY
The Jailbroken Unitree Robot Dog
The history of humanity’s domestication of wolves has spanned forty thousand years – we used firelight and patience to soften the wildness in their eyes, transforming their fangs into the loyalty that guards our homes. When various robot dogs created by America’s Boston Dynamics and China’s Unitree Robotics leap and flip gracefully under the spotlight, this ancient symbiotic relationship seems to take on a new meaning in the cyber age: trust that once required thousands of years of genetic selection to build can now be achieved with just a line of code.
PortSwigger Research
Gareth Heyes
Document My Pentest: you hack, the AI writes it up!
Tired of repeating yourself? Automate your web security audit trail. In this post I'll introduce a new Burp AI extension that takes the boring bits out of your pen test. Web security testing can be a
RET2 Systems Blog
Jack Dates
Exploiting the Synology DiskStation with Null-byte Writes
In October, we attended Pwn2Own Ireland 2024 and successfully exploited the Synology DiskStation DS1823xs+ to obtain remote code execution as root. This issu...
Synacktiv
CVE-2025-23016 - Exploiting the FastCGI library
At the beginning of 2025, as part of our internal research, we discovered a vulnerability in the FastCGI lightweight web server development library. In this article, we'll take a look at the inner workings of the FastCGI protocol to understand how...
Rhino Security Labs
Tyler Ramsbey
New Pacu Module: Secret Enumeration in Elastic Beanstalk
GitHub
sleightofalex
OnlyOffice: Docker Man-in-the-middle attack
### Summary The OnlyOffice Community Server Docker image downloads a `.deb` file from [archive.ubuntu.com](http://archive.ubuntu.com/) via HTTP. The download is thus vulnerable to Man-in-the-Middl...
spaceraccoon.dev
Cybersecurity (Anti)Patterns: Busywork Generators
Many cybersecurity programmes fall into a trap of creating more and more (busy)work, eventually consuming a majority of resources and attention. In my first post in a series on cybersecurity (anti)patterns, I discuss why we end up with busywork generators and how to avoid them.
DARKNAVY
DARKNAVY
A First Glimpse of the Starlink User Terminal
I think the human race has no future if it doesn’t go to space. —— Stephen Hawking Starlink is a low Earth orbit (LEO) satellite internet service provided by SpaceX. Users connect to near-Earth orbit satellites through a user terminal, which then connects to the internet via ground gateways. As the new generation of satellites gradually incorporates laser links, some satellites can communicate with each other via laser. This both reduces reliance on ground stations and improves transmission efficiency, enhancing global coverage.
Project Zero
Google Project Zero
The Windows Registry Adventure #6: Kernel-mode objects
Posted by Mateusz Jurczyk, Google Project Zero Welcome back to the Windows Registry Adventure! In the previous installment  of the ser...
Check Point Research
antoniost@checkpoint.com
CVE-2025-24054, NTLM Exploit in the Wild
NTLM (New Technology LAN Manager) is a suite of authentication protocols developed by Microsoft to verify user identities and protect the integrity and confidentiality of network communications. NTLM operates through a direct client-server exchange known as the NTLM challenge/response mechanism, in which the server challenges the client to prove its identity without […]
Kri Dontje
Eclipse and STMicroelectronics vulnerabilities
DARKNAVY
DARKNAVY
Reconstructing the $1.5 Billion Bybit Hack by North Korean Actors
Both the Attackers and Victims Made Critical Mistakes On February 21, 2025, the cryptocurrency exchange Bybit experienced the most significant financial loss in Web3 history when nearly $1.5 billion was illicitly transferred from its multi-signature wallet by North Korean threat actors. The DARKNAVY team has been closely monitoring security developments within the Web3 ecosystem. Following the Bybit incident, we conducted a reconstruction of the attack, analyzing it from the perspectives of the attackers, the developers, and the transaction signers.
Check Point Research
samanthar@checkpoint.com
Renewed APT29 Phishing Campaign Against European Diplomats
Check Point Research uncovers APT29 targeting European diplomatic entities with phishing attacks spreading malware Grapeloader
Intrigus' Security Lab
intrigus
Fixing Decompilation of Stack Clash Protected Binaries
How to fix decompilation when everything looks ugly, because stack probing breaks stack pointer tracking.
Check Point Research
shlomoo@checkpoint.com
Waiting Thread Hijacking: A Stealthier Version of Thread Execution Hijacking
Research by: hasherezade. Process injection is one of the important techniques used by attackers. We can find its variants implemented in almost every malware. It serves purposes such as: In our previous blog on process injections we explained the foundations of this topic and basic ideas behind detection and prevention. We also proposed a new technique dubbed Thread […]
Talos - Vulnerability Reports
Eclipse ThreadX NetX Duo HTTP server single PUT request integer underflow vulnerability
Talos - Vulnerability Reports
Eclipse ThreadX NetX Duo HTTP server denial of service vulnerability
Talos - Vulnerability Reports
Eclipse ThreadX NetX Duo HTTP server chunked PUT request integer underflow vulnerability
Synacktiv
iOS 18.4 - dlsym considered harmful
Last week, Apple released iOS 18.4 on all supported iPhones. On devices supporting PAC (pointer authentication), we came across a strange bug during some symbols resolution using **dlsym()**. This blogpost details our observations and the root cause of the...
The GitHub Blog
Shelby Cunningham
How to request a change to a CVE record
Learn how to identify which CVE Numbering Authority is responsible for the record, how to contact them, and what to include with your suggestion.
Synacktiv
Hack the channel: A Deep Dive into DVB Receiver Security
Many people have a DVB receiver in their homes, which offers a large attack surface that many don’t suspect. As these devices can require an internet connection, they provide a cool entry point to a local network. In this article,...