Security Review #255

April 25, 2025

Intelligence is the ability to avoid doing work, yet getting the work done

— Linus Torvalds

Starred Articles

io_uring Rootkit Bypasses Linux Security Tools

We investigate a major blind spot in Linux runtime security tools caused by the io_uring interface, an asynchronous I/O mechanism that bypasses traditional system calls. In this blog, we will explore how io_uring can also be used as an evasion technique that affects most Linux runtime security tools today.

How MCP servers can steal your conversation history

In this post, we demonstrate how injecting trigger phrases into MCP tool descriptions can exfiltrate the user’s entire conversation history. Customized triggers can be crafted to activate specifically when sensitive data patterns appear in the conversation, maximizing the value of the exfiltrated data while minimizing noise.

AES & ChaCha

A technical deep dive into how the ChaCha20 cipher is taking on AES as the gold standard for symmetric encryption, and a lesson about the power of simplicity in cryptographic design.

Code execution inside PID 0

On every system, there's a process whose Process ID is 0. This process is called the System Idle Process, and contains threads that execute when no other thread is ready to run on a given processor. In this article I provide a Proof-of-Concept to get code execution inside of this process.

New Articles

VINETHORN Spyware: In-depth Technical Analysis

This write-up covers a deep analysis - from manifest inspection to dynamic analysis - of the Android VINETHORN spyware, capable of sophisticated data theft and persistent surveillance.

Fire In The Hole, We're Breaching The Vault

We discuss a security vulnerability in Commvault's software (CVE-2025-34028). The vulnerability allows pre-authenticated remote code execution, discovered through a combination of server-side request forgery (SSRF) and arbitrary file writing.

Sysmon Unleashed: Tracking and Tackling Malicious Activity on Windows

Sysmon is part of the Sysinternals suite and is a powerful Windows system service and device driver that logs system activity to the Windows Event Log. By configuring Sysmon properly, security professionals can detect, analyze, and respond to malicious behavior effectively.

Understanding and threat hunting for RMM software misuse

Threat actors often use remote monitoring and management (RMM) software to install malware, disable security controls, escalate privileges and preserve continuing access to compromised networks. This report analyzes and provides detection artifacts and threat hunting queries for three types of commonly abused RMM tools - AnyDesk, Atera Agent and MeshAgent.

Remote Code Execution in ZYXEL FLEX-H Series

I found a security issue related to a third-party application (PostgreSQL) in ZYXEL USG FLEX-H Series. An architectural misconfiguration exposes the database service to external access. The absence of authentication requirements for database access enables an attacker to execute arbitrary queries and gain remote code execution.

Glitching STM32 Read Out Protection

In this blog post, we will demonstrate how to prepare the target and perform a fault injection attack to bypass the Read Out Protection, a security feature developed by STMicroelectronics to protect firmware and sensitive customer data.

Nothing in Run Keys

One persistence mechanism that many people miss during incident response is a small registry key called AppInit_DLLs. In this article, I'll explain how attackers use it to stay hidden, and how you can find it during forensic investigation.

Guide to Indicators of Compromise, Attack, and Behavior

In cybersecurity, the three main types of indicators are a critical concept for threat detection and response. These main types are indicators of compromise, behavior, and attack (IOCs, IOBs, IOAs). Let’s elaborate on their essence, difference, and use.

Kubernetes Threat Hunting using API Server Audit Logs

This blog article will explore the significance of Kubernetes API Server Audit Logs in threat hunting, guide you on how to interpret them, and outline best practices for leveraging them to identify potential security threats.

Mitigating ELUSIVE COMET Zoom remote control attacks

This post details our encounter with ELUSIVE COMET, explains their attack methodology targeting the Zoom remote control feature, and provides concrete defensive measures organizations can implement to protect themselves.

Threat actors misuse Node.js to deliver malware and other malicious payloads

We detail an attack chain leveraging Node.js to lure users into downloading a malicious installer disguised as legitimate software. We also provide an example of the emerging inline script execution technique, and recommendations to help users and defenders reduce the impact of these attacks in their environments.

The curious case of the evt parameter

A short blog to explain how I discovered that you could use a parameter called evt in SVG events, and how it can be leveraged in a Cross-Site Scripting (XSS) attack.

Mastering C2 Redirectors: A Red & Blue Teamer's Guide

In this post, I'll break down the most effective redirector techniques you can use to hide your C2 infrastructure, blend in with normal traffic, and outsmart modern defenses. I'll describe each technique and include code snippets for practical explanation.

The Hidden Risk: Compromising Notepad Cowriter's Bearer Tokens

Copilot for Office 365 includes integration with Notepad in 2025, allowing users to request the AI assistant to rewrite paragraphs or text. In this blog post, I will share my technical observations and explore how Notepad AI services, as well as similar applications with these features, could potentially be compromised.

Interlock ransomware evolving under the radar

We provide a technical analysis of Interlock, a ransomware intrusion set that conducts Big Game Hunting and double extortion campaigns.

Advanced KQL Deep Dive: User State Change Tracking

What follows is the process I went through in developing a KQL query used to detect anomalous or hijacked web sessions by modeling a user's expected state at a given moment and capturing changes to that state over time.

CVE-2025-23016 - Exploiting the FastCGI Library

We discovered a vulnerability (CVE-2025-23016) in the FastCGI lightweight web server development library. In this article, we'll take a look at the inner workings of the FastCGI protocol to understand how and in what context this vulnerability can be exploited. Finally, we'll see how to protect against it.

GoLibAFL

In this article, we introduce GoLibAFL, a fuzzer for Go code built on top of LibAFL. GoLibAFL provides state-of-the-art fuzzing techniques and offers great customizability for advanced users.

How MiraclePtr Crushed Two Sandbox Escapes

In this post, we introduce two newly discovered UAFs within the Browser process, identified during our vulnerability research. In the past, these flaws could have led to critical exploits, but thanks to Chrome’s latest security technology, MiraclePtr, they are no longer exploitable.

Watch Your AI! Using Replit AI to Mask Your C2 Traffic

Replit is a powerful platform that builds and deploys code for you, takes care of the infrastructure, and just makes life easier overall. In this blog post, we detail a solid technique to route your C2 traffic using Replit domains, which are generally trusted and widely used.

Bypassing UAC via Intel ShaderCache Directory

I detail a UAC bypass that involves taking advantage of the fact that auto-elevated processes, such as the Task Manager, write to the Intel Graphics Driver ShaderCache directory.

Recovering Metadata from .NET Native AOT Binaries

In this post, we will discuss Native AOT - Microsoft's latest Ahead-Of-Time Compilation Technology - in great detail from a reverse engineering standpoint. We'll talk about what it is, what it looks like in a general purpose decompiler, and how we can (automatically) extract this metadata to reconstruct most of the original type hierarchy.

Attacking My Landlord's Boiler

Here's how I figured out how to control my apartment's heating in a way that leaves no trace using the existing thermostat already fitted by my landlord, and maybe learn a bit about radios along the way.

Data in Danger: Detecting Cross-Site Scripting in Grafana

We detected a Cross-Site Scripting (XSS) vulnerability in Grafana (CVE-2025-2703). Attackers could exploit the vulnerability to steal data from other users or elevate their privileges by targeting users with more permissions.

Technical analysis of CVE-2025-31201

We delve into CVE-2025-31201, a vulnerability that affects a shared library named libRPAC. An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication.

PowerShell for Hackers: Exploitation Essentials

This article digs into the reasons behind PowerShell’s efficiency, examines useful methods and real-world scripts that red teamers utilize and discusses critical mitigation tactics for defenders. This guide will help you increase your PowerShell toolset and gain a deeper grasp of fundamental post-exploitation.

How to Find Evidence of Network Windows Registry

The network need not be a mystery. Network evidence in the Windows Registry refers to the traces, configurations, and historical data related to a system's network activity. This article delves into the registry to identify such activity.

Still Recent

Snapshot Fuzzing

Snapshot fuzzing enables security engineers to effectively test software that is traditionally difficult to analyze, such as kernel-level software. Whether you're auditing drivers or other kernel-mode components, including antivirus software, snapshot fuzzing provides a robust way to discover critical vulnerabilities.

NASA cFS version Aquila Software Vulnerability Assessment

NASA’s Core Flight System (cFS) is an open-source software framework that supports mission operations by providing a modular and scalable architecture. We uncovered critical vulnerabilities that could be exploited to disrupt mission-critical systems. These include Remote Code Execution (RCE), Denial of Service (DoS), and Path Traversal vulnerabilities.

A small bug in the signature verification of AOSP OTA packages

In this post, we will explore how OTA package authentication works in Android and detail a signature verification bypass in a function that verifies the integrity of ZIP archives in the AOSP framework.

CVE-2025-25364: Speedify VPN MacOS privilege Escalation

We discovered CVE-2025-25364, which is a critical command injection vulnerability discovered in the me.connectify.SMJobBlessHelper XPC service, a privileged helper tool used by Speedify VPN on macOS. If exploited, it allows an attacker to escalate privileges, execute unauthorized commands, and gain full control over the affected macOS system.

Localhost dangers: CORS and DNS rebinding

What is CORS, and how can a CORS misconfiguration lead to security issues? In this blog post, we'll examine some case studies of how a broad or faulty CORS policy led to dangerous vulnerabilities in open source software. We’ll also discuss DNS rebinding, an attack with similar effects to a CORS misconfiguration that’s not as well known among developers.

Oldies but Goodies

iDRAC to Domain Admin

In this article, I detail how I executed an interesting path to escalating my privileges to domain admin, starting with access to an iDRAC controller with default credentials.