Don't document the problem, fix it.
Starred Articles
We discovered a privilege escalation vulnerability in Windows Server 2025 that allows attackers to compromise any user in Active Directory (AD). The attack exploits the delegated Managed Service Account (dMSA) feature that was introduced in Windows Server 2025, works with the default configuration, and is trivial to implement.
Clipjacking: Hacked by copying text
05/20/2025 I created a new attack called clipjacking. One might even call it clickjacking but better. In this post, I'll show you how to do it and some potential applications.
The desktop version of Visual Studio Code runs on Electron. An XSS vulnerability in the minimal error rendering mode for Jupyter notebooks enables arbitrary JavaScript code to be executed within the vscode-app WebView for the notebook renderer.
What happens when you skip memory allocation, skip writing, and weaponize thread context alone? This post explores a new class of process injection that lives entirely in the execution layer - no alloc, no write, just a well-placed hijack.
Branch Privilege Injection (CVE-2024-45332) brings back the full might of branch target injection attacks (Spectre-BTI) on Intel. Intel's hardware mitigations against these types of attacks have held their ground for almost 6 years. In our work, we demonstrate how these mitigations can be broken due to a race condition in Intel CPUs.
New Articles
We're diving into a topic every network forensic analyst must get familiar with: tcpdump and the power-packed world around it - Wireshark, pcap, pcapng, and all the little details that actually matter when you’re dealing with real-life packet analysis.
In this post, I'd like to walk y'all through a relevant AI-based threat vector: polymorphic malware. We'll be walking through a five-step detection framework, including prerequisites, hypotheses to test, actionable queries, limitations, false-positive mitigation, and prevention measures.
I demonstrate an approach to fuzzing an RTOS firmware using AFL++’s Unicorn mode. This firmware complicates things by using dynamic memory and making access to OS and hardware features not under emulation.
Steganography is still relevant!
05/16/2025 We discuss the use of steganography to embed a malicious payload, its capability to bypass EDR, and demonstrate the specific use case of bypassing Windows Defender.
In this blog post, I will explain a vulnerability in Apache Superset that allows low privileged users to take ownership of published dashboards, charts, or datasets via the application's export and import functionalities, which lack a validation process during import.
Proxies in DFIR - Deep Dive into Squid Log & Cache Forensics with Calamaris and Extraction Techniques
05/12/2025 I'm going to walk you through how to analyze proxy logs - what tools you can use, what patterns to look for, and where to dig deeper - but keep in mind, every investigation is different, so while I'll show you the process, the real analysis is something you will need to drive based on your case.
We detail the steps of a compromise starting with the exploitation of a known vulnerability (CVE-2023-22527) on an internet-facing Confluence server. Tools like Mimikatz, ProcessHacker, and Impacket Secretsdump were used to harvest credentials and the intrusion culminated in the deployment of ELPACO-team ransomware, approximately 62 hours after the initial Confluence exploitation.
In this article, we will explore the identification and exploitation of advanced CORS misconfiguration vulnerabilities. We will also examine several attack vectors that can help us weaponize cross-origin resource sharing misconfigurations, such as reading responses from internal hosts.
We analyze CVE-2025-32756, a buffer overflow in the administrative API of several Fortinet products: FortiCamera, FortiMail, FortiNDR, FortiRecorder and FortiVoice.
A new DarkCloud Stealer campaign is using AutoIt obfuscation for malware delivery. We investigate the attack chain that involves phishing emails, RAR files and multistage payloads.
In this blog post, I'll explain a simple technique to run meterpreter shellcode while evading Windows Defender and other AVs. We will also look at how defenders can set up detections against this type of attack and explore possible mitigations.
Multiple Security Issues in Screen
05/12/2025 Screen is the traditional terminal multiplexer software used on Linux and Unix systems. We found a local root exploit in Screen 5.0.0 affecting Arch Linux and NetBSD, as well as a couple of other issues that partly also affect older Screen versions, which are still found in the majority of distributions.
Detection Pitfalls You Might Be Sleeping On
05/12/2025 In this post, we're covering 5 common detection pitfalls that allow threats to bypass even "well-written" rules. These are bugs not in your tools, but in your assumptions.
Bypassing LD_PRELOAD Rootkits Is Easy
05/14/2025 In this post, I will detail how to bypass the hooks used by LD_PRELOAD rootkits, a technique that is effective against most, if not all, of them.
We found an RCE (CVE-2025-26147) in Denodo Scheduler, an application administrators use to configure servers, databases, and specify forms of authentication.
Automating MS-RPC vulnerability research
05/21/2025 In this article, we will be diving into the MS-RPC protocol and how to automate vulnerability research using a fuzzing approach.
In this second part of the series, we will discuss the role of stealer logs in asset discovery.
An integer overflow vulnerability exists within the VirtualBox vmsvga3dSurfaceMipBufferSize function (CVE-2025-30712). An attacker can exploit this condition and achieve linear read/write primitives which can then be escalated to arbitrary read/write access within the host's memory.
We evaluate how AI-driven tools supercharge bug bounty hunting. Boost reconnaissance, streamline vulnerability exploitation, and enhance reporting.
CVE-2025-31250 allows prompt spoofing on macOS. An application A can make macOS show a permission consent prompt appearing as if it were coming from any Application B, with the results of the user's consent response being applied to any Application C.
How to Recover Deleted Files with Python
05/17/2025 This article explains how to recover deleted files using Python by scanning raw disk data for known file signatures. This step-by-step guide walks you through creating a basic file carving tool to retrieve lost JPGs, PDFs, DOCX files, and more.
CVE-2025-26817 Netwrix Password Secure RCE
05/22/2025 Netwrix Password Secure is an enterprise password manager which covers a variety of functions that go beyond normal password protection. One of these features allows users to securely share passwords, keys and secrets with other users. This blog post describes how we found a way to use this functionality to execute code on other users' systems.
We delve into EvilWorker, an Adversary-in-the-Middle (AiTM) attack framework based on leveraging service workers and designed to conduct credential phishing campaigns.
Lumma Stealer, coming and going
05/09/2025 We deep dive into a Lumma Stealer campaign using fake CAPTCHA sites that instructed victims to paste a (malicious) PowerShell-encoded command into Windows' command-line interface.
Necromancer Labs
05/19/2025 We identified three distinct JARM signatures that reliably identify Ligolo proxy servers in the wild: one for Ligolo 0.7.x, one for Ligolo 0.8.x, and one for Ligolo-MP (which is shared with Sliver C2). We then developed a method to distinguish Sliver proxies from genuine Ligolo-MP proxies.
We detail a scenario where you need to establish stealthy persistence on macOS without alerting standard security tools, by leveraging the TCC permissions of a vulnerable application.
In this article, we will explore the fundamental concepts of stealer logs, the types of data they capture, and how they can be used to analyze the initial IoC in some cases. Additionally, we will present a case study to illustrate how testers can effectively leverage stealer logs in security testing.
Two newly discovered vulnerabilities (CVE-2025-4427 and CVE-2025-4428) in Ivanti Endpoint Mobile Manager are being actively exploited, leading to severe data breaches. This blog details how to extract forensics from a live Ivanti EPMM appliance compromised through these vulnerabilities.
Continuing on API client security, we cover more sandbox bypasses, this time in Bruno and Hoppscotch, as well as JavaScript sandboxing best practices.
We provide an overview of Microsoft Deployment Toolkit (MDT) and highlight common misconfigurations, particularly how deployment shares are often broadly accessible, allowing attackers to extract credentials.
Skitnet(Bossnet) Malware Analysis
05/15/2025 This post presents an in-depth technical analysis of Skitnet, a multi-stage malware that leverages multiple programming languages and stealth techniques to execute its payload and maintain persistent access to infected systems.
Stateful Connection With Spoofed Source IP
05/17/2025 This blog reviews the technique for establishing a full stateful TCP connection with a spoofed source IP address from the same subnet using ARP poisoning.
We explore current detection/forensic techniques, real-world examples and advanced response procedures to build timelines and attribution for model-based attacks.
Still Recent
We detail CVE-2025-32421, a race-condition vulnerability in the Next.js framework, and show how the batcher mechanism can be manipulated in combination with a cache-poisoning attack, potentially leading to Stored-XSS or DoS under specific misconfigurations.
Game Hacking - Valve Anti-Cheat (VAC)
04/17/2025 We dive into the technical reverse engineering of Valve Anti-Cheat (VAC), explaining how the anti-cheat modules work.
SCIM Hunting - Beyond SSO
05/08/2025 While SSO often takes center stage, another standard is often under-tested - SCIM (System for Cross-domain Identity Management). In this blog post we will dive into its core aspects and the insecure design issues we often find while testing implementations.
Bypassing SMEP
04/19/2025 In this blog post we're going to take a deep dive into the SMEP mitigation, or Supervisor Mode Execution Prevention, and see how it can be bypassed. This is a security feature present in modern Intel processors, and its purpose is to prevent kernel-mode code from executing code located in user-space memory.
kASLR Internals and Evolution
05/03/2025 Perhaps one of the oldest mitigations implemented in all software is ASLR (Address Space Layout Randomization). This blog combines a bit of research differentiating the code of Nt functions available to a medium integrity process, which used to help bypass kASLR. We'll also take a look at the subsequent patch and how it was implemented.
How SSRF Leads to RCE in a .NET Application
03/26/2025 In the world of web application security, a Server-Side Request Forgery (SSRF) vulnerability can sometimes open a Pandora's box, leading to Remote Code Execution (RCE) with the right set of conditions. This is the story of how I explored an SSRF vulnerability and escalated it to RCE within a .NET web application.
Unearthed Arcana
In this second part, I will cover the information required to properly write a shellcode for the Windows platform: the Process Environment Block, the format of Portable Executable files and a short introduction to x86 Assembly.
In this last part of the series, we will write a simple "SwapMouseButton" shellcode, a shellcode that will swap left and right mouse buttons.
This article contains an overview of shellcode development techniques and their specific aspects. We will see what a shellcode is and how it works.