Security Review #266

This guide provides the key evaluation criterias for EDR solutions, including core telemetry features, integration capabilties, UI, storage, detection and resistance to evasion techniques.

I decided to setup a VNC honeypot. My goal was to essentially spin up an Ubuntu server and configure it in such a way, where when someone connected, it would start a recording of the active VNC session, and once disconnected, would save that recording into a file which i could retrieve at a later date.

In this article, I will explore the use of io_uring, a legitimate Linux kernel feature designed for high-performance asynchronous I/O, but which can be adapted to evade traditional syscall-based detection mechanisms. We will see how modern techniques can enable stealthy and silent operations, bypassing EDR and other monitoring mechanisms, and what this means for both attackers and defenders.

As IoT adoption continues to grow, we explored the idea that instead of directly compromising IoT devices, an attacker could target the applications controlling them. In this article, we will go through some vulnerabilities we found in an Android drone control application, allowing us to take control of a recent smartphone by faking the drone itself.

We detail CVE-2025-6514, a critical vulnerability in the mcp-remote project used by Model Context Protocol (MCP) clients. By abusing the authorization mechanism, a malicious remote MCP server can trigger remote code execution on the client.

We detail how timed mutexes can be leveraged to evade anti-virus sleep detection.

We analyze CVE-2024-30088, a double-fetch race condition bug in the Windows Kernel Image ntoskrnl.exe, and chain the exploit to escape the Chrome Renderer Sandbox, achieving EoP from Untrusted Integrity Level to SYSTEM.

Creating vulnerable (on purpose) programs to leak the NtReadVirtualMemory address for stealthier API resolution (no GetProcAddress, GetModuleHandle or LoadLibrary in the IAT).

The FileFix technique rely on priming the target user's clipboard with a malicious command, achieved via JavaScript in an HTML attachment or hosted site. In this short blog, we'll talk about methods for detecting and preventing the FileFix technique.

Linux hardening guides often overlook a subtle but serious attack vector: the ability to drop into a debug shell via the Initial RAM Filesystem (initramfs). In this post, it is demonstrated how this attack works on modern Linux distributions, such as Ubuntu and Fedora, and explained why existing guidance often fails to mention it.

We investigate AWS Organizations cross-account pivoting and compromise by abusing misconfigured delegation mechanisms, uncovering how attackers can abuse legitimate features to persist, move laterally and escalate privileges across all accounts in a multi-account AWS environment.

A critical double free vulnerability in the pipapo set module of the Linux kernel’s NFT subsystem has been discovered. An unprivileged attacker can exploit this vulnerability by sending a specially crafted netlink message, triggering double-free error with high stability. The attacker can take advantage of kernel exploitation techniques to achieve local privilege escalation.

In this article, we demonstrate the ability of a user accessing a Confluence database with read and insert privileges to forge and insert a rogue token for any user, achieving access to the Confluence instance with the highest privileges. The token can then be used in existing tooling to dump and search Confluence content.

In this last article of the series, we will showcase a vulnerability enabling the attacker to go the last mile. Despite compromising all endpoints, an attacker would still be executing code under the same low-privileged user as FortiClient's UI. However, during our research on FortiClient, we discovered a local privilege escalation affecting macOS machines running FortiClient.

We explore a lesser-known Windows code injection technique using the MessageBoxIndirect API and its callback mechanism. It’s a creative method for executing shellcode by exploiting the MSGBOXPARAMSW structure.

This post details several privilege escalation vulnerabilities we identified in Lenovo Vantage, a common management platform bundled with Lenovo laptops. We'll detail Vantage's architecture and its implications in the impact, and mitigation of, the logic bugs identified. The following CVEs were assigned to track the described issues: CVE-2025-6230, CVE-2025-6231, CVE-2025-6232

The Azure Front Door Web Application Firewall (WAF) has an "IP restriction" option that can be bypassed with the inclusion of an X-Forwarded-For HTTP header.

The Azure Load Testing service supports Locust configuration files which are just Python code and can be executed in the Load Testing environment. This allows us to query the resource's metadata service endpoint, generate reverse shell connections and extract Key Vault secret and certificate references.

A pre-authentication vulnerability exists within DotNetNuke (DNN), assigned CVE-2025-52488, that allows attackers to steal NTLM hashes.

In this article I would like to detail an exploitation showcase of vulnerability in Windows NTFS implementation. This vulnerabilty, CVE-2025-49689, is reachable through specific crafted virtual disk (VHD). We will review the root-cause leading to multiple corruptions, and how it can be exploited in order to achieve Escalation of Priveleges.

In this blog, we'll focus on CVE-2025-5777, an insufficient input validation leading to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.

We illustrate issues raised by the intersection of vibe coding and security by reviewing the security design of BitChat, a decentralized messaging protocol. We identify and detail a critical identity flaw that enables trivial man-in-the-middle (MITM) attacks.

A detailed walkthrough of a technique to create schizophrenic ZIP file - a file that appears different depending on how it's parsed.

While digging into the internals of my new Lenovo ThinkPad, I came across an unexpected discovery that quickly escalated from curiosity to a viable privilege escalation vulnerability (CVE-2025-1729).

Filesystem redirection attack is a persistent vector for privilege escalation. This blog outlines how RedirectionGuard proactively prevents unsafe junction traversal, reinforcing our commitment to secure-by-design-principles and reducing the burden on developers and defenders.

This blogpost is about a minor discovery I made regarding a writeable file inside the Windows folder that is present on Lenovo machines and can be abused as an AppLocker bypass.

We delve into how Microsoft Entra Workload Identities can be abused and what defenses are available to protect them. We will review what Workload Identities are, the Oauth App consent abuse and service principal credential theft attack vectors, and the different defense strategies that can be deployed.

An overview into Windows Registry Forensics and how to leverage data for your investigations.

We get into technical details of the backdoor embedded in Atomic macOS Stealer (AMOS), a popular piece of stealer malware for macOS.

In this second article, we will cover how attackers can use the compromised endpoint, outlining the steps of lateral movement and an EMS vulnerability that can lead to full organizational compromise.

This article reveals a critical vulnerability in Laravel applications due to exposed APP_KEY values, which can lead to remote code execution (RCE) via deserialization attacks

Presentation of a new project: an agent for C2 (Mythic) that has advanced post-exploit capabilities and evasion features. The agent is highly flexible, and most of its behavior can be configured at runtime using the Config command. It is implemented entirely as shellcode with mordern design, without relying on sRDI, making it easier to use during injection.

The scoop on CVE-2025-33073, how the Kerberos Reflection attack was uncovered, its impact on Active Directory, and lessons learned.

In this post, we’ll explore how PowerShell empowers security teams to harness the full potential of Entra ID CFIR (Cloud Forensic and Incident Response). From automating incident response workflows to identifying subtle signs of compromise, PowerShell scripts can transform complex logs and alerts into actionable intelligence.

We detail browser permissions, their type, the key mechanisms (API, policy headers, iFrame delegation), investigate common piutfalls and misconceptions and their related security risks.

In the third part of our series we demonstrate how risk intensifies in multi-modal AI agents, where hidden instructions embedded within innocuous-looking images or documents can trigger sensitive data exfiltration without any user interaction.

How can attackers exploit weaknesses in database-enabled AI agents? This last part of the series explores how SQL generation vulnerabilities, stored prompt injection, and vector store poisoning can be weaponized by attackers for fraudulent activities.

This blog series explores the critical vulnerabilities beneath AI Agents seemingly intelligent responses, offering a deep dive into hidden threats that demand urgent attention. This first part outlines key security risks like prompt injection and code execution.

In this writeup I try to explain the full exploitation process of CVE-2023-29336, a privilege escalation vulnerability on Win32k.

We explore the IKKO Activebuds airbuds, and discover multipel vulnerabilities allowing us to sideload applications, steal OpenAI API key, access AI chat history, steal user personal data and perform several injections.

Our research examines vulnerabilities that affect Large Language Model (LLM) powered agents with code execution, document upload, and internet access capabilities.

In this blog post, we will cover an overview of the Unified Logs and the challenges presented in using them during an investigation. Along with this blog post, we also released a tool called "macos-unifiedlogs" to help overcome some of the challenges in parsing log data, and to provide examples of how it can uncover vital information during an investigation.

This post details a technique to improve subdomain enumeration by including Empty Non-Terminals (ENT), an often-ignored DNS node and observing the NOERROR status code.