Things that are impossible just take longer.
Starred Articles
In this blog post, I'll introduce ToolShell, an exploit chain that enables an unauthenticated attacker to achieve remote code execution (RCE) on a target SharePoint server with only one request.
We detail a novel technique for SQL Injection in PDO's Prepared Statements. The technique relies on using null bytes (\0) and bound parameter markers (?) in user-controlled areas to trick the PDO SQL parser.
Recutting the Kerberos Diamond Ticket
06/25/2025 Clearing up common misconceptions about the Kerberos Diamond Ticket, we'll see how to apply the idea securely to both Ticket Granting Tickets and Service Tickets, creating forgeries that blend in more effectively with legitimate Kerberos traffic. The result is a stealthier alternative to traditional Silver Tickets and a more convincing method that raises the bar for Kerberos forgeries.
The Quiet Side Channel..
07/25/2025 In this paper, I'll show how a simple misalignment in expectations between front-end and back-end servers can be quietly exploited to build an undetectable channel. And once we're in, we'll turn this into a functioning C2 channel that rides through even the most hardened infrastructure.
Escaping the Confines of Port 445
07/24/2025 NTLM relay attacks on SMB restrict lateral movement to port 445/TCP capabilities. We can leverage the Service Control Manager (SCM) remotely to initiate the Webclient service, allowing integration with computer account takeover methods such as shadow credentials and enhancing attack flexibility through the LDAP service targeting domain controllers (DCs).
New Articles
We identified a local privilege escalation vulnerability in Citrix Virtual Apps and Desktops which would allow an attacker with control of a low-privileged user within a virtual desktop to reliably escalate privileges to SYSTEM (CVE-2025-6759).
This blog reveals a novel attack path in Microsoft Entra ID (formerly Azure AD) that leverages a little-known Azure VM feature to escalate privileges from guest access to full Entra admin. By combining device identity abuse with phishing techniques to steal Primary Refresh Tokens (PRTs), attackers can bypass traditional security controls and perform stealthy lateral movement.
A technical exploration of Local Privilege Escalation Vulnerability in ControlPlane on macOS.
This article discusses the technical details of CVE-2024-24916, a DLL hijacking issue in Check Point's SmartConsole.
Copy-Paste Pitfalls: Revealing the AppLocker Bypass Risks in The Suggested Block-list Policy
07/18/2025 We noticed a subtle but important issue in Microsoft AppLocker: the MaximumFileVersion field was set to 65355 instead of the expected 65535. This small discrepancy could allow certain files to bypass restrictions.
This article reveals a new attack against delegated Managed Service Accounts called the Golden DMSA attack. The technique allows attackers to bypass the intended machine-managed authentication and generate passwords for all associated dMSAs offline.
We detail how an unsafe eval() call in the target server process endpoint allowed dynamic backend routing based entirely on user input. This post explores the steps that led to a successful RCE exploit, ultimately resulting in arbitrary command execution on the server.
In this blog, we detail how typing a single space in ETQ Reliance's login screen allows full access to the SYSTEM account (CVE-2025-34143), as well as some other bugs we found along the way: Cross-Site Scripting in SQLConverterServlet (CVE-2025-34141), XML External Entity (XXE) Injection in SSO SAML Handler (CVE-2025-34142) and Authentication Bypass (CVE-2025-34140).
macOS Forensics Artifacts and Commands
07/19/2025 When conducting a digital forensic investigation on macOS systems, understanding where to find critical artifacts and how to extract meaningful data is crucial. This post highlights the most vital macOS forensic artifacts and the terminal commands you can use to gather evidence during incident response or threat hunting.
A vulnerability (CVE-2024-7401) was discovered in Netskope's product that could allow an unauthenticated threat actor to obtain an account's configuration file. By manipulating and importing this file into any Netskope client, the attacker could impersonate the user associated with that account.
We detail CVE-2025-53770, a critical vulnerability in the ToolPane.aspx component of on-premises Microsoft SharePoint Servers. This vulnerability can allow an unauthenticated attacker to achieve remote code execution (RCE) through improper filtering of HTTP request headers.
CVE-2025-1244: From Emacs URL Handler to RCE
07/13/2025 This technical blog post dives deep into CVE-2025-1244, a critical vulnerability in Emacs (up to version 29.4) that allowed remote code execution (RCE) through its built-in URL handler.
IPv6 Penetration Testing
07/20/2025 IPv6 security has recently become a pressing issue. In this article, I will discuss attacks on IPv6 and methods of protection.
Buffer Overflows in the Modern Era - Part 4
07/21/2025 In this fourth part, we will see how to locate and execute memcpy so we can transfer the shellcode off the stack to the region of memory we've previously allocated.
High-Profile Cloud Privesc
07/14/2025 We explain how it is possible, once you have obtained "OneDrive Admin"-equivalent permissions on a cloud-native estate, to escalate to a Privileged Entra role by backdooring the administrator's PowerShell Profile.
My 'Blind Date' with CVE-2025-29824
07/16/2025 A technical deep dive into CVE-2025-29824, a use-after-free bug in the Windows Common Log File System (CLFS) driver.
Modular PIC C2 Agents
07/20/2025 I demonstrate how multiple PICOs can be loaded into memory by a reflective loader; configured to accept parameters and return data; and how to dynamically patch data into them at link-time. Such an architecture can be extended to build a modular C2 agent.
Phishing: Pushing Evilginx to its limit
07/17/2025 We detail how to use a custom phishlet for Okta and Azure to capture sessions, credentials, and register a new MFA device in a single operation, all while bypassing IdP protections and MFA mechanisms.
This detailed technical analysis breaks down a zero-day vulnerability (CVE-2025-6554) affecting Chrome's V8 JavaScript engine and leading to arbitrary code execution. It relies on the lack of a proper check on a special internal placeholder value called the hole, used by V8 to represent uninitialized variables, which can be leveraged to construct a read/write primitive.
Exploiting Self-XSS Using Disk Cache
07/14/2025 I'll explain a niche technique to exploit a type of self-XSS - where you can somehow log the victim into your account, but the XSS is on a different path, and you can't redirect the victim to it directly.
A decade-old flaw (CVE-2016-2296) in Meteocontrol WEB'log controllers still lets anyone on the Internet pull a hidden configuration page, steal the admin password, and remotely rewrite power-plant settings.
We have analyzed a new variant of the Coyote malware that is the first confirmed case of maliciously using Microsoft's UI Automation (UIA) framework in the wild.
This post is about obfuscating outbound traffic when inline firewalls (IPS - Intrusion Prevention Systems) are in an allowlist mode, i.e. denying everything unless it's explicitly allowed.
Laravel: APP_KEY leakage analysis
07/22/2025 This blog post sums up our security analysis of Laravel, an open-source web framework based on PHP, from identifying vulnerabilities related to Laravel encryption to scaling this knowledge into a massive compromise of internet-facing applications.
One of the most valuable artifacts for forensics is UserAssist. It contains useful execution information that helps us determine and track adversarial activities, and reveal malware samples. This article provides an in-depth analysis of the UserAssist artifact, clarifying any ambiguity in its data representation.
This article details a set of vulnerabilities we discovered in the Windows implementation of VMware Guest Authentication Service, also known as the VMware Alias Manager and Ticket Service, or simply VGAuth: CVE-2025-22230 (authentication bypass) and CVE-2025-22247 (path traversal + insecure link resolution).
AWS Managed Active Directory suffers from the same issues and vulnerabilities that on-prem AD environments have, including its default configurations. One of these default configurations is the ms-ds-MachineAccountQuota attribute. This blog will give an overview of how this default attribute, which cannot be modified by AWS, can lead to the compromise of your own AD environment.
x86-64 GetPC: SYSCALL
07/21/2025 We explore several techniques for retrieving the current instruction pointer (RIP) in position-independent code (PIC), and introduce a newer method leveraging SYSCALL: after the switch from user mode to kernel mode and back, RCX ends up holding the caller's RIP.
Technical analysis of how a phishing attack led to NPM package compromise and malware deployment, plus a look at npm's authentication implementation.
CVE-2025-38001 is a Use-After-Free vulnerability in the Linux network packet scheduler, specifically in the HFSC queuing discipline. In this first part, we will explore how we discovered the vulnerability and exploited it using a page-level data-only attack.
Understanding Current CastleLoader Campaigns
07/24/2025 We analyze CastleLoader, a malware that uses ClickFix social engineering combined with fake GitHub repositories to trick users into running malicious PowerShell scripts.
Async BOFs - "Wake Me Up, Before You Go Go"
07/16/2025 We present the concept and design of real-time monitoring for events for Beacon Object Files, which allow operators to roll out a network of sensors and stream events to the C2 server for further processing.
DNS: A Small but Effective C2 system
07/16/2025 In this blog, we will explore the fundamentals of DNS queries, illustrating how they typically function and how this essential process can be exploited for C2 operations and data exfiltration. We will also dive into the various families of DNS tunneling, shedding light on the techniques attackers use to bypass traditional defenses.
Still Recent
MalDev Myths
06/10/2025 This article provides a short list of techniques used in MalDev that have been obsolete for some time now or are simply applied wrongly. We will review these techniques and provide the actual way to use and test them against automated detection systems such as AV and EDR.
Buffer Overflows in the Modern Era - Part 3
06/27/2025 In this third part we will work on bypassing DEP, still enabled at the hardware level and preventing VirtualAlloc from making the stack executable. We will use ROP (Return Oriented Programming) to find the address of VirtualAlloc and assign RWX to a memory region under our control.
CVE-2023-52927
07/05/2025 In this post, I'll share my journey of discovering CVE-2023-52927. I start by analyzing an obsoleted syzkaller report, then perform root cause analysis, craft a proof-of-concept (PoC) to trigger the KASAN report, and develop a stable exploit for local privilege escalation.
The GenAI Bug Bounty Program
07/10/2025 We demonstrate a prompt-injection vulnerability in Google Gemini for Workspace that allows a threat actor to hide malicious instructions inside an email. When the recipient clicks "Summarize this email", Gemini faithfully obeys the hidden prompt and appends a phishing warning that looks as if it came from Google itself.
Oldies but Goodies
Technical Analysis of TransferLoader
05/14/2025 We provide a technical analysis of TransferLoader, a new malware family with sophisticated anti-analysis techniques that deploys embedded payloads that include a downloader, backdoor, and ransomware.
We identified three particularly prevalent macOS infostealers in the wild, which we will explore in depth: Poseidon, Atomic and Cthulhu. We’ll show how they operate and how we detect their malicious activity.
Unearthed Arcana
How to Perform Clipboard Forensics: ActivitiesCache.db, Memory Forensics and Clipboard History
05/26/2022 On Windows, depending on how the system is configured, historical clipboard data may be stored on the system for analysis. This blog post explores three methods to forensically examine clipboard data - the first method being an artefact on disk, the second through forensic examination of RAM and the third being a folder that's resident on disk which stores data.