To be a programmer is to develop a carefully managed relationship with error.
Starred Articles
Exploiting Retbleed in the real world
08/07/2025
Retbleed is a CPU vulnerability rooted in speculative execution: the CPU predicts and executes instructions before the prediction is confirmed, and an attacker who steers that prediction can leak data from an address of their choosing. In this post, we share the details of exploiting Retbleed in a realistic, well-secured setting.
Lateral Movement
08/04/2025
We detail a lateral movement technique that remotely manipulates BitLocker registry keys via Windows Management Instrumentation (WMI) to hijack specific BitLocker COM objects. The goal is to execute code in the context of the interactive user on the target host.
HTTP/1.1 must die: the desync endgame
08/06/2025
This article introduces several novel classes of HTTP desynchronization attack capable of mass compromise of user credentials. These techniques are demonstrated through detailed case studies, including critical vulnerabilities which exposed tens of millions of websites by subverting core infrastructure.
In this post, we will design and implement a prompt injection exploit targeting GitHub's Copilot Agent, with a focus on maximizing reliability and minimizing the odds of detection.
This article demonstrates how attackers can chain CVE-2024-4577 with DNS rebinding to achieve remote code execution on internal network infrastructure directly through the victim's web browser.
New Articles
OpenHands is vulnerable to prompt injection and can be hijacked by untrusted data, e.g. from a website. That impacts Confidentiality, Integrity, and Availability of the system.
In this first part, we discuss the architecture of web conferencing applications, with a specific focus on Zoom's architecture to support web conferencing at a massive global scale.
ReVault! When your SoC turns against you..
08/09/2025
This technical deep dive explores vulnerabilities in Dell's ControlVault3 (CV3), a hardware-based security solution embedded in many Dell laptops. We uncover how CV3 can be exploited due to architectural weaknesses, and detail 5 vulnerabilities affecting both the ControlVault3 firmware and its associated Windows APIs that we are calling "ReVault".
Hells Hollow: A new SSDT Hooking technique
07/30/2025
Hells Hollow is a new SSDT-style hooking technique that leverages Windows 11 Alt Syscalls. Although this post focuses on ETW, the technique can be used in many other creative ways: it is essentially a way to bring back, on Windows 11, the SSDT hooking for rootkits that Microsoft defeated with PatchGuard.
Living in the Namespace
08/06/2025
We detail a persistence technique that uses Linux namespaces, PID namespaces in particular, to create isolated, container-like environments. By calling unshare, a process can detach itself from shared system resources and run independently; with a fresh /proc mounted inside the new PID namespace, tools run there see only that namespace's processes, so any malware running outside the container stays hidden from the OS view inside it.
Oops Safari, I think You Spilled Something!
08/04/2025
We examine the technical details of a vulnerability in WebKit's Data Flow Graph (DFG) JIT compiler (CVE-2024-44308) and walk through exploiting it. We cover the relevant concepts, show the root cause, and demonstrate how to achieve stable object corruption and ultimately gain arbitrary read/write.
Hidden in Devin's capabilities is a tool that can open any local port to the public Internet. That means, with the right indirect prompt injection nudge, Devin can be tricked into publishing sensitive files or services for anyone to access.
Cursor is a popular AI code editor. In this post I want to share how I found an interesting data exfiltration issue (CVE-2025-54132), the demo exploits I built, and how it got fixed.
Hacking Veeam: Several CVEs
08/09/2025
We investigate 5 vulnerabilities in Veeam: Authentication Bypass (CVE-2024-29849), Remote Code Execution (CVE-2024-42024), NTLM Relay to Account Takeover (CVE-2024-29850), Local Privilege Escalation (CVE-2024-29853) and Broken Access Control & IDORs (CVE-2024-29852).
Breaking NVIDIA Triton: CVE-2025-23319
08/04/2025
We discovered a chain of critical vulnerabilities (CVE-2025-23319) in NVIDIA's Triton Inference Server, a popular open-source platform for running AI models at scale. When chained together, these flaws can potentially allow a remote, unauthenticated attacker to gain complete control of the server, achieving remote code execution (RCE).
I discovered 2 flaws in Claude Code: path restriction bypass (CVE-2025-54794) and command injection (CVE-2025-54795), turning AI inward with inverse prompting. These issues allowed me to escape its intended restrictions and execute unauthorized actions, all with Claude's own help.
Cursor is a developer-focused AI IDE that combines local code editing with large language model (LLM) and MCP tool integration. We demonstrate that, once approved, an MCP tool can be silently replaced by malicious code that executes every time the project is opened.
I found two remotely accessible memory corruption bugs (CVE-2025-23310 and CVE-2025-23311) in NVIDIA's Triton Inference Server during a routine onboarding practice. The bugs result from the way HTTP requests are handled by a number of the API routes, including the inference endpoint.
We detail how CVE-2025-29891 impacts Apache Camel via CAmelExecCommandArgs header injection, how attackers exploit this misconfiguration for remote code execution, and how to secure your systems.
CrushFTP RCE Explained
07/30/2025
The core of CVE-2025-54309, an RCE in CrushFTP, is a breakdown in security checks within CrushFTP's DMZ proxy. In this article, we provide technical details on the vulnerability and its exploitation.
In this post we demonstrate how a bypass of OpenAI's "safe URL" rendering feature allows ChatGPT to send personal information to a third-party server. An adversary can trigger it through prompt injection delivered via untrusted data.
Buffer Overflows in the Modern Era - Part 5
08/02/2025
In this final article of the series we detail how to bypass ASLR and run the exploit.
We detail 3 vulnerabilities in Adobe Experience Manager Forms: an insecure deserialization vulnerability leading to command execution (CVE-2025-49533), an RCE via Struts DevMode (CVE-2025-54253) and an XXE (CVE-2025-54254).
DarkCloud Stealer's delivery has shifted. We explore three different attack chains that use ConfuserEx obfuscation and a final payload in Visual Basic 6.
In this blogpost, we present a vulnerability that allowed us to bypass Zscaler's posture verification mechanism. We detail the configuration of the Zscaler client, the weaknesses in its posture check implementation, and how we leveraged them to access internal networks without satisfying the required security conditions.
Flashing Your Lights: CVE-2025-7202
08/06/2025
A CSRF vulnerability in Elgato Key Lights let websites flash your lights remotely. Here's how CVE-2025-7202 was discovered and fixed.
In this second part, we will discuss the approach we developed to support tunneling traffic through Zoom and Microsoft Teams using the TURN protocol.
Getting RCE in an AWS service (Amazon MWAA)
07/28/2025
Amazon Managed Workflows for Apache Airflow (MWAA) is a managed service to run Apache Airflow on AWS without managing infrastructure. However, most installations are affected by CVE-2024-39877, a server-side template injection (SSTI) vulnerability that allows remote code execution.
The File System API is a browser API that allows web apps to do some local file system operations such as direct file editing, saving, and directory access. In this article, we will detail FileJacking, a malware initial access technique that relies on the File System API to backdoor files, and read / write folders directly from the browser without downloads.
Entra Connect Attacker Tradecraft - Part 3
07/30/2025
Attackers can exploit Entra Connect sync accounts to hijack device userCertificate properties, enabling device impersonation and bypassing conditional access policies. By leveraging this access, they can retrieve Intune-issued MDM and PKCS certificates, potentially compromising on-premises domains and sensitive credentials.
In this part, we focus on implementing validation checks to improve consistency and ensure a minimum level of quality within the detection repository. We'll break the validation process into several smaller scripts and pipelines that you can refer to when building your own validation workflows.
Disguises Zip Past Path Traversal
08/05/2025
In this article, we explain how to build a ZIP slip (path traversal) attack by leveraging the schizophrenic ZIP technique: an archive that different parsers interpret differently.
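The technique named above, as an added illustration that is not code from the linked article: build a minimal stored ZIP by hand whose local file header names the entry "../../evil.txt" while the central directory names it "safe.txt", then compare what a central-directory parser and a local-header parser see, and apply the zip-slip path check both should run. The archive bytes, filenames and helper names are all constructed for this example.

```python
import io
import os
import struct
import zipfile
import zlib

# Constructed sample, not taken from any real archive: one stored (uncompressed)
# entry whose two names disagree. Extractors that trust the central directory
# list "safe.txt"; extractors that walk local headers see "../../evil.txt".
LOCAL_NAME = b"../../evil.txt"
CENTRAL_NAME = b"safe.txt"
PAYLOAD = b"owned\n"

LOCAL_HDR = "<4sHHHHHIIIHH"          # 30-byte local file header
CENTRAL_HDR = "<4sHHHHHHIIIHHHHHII"  # 46-byte central directory header
EOCD = "<4sHHHHIIH"                  # 22-byte end of central directory record


def build_schizophrenic_zip(local_name=LOCAL_NAME, central_name=CENTRAL_NAME, data=PAYLOAD):
    crc, size = zlib.crc32(data) & 0xFFFFFFFF, len(data)
    # version needed, flags, method=0 (stored), time, date, crc, sizes, name len, extra len
    local = struct.pack(LOCAL_HDR, b"PK\x03\x04", 20, 0, 0, 0, 0, crc, size, size, len(local_name), 0)
    local += local_name + data
    # version made by, version needed, flags, method, time, date, crc, sizes,
    # name/extra/comment lengths, disk, internal attrs, external attrs, local header offset (0)
    central = struct.pack(CENTRAL_HDR, b"PK\x01\x02", 20, 20, 0, 0, 0, 0, crc, size, size,
                          len(central_name), 0, 0, 0, 0, 0, 0)
    central += central_name
    # disk numbers, entry counts, central directory size and offset, comment length
    eocd = struct.pack(EOCD, b"PK\x05\x06", 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def local_header_names(data):
    """Names as seen by a parser that walks local file headers from offset 0."""
    names, off = [], 0
    while data[off:off + 4] == b"PK\x03\x04":
        _sig, _ver, _flags, _method, _t, _d, _crc, csize, _usize, nlen, elen = \
            struct.unpack_from(LOCAL_HDR, data, off)
        names.append(data[off + 30:off + 30 + nlen].decode("cp437"))
        off += 30 + nlen + elen + csize  # assumes no data descriptor (flag bit 3 clear)
    return names


def central_directory_names(data):
    """Names as seen by a parser that trusts the central directory (Python's zipfile)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def is_safe_member(dest, name):
    """Zip-slip guard: the member's resolved target must stay below dest."""
    dest = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest, name))
    return target == dest or target.startswith(dest + os.sep)


def audit(data, dest="extract"):
    """Cross-check both views of the archive and flag any name that would escape dest."""
    local, central = local_header_names(data), central_directory_names(data)
    return {
        "local": local,
        "central": central,
        "mismatch": local != central,
        "traversal": [n for n in local + central if not is_safe_member(dest, n)],
    }


def zipfile_rejects(data, name="safe.txt"):
    """zipfile compares the two names when an entry is opened and refuses on mismatch."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        try:
            zf.read(name)
            return False
        except zipfile.BadZipFile:
            return True


if __name__ == "__main__":
    blob = build_schizophrenic_zip()
    print(audit(blob))
    print("zipfile refuses the entry:", zipfile_rejects(blob))
```

Python's zipfile lists the benign name but refuses to read the entry once it notices the local header disagrees; an extractor that only walks local headers would write to ../../evil.txt unless it applies the same resolved-path check before creating the file.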
Salesforce Penetration Testing Fundamentals
08/07/2025
This blog walks you through using our script to audit a Salesforce environment, uncovering excessive permissions and platform-specific risks like SOQL injection.
We detail a zero-click data exfiltration exploit in OpenHands (formerly OpenDevin) that abuses the agent's ability to render images in chat.
In this post we show how an attacker can make Devin send sensitive information to third-party servers, via multiple means.
In this first part of the series, we will learn the basics of RPC and will get one step closer to developing programs using Impacket.
Through a series of logic flaws, we demonstrate how to achieve RCE on a CyberArk Conjur deployment using the default AWS integration setup. It requires no credentials, no tokens, not even a real AWS account: just a carefully crafted series of requests that moves from zero access to full control, all by exploiting default behavior.
This blog uncovers a unique, stealthy approach used by a threat actor group to compromise critical banking infrastructure. It reveals a previously undocumented anti-forensics technique (now recognized in MITRE ATT&CK), backdoor presence invisible to process listings, and a rare instance of physical network compromise using embedded hardware.
Debugging the Pixel 8 kernel via KGDB
07/28/2025
This article shows how to use GDB over a serial connection for debugging the kernel on a Pixel 8. The instructions cover building and flashing a custom Pixel 8 kernel to enable KGDB, breaking into KGDB either via ADB by relying on /proc/sysrq-trigger or purely over a serial connection by sending the SysRq-G sequence, and attaching GDB to the Pixel 8 kernel.
We conducted a comprehensive assessment of HashiCorp Vault and identified nine previously unknown vulnerabilities. They allow an attacker to bypass lockouts, evade policy checks, impersonate other identities, escalate to root-level privileges, and achieve remote code execution (RCE), which together enable a full system takeover.
Consent & Compromise: Abusing Entra OAuth for Fun and Access to Internal Microsoft Applications
08/07/2025
We uncovered a new critical misconfiguration that exposed sensitive data at internal Microsoft applications, providing access to over 22 internal Microsoft services.
In this post, we'll explore why internal logging and monitoring platforms represent prime targets, discuss effective techniques for identifying sensitive data within them, and demonstrate how our team has leveraged these platforms to achieve comprehensive domain compromise.
We spotted intriguing new antivirus (AV) killer software that abuses the ThrottleStop.sys driver, delivered together with the malware, to terminate numerous antivirus processes and lower the system’s defenses as part of a technique known as BYOVD (Bring Your Own Vulnerable Driver).
Tracking Updates to Raspberry Robin
08/04/2025
In this blog, we outline the latest updates to Raspberry Robin, including improved obfuscation, a shift from AES-CTR to ChaCha20 for network encryption, a new local privilege escalation exploit (CVE-2024-38196), and the use of invalid Tor onion domains to complicate the extraction of Indicators of Compromise (IOCs).
In modern Microsoft 365 ecosystems, SharePoint Online is no longer just a file repository, it's a sprawling attack surface. This post explores a step-by-step attack scenario based on the SharePoint Online Attack Matrix and walks you through actionable red tactics.
Sandbox-escape-style attacks can happen when an AI is able to modify its own configuration settings, such as by writing to configuration files. In this article, I demonstrate this type of attack against Amp, an agentic coding tool built by Sourcegraph.
Technical analysis of SoupDealer, a malware that bypassed every public sandbox and AV aside from Threat.Zone, and also evaded EDR/XDR in real-world incidents.
I detail how I managed to execute a full, BootROM-level code execution attack on the Qualcomm boot chain, following the sequence BootROM (PBL) - SBL1 - TrustZone & Aboot - Kernel - Android, patching TrustZone and the kernel, and ultimately gaining root access post-boot.
In hybrid environments I have observed certificate settings in Intune being misconfigured in a way that would allow regular users to perform ESC1 over Intune certificates. This blog explores the scenarios where this is possible and provides exploitation and remediation guidance.
In this post, we show how a prompt injection payload hosted on a website leads to a full compromise of Devin AI’s DevBox.
Turning ChatGPT Codex Into A ZombAI Agent
08/10/2025
ChatGPT Codex is a cloud-based software engineering agent that answers codebase questions, executes code, and drafts pull requests. This post will demonstrate how Codex is vulnerable to prompt injection, and how the use of the "Common Dependencies Allowlist" for Internet access enables an attacker to recruit ChatGPT Codex into a malware botnet.
To showcase different ways to craft exploits for vulnerabilities over MS-RPC, this post covers three ways to build a working remote exploit for the same vulnerability: PowerShell, .NET (as an executable), and Python.
Still Recent
At their core, LNK files are files carrying a set of instructions for the OS to execute: where the shortcut icon is stored, where the actual program executable is located, which arguments to pass, and so on. Although created for benign use and UX convenience, those features can be abused.
In this second part, we will cover some basic elements of designing a repository to develop, store, and deploy detections from. We’ll go through several different aspects of the setup like the Git platform, branch strategy, repository structure, detections structure, taxonomies, and content packs.
In this article, we detail how to leverage Active Directory Web Services (ADWS) SOAP API to collect information stored in LDAP.
In this first part of the series, we are going through the basic terminology and concepts of a Detection-as-Code approach in Detection Engineering.
In this blog post, we demonstrate how to use the kernel pool to our advantage to achieve arbitrary read/write against a vulnerable Windows 11 24H2 driver.
The majority of SS7 bypass attacks involve the TCAP layer, which is part of the SS7 protocol stack. This layer has become an attractive target for attackers because of its history and nature. In this article we detail a variant of these TCAP manipulation techniques, which fits into this trend of exploitation.
Oldies but Goodies
We detail CVE-2024-12718, a vulnerability in Python's standard library tarfile module that allows attackers to modify file metadata or permissions outside the intended extraction directory.
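The class of archive behind this bug, as an added example that is not code from the linked article or from CPython: a pre-extraction audit that rejects members whose path, link target, or path through an earlier symlink would land outside the destination, run ahead of the stdlib "data" filter rather than instead of it. The sample archive and helper names are constructed for this example; it does not reproduce the CVE itself.

```python
import io
import os
import posixpath
import tarfile


def _inside(dest, path):
    """True when dest/path, after lexical and symlink normalisation, stays below dest."""
    dest = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest, path))
    return target == dest or target.startswith(dest + os.sep)


def unsafe_members(tar, dest="extract"):
    """List (name, reason) for every member that could touch something outside dest.

    Three classes are rejected: names that escape dest, symlinks or hardlinks whose
    target escapes dest, and members whose path goes through a symlink defined
    earlier in the same archive (a chmod/utime on such a path follows the link).
    """
    bad, symlinks = [], set()
    for m in tar.getmembers():
        name = posixpath.normpath(m.name)
        if name.startswith(("/", "../")) or name == ".." or not _inside(dest, name):
            bad.append((m.name, "path escapes destination"))
            continue
        parts = name.split("/")
        if any("/".join(parts[:i]) in symlinks for i in range(1, len(parts))):
            bad.append((m.name, "path passes through a symlink in the archive"))
            continue
        if m.issym():
            symlinks.add(name)
            # a relative link target is resolved from the link's own directory
            target = posixpath.normpath(posixpath.join(posixpath.dirname(name), m.linkname))
            if m.linkname.startswith("/") or not _inside(dest, target):
                bad.append((m.name, "symlink target escapes: " + m.linkname))
        elif m.islnk():
            if not _inside(dest, posixpath.normpath(m.linkname)):
                bad.append((m.name, "hardlink target escapes: " + m.linkname))
    return bad


def audit_tar(data, dest="extract"):
    with tarfile.open(fileobj=io.BytesIO(data)) as tf:
        return unsafe_members(tf, dest)


def safe_extract(data, dest):
    """Refuse the whole archive if any member is unsafe, then extract with the
    stdlib 'data' filter as defence in depth rather than as the only control."""
    bad = audit_tar(data, dest)
    if bad:
        raise ValueError("refusing to extract: %r" % (bad,))
    with tarfile.open(fileobj=io.BytesIO(data)) as tf:
        tf.extractall(dest, filter="data")


def build_sample_tar():
    """Constructed sample (not an archive from the CVE report): a benign file, a
    symlink pointing outside the destination, a file routed through that symlink,
    and a plain '..' traversal."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        body = b"hello\n"
        ok = tarfile.TarInfo("docs/readme.txt")
        ok.size = len(body)
        tf.addfile(ok, io.BytesIO(body))
        lnk = tarfile.TarInfo("lnk")
        lnk.type = tarfile.SYMTYPE
        lnk.linkname = "../../outside"
        tf.addfile(lnk)
        via = tarfile.TarInfo("lnk/owned")  # metadata write would land on the link target
        via.mode = 0o777
        tf.addfile(via)
        trav = tarfile.TarInfo("../escape.txt")
        tf.addfile(trav)
    return buf.getvalue()


if __name__ == "__main__":
    for name, why in audit_tar(build_sample_tar()):
        print(name, "->", why)
```

The audit is deliberately all-or-nothing: a single rejected member aborts the extraction, because an attacker controls the order of entries and a "skip the bad ones" policy leaves the earlier symlink in place for later members to exploit.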
State Of Linux Snapshot Fuzzing
04/11/2025
We delve into snapshot fuzzing, a technique for enhancing application security testing on Linux, offering significant advantages in testing efficiency and depth, especially for complex and stateful applications. By enabling the rapid restoration of system states, snapshot fuzzing allows for extensive exploration of program behavior and the discovery of vulnerabilities.
Entra Connect Attacker Tradecraft - Part 2
01/22/2025
In this second part, we will learn some more fundamentals of the Entra sync engine and how the rules work to understand how, given access to a sync account in Domain A, we can add credentials to a user in another domain within the same Entra tenant.
Entra Connect Attacker Tradecraft - Part 1
12/13/2024
This is the first part of a series regarding attacker tradecraft around the syncing mechanics between Active Directory and Entra. In this blog, we demonstrate how complete control of an Entra user is equal to compromise of the on-premises user.
Microsoft changed the way the Entra Connect Sync agent authenticates to Entra ID. These changes affect attacker tradecraft, since the sync account credentials can no longer be exported; however, attackers can still take advantage of a compromised Entra Connect sync account and gain new opportunities that arise from the changes.