Testers don't break the code, they break your illusions about the code
Starred Articles
Hijack-as-a-Service: Abusing Azure Bastion Shareable Links for Phishing and Stealthy Persistence
08/31/2025 Azure Bastion can be used for persistence via a shareable link. If only the shareable link is compromised, the user can be phished to gather credentials and log in (MFA is not needed), and with several tokens the session can be hijacked and frames extracted from the active session tunnel.
Browsers added cookie prefixes to protect your sessions and stop attackers from setting harmful cookies. In this post, you'll see how to bypass cookie defenses using discrepancies in browser and server logic.
This blog post describes our journey through discovering CVE-2024-28080, an authentication bypass vulnerability in Gitblit, "an open-source, pure Java stack for managing, viewing, and serving Git repositories".
AgentHopper: An AI Virus
08/29/2025 We have seen multiple real-world cases where adversaries target and exploit coding agents, including pushing information up to GitHub. In this post, we build one prompt injection payload that operates across agents and exploits them in turn, creating an AI-based virus.
New Articles
A Cloudy Day for Security - Part 1
08/25/2025 In this first part of the series we cover some of the many security considerations when using GitHub Actions, with a focus on securing your CI/CD pipeline against adversaries with contributor access to your GitHub repository.
Technical deep-dive into CVE-2025-53149, a heap-based buffer overflow in the Windows Kernel Streaming WOW Thunk Service driver (ksthunk.sys).
In this article, we'll examine one of the misconfigurations (get-task-allow enabled) that allows code injection into an app and eventually a bypass of macOS TCC (Transparency, Consent, and Control).
ksmbd vulnerability research - Part 2
09/02/2025 In this part, we explain how we increased coverage and applied different fuzzing strategies to identify more bugs.
DLL Sideloading for Initial Access
09/02/2025 DLL sideloading can be used for initial access in red team operations and to avoid EDR detection. In this post, we review the concepts of DLL sideloading and proxying and walk through the whole process of finding the right DLL and backdooring it.
A vulnerability in Electron applications allows attackers to bypass code integrity checks by tampering with V8 heap snapshot files, enabling local backdoors in applications like Signal, 1Password, and Slack. This article is a dive into Electron CVE-2025-55305, a practical example of backdooring applications by overwriting V8 heap snapshot files.
VSCode's ability to create remote tunnels has caught the attention of Red Team operators and security professionals alike. Here’s a simple breakdown of how this works, what it means for cybersecurity, and how it can be prevented.
We discovered an active ViewState deserialization attack (CVE-2025-53690) affecting Sitecore deployments. An attacker leveraged the exposed ASP.NET machine keys to perform remote code execution.
We discovered a method to exfiltrate sensitive data from a highly restricted GCP environment using a misconfigured Identity-Aware Proxy (IAP). By deploying an App Engine with a crafted app.yaml, an attacker can embed sensitive data within the configuration and retrieve it externally, bypassing traditional network egress mechanisms.
Some memory corruption bugs can involve race conditions, crash the system, and impose limitations that make a researcher's life difficult. In this article, I show how I exploited CVE-2024-50264, a race condition in AF_VSOCK sockets that happens between the connect() system call and POSIX signals, resulting in a use-after-free (UAF).
Exploit development for IBM i
09/04/2025 IBM i administrators have long relied on exit programs as their primary safeguard against abuse of remote services like DDM and DRDA. We developed techniques to bypass improperly configured exit programs, allowing our payloads to reach the system even in environments where administrators believed they were protected.
Exploiting ZwMapViewOfSection in ASIO64.sys
08/27/2025 This post will outline the exploitation steps for the ASIO64.sys driver, which is known to have exploitable vulnerabilities and is included in the Windows driver blocklist.
Legless: IPv6 Security
09/01/2025 Most modern operating systems have IPv6 enabled by default. This often leads to hidden vulnerabilities. Attackers can exploit the trust-based nature of IPv6 protocols to launch spoofing attacks within a local network, where an attacker impersonates a legitimate network node or inserts fake packets for the purpose of MITM or DNS spoofing.
In this article, we will be exploring the most common vulnerabilities to test for in web-based add-on/plugin ecosystems. We will see how to identify targets and review the vulnerabilities one can find in those plugins.
We uncovered a chilling attack that started with a single compromised email inbox and spiraled into a full-blown takeover of an organization's cloud infrastructure. The root cause is a rogue OAuth application and a series of clever moves by attackers who turned a phishing email into a master key for the victim's AWS environment.
We dissect the RapperBot botnet, a malware family targeting several vulnerable NVR (network video recorder) models, and provide a comprehensive breakdown from the point of infection to DDoS attack.
We provide technical details of a supply chain attack leading to credential theft. The root cause was a GitHub Actions workflow injection vulnerability in the Nx repository. An attacker exploited this weakness to extract an npm publish token with rights to the affected packages, then used it to publish the malicious versions directly to the npm registry without altering the source repository.
In this last post of the series we will focus on network detections, validation, and operational reality of a telemetry-based detection for Lumma Stealer.
Netskope Client for Windows - Local Privilege Escalation via Rogue Server (CVE-2025-0309)
08/29/2025 A vulnerability in the Netskope Windows client makes it possible to escalate privileges by forcing the client into enrolling in a rogue Netskope server. This could be abused by a low-privileged, local user in order to escalate their privileges on the client host to those of the stAgentSvc service, which runs with SYSTEM privileges.
In this second part of the series we dissect process-level behaviors and highlight relevant telemetry data for Lumma Stealer detection.
Docker Engine API botnet
08/29/2025 OracleIV is a DDoS botnet exploiting misconfigured Docker Engine APIs. It delivers a malicious Python ELF executable within a Docker container ("oracleiv_latest") to perform various DoS attacks. The botnet communicates with a C2 server for commands, demonstrating attackers' continued use of exposed Docker instances.
We discuss how to automate the generation of documentation and change logs, using tools like Jinja for template-based conversion, Git for tracking changes to the repo, and regular expressions to parse the output. We also set up pipelines for automated updates of the documentation, reducing manual effort and enhancing collaboration across teams.
CVE-2025-53772 IIS WebDeploy RCE
09/01/2025 A detailed technical analysis and research notes on the vulnerability in the msdeployagentservice and msdeploy.axd endpoints of Microsoft Web Deploy, where unsafe deserialization of HTTP header contents allows an authenticated attacker to perform remote code execution (RCE) - CVE-2025-53772.
We detail an authenticated RCE (Remote Command Execution) vulnerability in OpenEdge (CVE-2025-7388) through command injection. Chained with an authentication bypass vulnerability (CVE-2024-1403), we obtain a full unauthenticated RCE.
Google Web Designer is vulnerable to client-side remote code execution on Windows. The vulnerability was enabled by an internal API exposed by CSS injection through a configuration file that can be packaged alongside ad documents, ultimately leading to command injection via the command line arguments for Google Chrome's executable chrome.exe.
In this post, we will see how it is possible to use CSS to steal attribute data without selectors and stylesheet imports. The technique leverages the CSS attr() function in combination with the "if" statement.
In this post, we uncover the threat of DNS tunneling, detail how attackers exploit DNS for data exfiltration and C2, and give strategies to detect and stop them.
In this post, we will detail 3 vulnerabilities we found in Sitecore Experience Platform. An HTML Cache Poisoning through Unsafe Reflections (CVE-2025-53693), a Remote Code Execution through Insecure Deserialization (CVE-2025-53691), and an Information Disclosure in ItemServices API (CVE-2025-53694).
Still Recent
API Connections allow anyone to fully compromise any other Connection worldwide, giving full access to the connected Backend. This includes cross-tenant compromise of Key Vaults and Azure SQL databases, as well as any other externally connected service, such as Jira or SalesForce.
Another ECS Privilege Escalation Path
08/19/2025 Starting from a "compromised" EC2 instance with ReadOnly access to the AWS account, we discovered an attack path based on StartTask and RunTask permissions, and were able to escalate our initial privileges and access secrets.
This series is a telemetry-first breakdown for defenders who need high-fidelity signals for detecting Lumma Stealer. In this first part, we will walk through delivery vectors and telemetry chains.
Even the most secure apps often have tiny gadgets: small misconfigurations or minor bugs that, by themselves, don't create a lot of disruption for an application. However, by staying patient and chaining small gadgets together, you can eventually uncover critical, high-impact bugs.
The purpose of this blog is to illustrate some examples of data staging and exfiltration activity.
Oldies but Goodies
We found the undocumented APIs for Azure API Connections. In this post we examine the inner workings of the Connections allowing us to escalate privileges and read secrets in backend resources for services ranging from Key Vaults, Storage Blobs, Defender ATP, to Enterprise Jira and SalesForce servers.
We reverse and analyze Vidar, a fairly advanced, capable, and configurable infostealer. Once unpacked, we will go through the main stealer modules: Monero Wallet, FileZilla, WinSCP, Browser Credentials, Google Account ID, Credit Cards, SQLite, Steam Tokens, etc.
Unearthed Arcana
Attacks in Active Directory: Kerberoast
09/01/2022 Kerberoasting enables attackers to extract service account credentials as a low-privileged user without communicating with the server that hosts the attacked service. This article aims to document work around Kerberoast and be a point of reference for people interested in getting information about this attack vector within Active Directory.