One person's constant is another person's variable.
Starred Articles
In this article, I will demonstrate a new technique for creating persistence. Instead of hiding it from scans and viewers, I will show how these persistence methods can point to non-existent executable files while still ensuring that the necessary files run each time they are activated.
OPSEC: Read the Code Before It Burns Your Op
09/09/2025 Hardcoded constants in offensive tools become detection signatures. Static strings that seem harmless during development persist in logs, network traffic, and file systems, creating reliable indicators for defensive teams. This analysis examines specific examples from commonly used tools and outlines a review methodology to identify these issues before operational use.
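As an added illustration of the review step described above (this is our own example, not code from the linked article or any tool it examines), the script below walks Python source with the `ast` module, collects every string literal, and flags the classes of constants that most reliably survive into logs, traffic or disk: URLs and IP addresses, User-Agent strings, Windows named pipes, registry paths, and default artefact file names. The pattern set, the `find_constants` function and the embedded sample source are all assumptions constructed for the example.

```python
"""Hardcoded-constant review helper (added example; assumptions noted inline)."""
import ast
import re

# Classes of string literal that tend to become detection signatures.
# The patterns are an illustrative assumption, not a complete catalogue.
RISK_PATTERNS = {
    "url": re.compile(r"https?://", re.I),
    "ipv4": re.compile(r"\b\d{1,3}(\.\d{1,3}){3}\b"),
    "user_agent": re.compile(r"Mozilla/\d|User-Agent", re.I),
    "named_pipe": re.compile(r"\\\\\.\\pipe\\", re.I),
    "registry": re.compile(r"^(HKLM|HKCU|HKEY_)", re.I),
    "artifact_name": re.compile(r"\.(exe|dll|ps1|bat|log)$", re.I),
}

# Constructed sample tool source for the demo (hypothetical, not a real tool).
SAMPLE_SOURCE = r'''
import requests
UA = "Mozilla/5.0 (Windows NT 10.0) MyC2Agent/1.0"
PIPE = r"\\.\pipe\mypipe-5c7a"
def beacon():
    return requests.get("http://198.51.100.23/gate.php", headers={"User-Agent": UA})
def drop():
    open("C:\\Windows\\Temp\\upd8.exe", "wb").close()
'''


def find_constants(source, filename="<memory>"):
    """Return (lineno, kind, literal) for every string literal matching a risk class.

    A literal may appear under several kinds (a URL containing an IP is
    reported as both 'url' and 'ipv4'); the reviewer decides which to
    randomise per operation, make configurable, or remove.
    """
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            for kind, pattern in RISK_PATTERNS.items():
                if pattern.search(node.value):
                    findings.append((node.lineno, kind, node.value))
    return sorted(findings)


def report(source, filename="<memory>"):
    """Human-readable review output, one flagged literal per line."""
    return "\n".join(f"{filename}:{line}: [{kind}] {value!r}"
                     for line, kind, value in find_constants(source, filename))


if __name__ == "__main__":
    print(report(SAMPLE_SOURCE, "sample_tool.py"))
```

Run it over a real code base by reading each `.py` file and passing its text to `find_constants`; every hit is a candidate to move into per-operation configuration rather than ship as a fixed string.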
In this blog post we will examine multiple interesting exploit chains that we identified in an exemplary application, highlighting the risks resulting from the combination of sensitive data exposure and excessive agency. The target application is an AI email client, which adds a ChatGPT-like assistant to your Google Mail account.
In this article, I will demonstrate the technique of breaking into the protected folder that contains the executable files of Windows Defender. From there, we can manipulate Defender at will, such as side-loading DLLs, destroying executable files to prevent the service from running, and more. This technique will be carried out using only the tools available on Windows.
New Articles
I'm going to share with you an interesting race condition issue lurking in Apple's core file-copy API.
Race Against Time in the Kernel's Clockwork
09/07/2025 An in-depth exploration of the Linux POSIX CPU Timer Subsystem, including patch analysis and vulnerability insights for Android Kernel CVE-2025-38352.
We provide technical details on 2 vulnerabilities in Apache projects: a Server-Side Request Forgery in Apache Pony Mail Foal and a Remote Code Execution on whimsy.apache.org.
Caido 101: How to master it
09/11/2025 A short guide to help you understand Caido and decide whether you want to give it a try.
Password-spray detection typically involves correlating bad password attempts based on time. This detection method is fraught with false positives since standard users mistype and/or forget their passwords regularly. This article describes how to detect password-spraying without false positives by leveraging a honeypot account.
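As an added example of the honeypot approach summarised above (our own code, not the linked article's), the detector below only raises an alert when a source touches an account that has no legitimate user. Because nobody should ever authenticate as that account, a single attempt is a high-confidence signal, and the spray is then reconstructed by collecting every account the same source tried within a time window. The log line format, the honeypot account names and the sample events are all constructed assumptions; a real deployment would read 4625/4771 events or IdP sign-in logs instead.

```python
"""Honeypot-account password-spray detection (added example; assumptions inline)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Accounts that exist in the directory but are never used by anyone (assumption).
HONEYPOT_ACCOUNTS = {"svc_backup_old", "j.smith.admin"}

# Constructed sample auth log: "<ISO timestamp> <source> <account> <result>".
# 10.0.0.5 is a normal user who mistyped once; 198.51.100.7 is a spray.
SAMPLE_LOG = """\
2025-09-10T08:00:01 10.0.0.5 alice FAILURE
2025-09-10T08:00:04 10.0.0.5 alice SUCCESS
2025-09-10T08:01:00 198.51.100.7 alice FAILURE
2025-09-10T08:01:01 198.51.100.7 bob FAILURE
2025-09-10T08:01:02 198.51.100.7 svc_backup_old FAILURE
2025-09-10T08:01:03 198.51.100.7 carol FAILURE
2025-09-10T08:01:04 198.51.100.7 j.smith.admin FAILURE
2025-09-10T09:30:00 10.0.0.9 bob FAILURE
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, source, account, result)."""
    ts, src, account, result = line.split()
    return datetime.fromisoformat(ts), src, account, result


def detect_spray(log_text, honeypots=HONEYPOT_ACCOUNTS, window=timedelta(minutes=30)):
    """Return one alert per source that touched a honeypot account.

    Any attempt against a honeypot (success or failure) trips the alert;
    ordinary failed logons never do, which is what removes the
    mistyped-password false positives of time-based thresholds.
    """
    by_source = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_source[ev[1]].append(ev)

    alerts = []
    for src, events in sorted(by_source.items()):
        events.sort()
        trips = [e for e in events if e[2] in honeypots]
        if not trips:
            continue
        # Every attempt from this source within `window` of a honeypot hit
        # is part of the same spray, whichever accounts it targeted.
        related = [e for e in events
                   if any(abs(e[0] - t[0]) <= window for t in trips)]
        alerts.append({
            "source": src,
            "honeypots_hit": sorted({e[2] for e in trips}),
            "accounts_targeted": sorted({e[2] for e in related}),
            "attempts": len(related),
            "first_seen": related[0][0].isoformat(),
            "last_seen": related[-1][0].isoformat(),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_LOG):
        print(alert)
```

The honeypot accounts should look attractive (a plausible service or admin name, never disabled) but must be excluded from every legitimate workflow, otherwise the one-attempt rule starts producing the false positives it was meant to remove.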
Abusing Ruby class pollution via a new method called rotate chains to get SQLi, then exploiting a one-gadget Ruby deserialization chain to get RCE.
Insufficiently sanitized user-supplied data allows unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code execution (CVE-2025-57819).
How to protect your cookies from theft
09/02/2025 This article explains what cookies are, the different types, how they work, and why websites need to warn you about them. We'll also dive into sensitive cookies that hold the Session ID, the types of attacks that target them, and ways for both developers and users to protect themselves.
CVE-2025-52915: A BYOVD Evolution Story
09/03/2025 K7RKScan.sys exposes a process termination IOCTL to user-mode without sufficient caller or target validation. This flaw enables attackers to terminate arbitrary processes from kernel mode, bypassing user-mode protections that legitimate security tools rely on.
When Azure Dynamic Groups Meet Weak ACLs
08/29/2025 When weak ACLs in on-prem Active Directory are combined with attribute-based rules in Entra ID, an attacker can abuse synchronization to escalate privileges in ways that are often overlooked. This hybrid attack path is less visible in the public domain but just as critical.
Microsoft Exchange inbox rules have emerged as a critical attack vector to establish persistence and facilitate data exfiltration within enterprise environments. We introduce Inboxfuscation, a sophisticated Unicode-based obfuscation technique that is able to create malicious inbox rules that evade detection by traditional security monitoring systems.
In this blog post we provide a root cause analysis of CVE-2025-43300, an out-of-bounds write, addressed with improved bounds checking in the ImageIO framework.
This is a comprehensive tutorial on CVE-2025-43300, a critical memory corruption vulnerability in Apple's image processing framework. This zero-click vulnerability affects iOS and macOS systems, allowing potential remote code execution through specially crafted DNG (Digital Negative) image files.
We detail CVE-2025-24132, a stack buffer overflow vulnerability within the AirPlay protocol that is exposed when a device connects to the car's multimedia system.
While doing patch analysis, I realised that Microsoft made a mistake leading to a kernel address leak vulnerability (CVE-2025-53136). This new bug requires winning a race condition to get a powerful kernel address leak for any token handle, which can be easily chained with other vulnerabilities to obtain a complete exploit on the latest version of the system.
In Azure, users and administrators can grant OAuth applications access to resources managed by or protected by Microsoft Entra ID. If a user is ever tricked into authorizing a malicious app however, adversaries could maintain that access even if the user's password is changed. We break down how these attacks work in the real world and what you can do to stop them.
We have identified a new threat actor targeting Windows servers. GhostRedirector has an arsenal that includes the passive C++ backdoor Rungan, the malicious IIS trojan Gamshen, and a variety of other utilities.
In this post, we detail a new technique we have discovered that allows an authenticated user in ArgoCD to steal the powerful GitHub credentials, further compromising Git accounts and more.
ToolShell refers to multiple vulnerabilities on self-hosted SharePoint Server, enabling unauthenticated remote code execution and security bypasses. This blog details exploitation patterns that include remote code injection, spoofing, and deserialization-based compromise.
Tap and Filter: Filtering in Wireshark
09/04/2025 Filtering in Wireshark is essential, especially in very large network environments, to get a better picture of traffic coming from key and suspicious hosts on a network. Doing this will help you to diagnose problems and see potential misuse or abuse of the network bandwidth. There are two types of filtering in Wireshark: capture filtering and display filtering. This post will detail both types of filtering.
We provide guidelines to improve detection rule management and traceability with versioning in Detection-as-Code, ensuring strong cybersecurity practices.
Still Recent
This is the first post in a series about my deep-dive into the AFD.sys driver on Windows 11. The goal is to open a TCP socket to any host on the LAN using nothing but I/O requests aimed at \Device\Afd. Instead of the usual Winsock calls we're going to slam everything through NtDeviceIoControlFile, hand-crafting the IRPs the AFD driver expects.
Hacking GraalVM Espresso
08/23/2025 I developed a Java deserialization gadget that only relies on the Espresso JDK itself. Because the construction of this gadget is very similar to the ROP (Return Oriented Programming) attack used in binary exploitation, I call it ROP-like Deserialization.
In this part, we will receive data in our socket through a hands-on foray into the IOCTL_AFD_RECEIVE Fast-I/O path: stalking AfdFastConnectionReceive in WinDbg, decoding the AFD_SENDRECV_INFO / WSABUF triad, flipping TDI flags for peek-and-poke tricks, and slurping raw TCP responses straight out of AFD.sys--zero Winsock, pure kernel-level packet sorcery.
In this third part, we will deep-dive into the IOCTL_AFD_SEND Fast-I/O path: snaring AfdFastIoDeviceControl hits in WinDbg, reverse-engineering the AFD_SEND_INFO / WSABUF chain, and blasting raw TCP payloads straight from user space on Windows 11.
TLS NoVerify: Bypass All The Things
08/17/2025 I detail how to bypass TLS certificate validation on Linux using LD_PRELOAD for security research and debugging of embedded systems and native applications.
Google Drive Desktop suffers from a broken access control vulnerability that lets any logged-in user on a machine gain full access to another user’s Drive contents - including My Drive and Shared Drives - without permission.
In this part we will look at the bind and connect operations. Although normally when we use Winsock we don't need to perform the bind, underneath mswsock.dll actually performs this bind for us, so it will be crucial for us to understand how we can establish a TCP handshake.
This blog post describes a vulnerability that would allow an attacker to man-in-the-middle TLS connections on the Nintendo Switch. A successful attack would allow the attacker to view traffic that would otherwise be encrypted, and to impersonate a server. The vulnerability is limited to...