It requires a very unusual mind to undertake the analysis of the obvious.
Starred Articles
From vendor to ESC1
11/08/2025 With attacks against Active Directory Certificate Services (ADCS) increasing, I want to show how certain vendor-required settings create real risk. Some products ask for certificate template permissions that amount to ESC1: Domain Users can request certificates that grant elevated privileges and pivot to Domain Admin in a few steps.
Code-in-the-Middle : An Introduction to IR
11/02/2025 This technical deep dive explores how attackers and red teams can bypass Endpoint Detection and Response (EDR) systems using Intermediate Representation (IR) techniques, particularly LLVM IR.
AI pentest scoping playbook
11/04/2025 This blog post contains what I wish every CISO, security lead, and AI team lead understood before they scoped their next AI security engagement. This guide exists because the current state of AI security testing is dangerously inadequate. The attack surface is massive. The risks are novel. The methodologies are immature. And the consequences of getting it wrong are catastrophic.
We detail "clobbering", a PowerShell-powered command hijacking technique. Combined with autoloading and dynamic modules in the global scope, clobbering allows using third-party modules to register commands that can conflict with, and take precedence over, those registered by the system.
Drawbot: Let's Hack Something Cute!
11/13/2025 We hack into a kid's drawing bot, unveiling the internal mechanisms and diverting its drawing capabilities.
New Articles
In this article, we'll explore various methods by which JWTs can be vulnerable to allow for authentication bypasses and injection attacks, demonstrating the importance of testing such implementations and the effectiveness of following best practices.
In this part, we dissect forensic imaging, creating a perfect clone of a digital drive, a bit-for-bit copy of reality from preparation to integrity verification. We will clone a disk, verify its authenticity, and explore how to preserve digital truth down to the byte.
We will describe a pull request that we submitted to the BloodHound project in order to enumerate Site ACL attack paths, and how to exploit those paths in an efficient way with the tools that we recently released, related to GPO-based exploit vectors. Said compromise scenarios may allow attackers to elevate their privileges, as well as move laterally within an Active Directory forest.
We've identified severe RCE vulnerabilities in three extensions that were written, published, and promoted by Anthropic themselves - the Chrome, iMessage, and Apple Notes connectors, and are sitting at the very top of Claude Desktop's extension marketplace.
We give an overview of how .scpt AppleScript files are used to creatively deliver macOS malware, such as fake office documents or fake Zoom/Teams updates. We also provide mitigation techniques, detection tips, and key indicators.
A critical SQL injection vulnerability (CVE-2025-64459) has been disclosed in Django. Attackers can manipulate database query logic by injecting internal query parameters when applications pass user-controlled input directly into filter(), exclude(), or get() calls. This can lead to unauthorized data access, authentication bypass or privilege escalation.
We detail CVE-2025-34299, a vulnerability in Monsta FTP server enabling an attacker to write arbitrary files on the server. This can lead to pre-authenticated remote code execution.
We dissect the new DigitStealer malware, a sophisticated macOS infostealer that uses advanced hardware checks and multi-stage attacks to evade detection and steal sensitive data.
How I Found the Worst ASP.NET Vulnerability
11/07/2025 I discovered a critical HTTP request smuggling vulnerability in ASP.NET Core’s Kestrel server (CVE-2025-55315) that was assigned a CVSS score of 9.9. This post walks through the vulnerability, how I found it, and discusses the severity rating.
We analyzed DragonForce, a Conti-derived ransomware-as-a-service that employs BYOVD (bring your own vulnerable driver) attacks by using truesight.sys and rentdrv2.sys drivers to terminate processes.
In this article, we will cover what DOM-based cross-site scripting (XSS) vulnerabilities are, their potential impact, and how to identify and exploit them in modern applications effectively.
In this article, we'll be discussing 2 vulnerabilities in Citrix NetScaler we stumbled into: a memory leak and a reflected XSS (assigned CVE-2025-12101).
We observed a concerning trend - threat actors using Python scripts to exploit Microsoft 365 environments. This blog explains how attackers are leveraging native Microsoft Graph functions to harvest emails, why this approach is so hard to detect, and the indicators analysts can use to spot it.
We uncover new tools and techniques used by the Curly COMrades threat actor. They established covert, long-term access to victim networks by abusing virtualization features (Hyper-V) on compromised Windows 10 machines to create a hidden remote operating environment.
We investigate Gootloader, a sophisticated JavaScript-based malware loader that threat actors commonly use to gain initial access. It uses heavily obfuscated JavaScript payloads to facilitate additional payload delivery.
We will explore the path from firmware extraction and analysis to the discovery of a previously unknown vulnerability and its exploitation. Follow along as we build an ARM ROP chain to bypass ASLR without an address leak, and achieve unauthenticated RCE.
A dropper fetches and runs mdriversinstall.sh, which installs a small scripts orchestrator. This orchestrator pulls additional scripts encoded in b64 from the C2, and runs them in detached screen sessions in the background. Its scope is exfiltrating wallet-related files, collecting telemetry, and replacing legit Ledger/Trezor applications with tampered copies.
I found a path-traversal bug in Signal Desktop's attachment save feature. The app uses the attachment's fileName from the message without cleaning or checking it. Because of this, an attacker can craft a filename that points outside the user's chosen folder. This lets an attacker drop files where the system or user will run them later, which can lead to remote code execution.
In this first part, we'll unpack the differences between cold and live system forensics, discuss the legal headaches that come with chain of custody, touch on data acquisition techniques, and face the haunting challenge of data volatility, because, in this game, evidence fades faster than trust.
LANDFALL: New Commercial-Grade Android Spyware in Exploit Chain Targeting Samsung Devices
11/07/2025 Commercial-grade LANDFALL spyware exploits CVE-2025-21042 in Samsung Android's image processing library. The spyware was embedded in malicious DNG files and enables comprehensive surveillance, including microphone recording, location tracking and collection of photos, contacts and call logs.
CVE-2025-53773: Case closed? Not quite.
11/08/2025 Patch bypass for CVE-2025-53773 on Windows via uppercased file path, enabling autonomous tool execution and bypassing the approval requirement.
This article details two bugs discovered in the NVIDIA Linux Open GPU Kernel Modules and demonstrates how they can be exploited. The bugs can be triggered by an attacker controlling a local unprivileged process. Their security implications were confirmed via a proof of concept that achieves kernel read and write primitives.
We discovered CVE-2025-11953, a vulnerability in React that allows remote unauthenticated attackers to easily trigger arbitrary OS command execution on the machine running react-native-community/cli's development server, posing a significant risk to developers.
This blog analyzes a Kimsuky sample, how the dropper downloads additional stages, and network traffic observed within the infection chain.
Snipe-IT: CVE-2025-63601 - Post-Authenticated Remote Command Execution via Backup Restore Feature
11/06/2025 I identified a remote code execution vulnerability (CVE-2025-63601) in Snipe-IT's backup restore feature, rooted in unsafe file extraction logic.
Still Recent
Funky chunks - Part 2: few more dirty tricks
10/29/2025 We investigate a few additional and neglected smuggling techniques.
Implementing the Etherhiding technique
10/29/2025 Etherhiding is a technique used by malicious actors to distribute malware by leveraging public blockchain capabilities. In this post, we will implement a simple demo of Etherhiding.
In this post I'll walk you through a bunch of common RCE pathways. We'll review command injections, unsafe code evaluation, SSTI, insecure deserialization, JNDI, file uploads, LFI and RFI, parser exploits and containers to host escape. I'll explain how they work and how to detect them in the wild.
Automating COM/DCOM vulnerability research
10/30/2025 This article will dive into COM/DCOM and how to automate vulnerability research. We will first describe how COM/DCOM works and how security research can be automated using the fuzzing approach.
We investigate CVE-2025-32463, a sudo privilege escalation vulnerability. It relies on untrusted code loaded and executed as root when using the --chroot option in sudo, then abuses the Name Service Switch functionality to load a malicious library crafted by the attacker.
Oldies but Goodies
In this article, we review what SSTI (Server Side Template Injection) attacks are, how to identify them and how they can be exploited. We illustrate by chaining SSTI to RCE in a Flask-based web application using the Jinja2 template engine.
It's possible to install arbitrary apps in a provisioned Work Profile on a BYOD device with ADB and Android Studio. Due to an auto-install requirement in the Work Profile, which can be enforced via Intune, it is possible to convince the Play Store service (Finsky) to install an arbitrary app, with the same package name and a higher version number than the managed legit application.
In this post, we will explore how seemingly innocuous leniencies in the parsing of chunked message bodies, particularly in line terminators, can result in request smuggling vulnerabilities in widely-used servers and proxies. I will share new exploitation techniques and payloads, methods for black-box detection, and a few recent vulnerabilities found in well-known HTTP implementations.
NTLM relay attacks are back from the dead
07/04/2025 NTLM relay attacks are the easiest way for an attacker to compromise domain-joined hosts. With most environments vulnerable, NTLM sets the stage for lateral movement and privilege escalation. Here’s an introduction to how these attacks work, what they can target, and how to defend against them.
Unearthed Arcana
We first dive deep in the WOW64 (Windows on Windows) system, then assess two hooking techniques and their effectiveness. I will cover how this system works, the ways malware abuses it, and detail a mechanism by which all WoW syscalls can be hooked from userspace.