If you want to increase your success rate, double your failure rate.
Starred Articles
We discovered two vulnerabilities in the widely used elliptic JavaScript library. These vulnerabilities, caused by missing modular reductions and a missing length check, could allow attackers to forge signatures or prevent valid signatures from being verified, respectively.
Vectored Exception Handlers (VEH) have been used in malware for over a decade, but now they're gaining attention from the offensive security industry. In this post, we'll look at how to manually manipulate the Windows Vectored Exception Handler list, and how Vectored Exception Handlers can be used to evade defenses and perform process injection.
We show how we revealed Sora 2's system prompt by experimenting across multiple modalities, including text-to-image, ASCII and glyph renderings, video, audio captions, and transcripts.
From vendor to ESC3/ESC4
11/14/2025
I'm tracking vendors whose docs lead to ESC3-style templates, which can put the whole environment at risk as well. I'm also flagging cases where vendors tell you to give Domain Users or Authenticated Users write rights on a template, which sets up ESC4: instead of abusing a bad template, you turn a good one into a vulnerable one.
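As an added example (not code from the post above), a small Python check that reads a certificate template's security descriptor in SDDL form and flags the ESC4 setup the entry describes: Authenticated Users, Domain Users or similar broad principals holding GenericAll, GenericWrite, WriteDacl, WriteOwner or WriteProperty on the template. It assumes you have already exported the nTSecurityDescriptor of each template object (under CN=Certificate Templates,CN=Public Key Services,CN=Services in the Configuration partition) as an SDDL string, for instance via its .Sddl property in PowerShell. The two SDDL strings in the block are constructed samples; deny ACEs and inheritance are deliberately ignored, which is a simplification.

```python
"""Check a certificate template's ACL for ESC4-style write rights.

Added example (not code from the post). Input is the template's security
descriptor as an SDDL string (assumed export step); only allow ACEs in the
DACL are inspected, deny ACEs and inheritance are ignored.
"""
import re
from dataclasses import dataclass

# Rights that let the holder rewrite the template or its ACL, i.e. turn a
# safe template into a vulnerable one.
WRITE_RIGHTS = {
    "GA": "GenericAll", "GW": "GenericWrite", "WD": "WriteDacl",
    "WO": "WriteOwner", "WP": "WriteProperty",
}
WRITE_CODES = set(WRITE_RIGHTS)
# Access-mask bits for the same rights, for SDDL that uses a hex mask.
MASK_TO_RIGHT = {
    0x10000000: "GA", 0x40000000: "GW", 0x00040000: "WD",
    0x00080000: "WO", 0x00000020: "WP",
}
# Well-known SDDL SID abbreviations that should never hold write rights here.
BROAD_PRINCIPALS = {
    "AU": "Authenticated Users", "DU": "Domain Users", "WD": "Everyone",
    "DC": "Domain Computers", "BU": "Builtin Users",
}


@dataclass
class Ace:
    ace_type: str
    rights: set
    object_guid: str
    principal: str


def parse_rights(field):
    """The rights field is either a hex mask or a run of two-letter codes."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return {code for bit, code in MASK_TO_RIGHT.items() if mask & bit}
    return {field[i:i + 2] for i in range(0, len(field), 2)}


def parse_dacl(sddl):
    """ACEs of the D: section; each is (type;flags;rights;object_guid;inherit_guid;sid)."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            continue
        aces.append(Ace(fields[0], parse_rights(fields[2]), fields[3], fields[5]))
    return aces


def esc4_findings(sddl):
    """Broad principals holding write rights on the template, as readable strings."""
    findings = []
    for ace in parse_dacl(sddl):
        if ace.ace_type not in ("A", "OA"):       # only allow ACEs grant access
            continue
        who = BROAD_PRINCIPALS.get(ace.principal)
        if who is None:
            continue
        for code in sorted(ace.rights & WRITE_CODES):
            # WP limited to one property GUID is narrower than a blanket write,
            # but still worth a look, so report it with its scope.
            scope = f" (scoped to {ace.object_guid})" if ace.object_guid and code == "WP" else ""
            findings.append(f"{who} has {WRITE_RIGHTS[code]}{scope}")
    return findings


# Constructed samples: HARDENED gives Authenticated Users read-only access;
# VULNERABLE adds what a vendor doc asking for "write on the template" produces.
HARDENED_SDDL = "O:EAG:EAD:PAI(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;EA)(A;;LCRPRC;;;AU)"
VULNERABLE_SDDL = (HARDENED_SDDL
                   + "(A;;RPWPCRLCLORC;;;DU)"     # Domain Users: WriteProperty
                   + "(A;;0x40000000;;;AU)")      # Authenticated Users: GenericWrite

if __name__ == "__main__":
    for label, sddl in (("hardened", HARDENED_SDDL), ("vulnerable", VULNERABLE_SDDL)):
        print(label, esc4_findings(sddl) or "no write rights for broad principals")
```

Run it over every template's SDDL and investigate any finding; a vendor instruction to grant Domain Users "write" on a template shows up here as WriteProperty or GenericWrite.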
New Articles
Hiding Compiled AppleScripts
11/14/2025
I explore methods to further hide malicious scripts and reduce the chance of detection. Using the -r flag in osacompile, we can inject compiled scripts into the com.apple.ResourceFork extended attribute of the output file. The file functions as normal while still enabling the script to be executed with osascript.
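The defender's side of that trick, as an added example that is not code from the post: a Python hunt for compiled AppleScript hidden in a file's resource fork. Compiled AppleScript begins with the bytes "FasdUAS", and on macOS the resource fork named by com.apple.ResourceFork can be read through the path suffix /..namedfork/rsrc. The block parses the classic resource-fork layout (16-byte header, then length-prefixed resources in the data region) rather than just grepping the file, so it also reports the size of each hidden script. That the script is stored as a plain resource whose data carries the magic is an assumption about what osacompile -r writes; the sample fork is constructed, and on non-macOS systems the walker simply finds nothing.

```python
"""Find compiled AppleScript stashed in a file's resource fork.

Added example, not code from the post. The fork parser is platform
independent; scan_tree reads forks via the macOS /..namedfork/rsrc path and
silently finds nothing elsewhere.
"""
import os
import struct

APPLESCRIPT_MAGIC = b"FasdUAS"
DATA_REGION_START = 256   # classic resource forks start the data region here


def resource_data_blobs(fork):
    """Walk the data region of a classic resource fork and return each resource's bytes.
    Header: data offset, map offset, data length, map length (uint32 BE);
    each resource in the data region is a uint32-BE length followed by data."""
    if len(fork) < 16:
        return []
    data_off, _map_off, data_len, _map_len = struct.unpack(">IIII", fork[:16])
    end = min(data_off + data_len, len(fork))
    blobs, pos = [], data_off
    while pos + 4 <= end:
        (size,) = struct.unpack(">I", fork[pos:pos + 4])
        pos += 4
        if size > end - pos:      # truncated or corrupt fork: stop, don't over-read
            break
        blobs.append(fork[pos:pos + size])
        pos += size
    return blobs


def hidden_applescripts(fork):
    """Sizes of resources carrying the compiled-AppleScript magic (assumed to
    sit in the resource data; searching the whole blob is cheap and robust)."""
    return [len(b) for b in resource_data_blobs(fork) if APPLESCRIPT_MAGIC in b]


def resource_fork(path):
    """Resource fork bytes via the macOS named-fork path, or b"" if absent."""
    try:
        with open(os.path.join(path, "..namedfork", "rsrc"), "rb") as f:
            return f.read()
    except OSError:               # no fork, not macOS, or unreadable
        return b""


def scan_tree(root):
    """Map path -> sizes of hidden scripts for every file under root."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            sizes = hidden_applescripts(resource_fork(path))
            if sizes:
                hits[path] = sizes
    return hits


def build_demo_fork(payloads):
    """Constructed sample: a minimal fork whose data region holds the given
    payloads and whose map is empty, used only to exercise the parser."""
    data = b"".join(struct.pack(">I", len(p)) + p for p in payloads)
    header = struct.pack(">IIII", DATA_REGION_START,
                         DATA_REGION_START + len(data), len(data), 0)
    return header.ljust(DATA_REGION_START, b"\0") + data


if __name__ == "__main__":
    import sys
    for path, sizes in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{path}: compiled AppleScript in resource fork, sizes {sizes}")
```

Pair the scan with a check of the files' data forks: a document or image whose resource fork contains a compiled script, while its data fork looks benign, is exactly the combination the technique relies on.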
Understanding Cloud Persistence: How Attackers Maintain Access Using Google Cloud Functions
11/11/2025
We explain how attackers can achieve persistence in Google Cloud Platform (GCP) by leveraging Pub/Sub and Cloud Functions to identify the deletion of a malicious service account and automatically recreate it.
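A detection for that persistence loop, as an added example that is not from the post: the tell-tale sequence in the Admin Activity audit log is a DeleteServiceAccount followed within seconds by a CreateServiceAccount for the same email, with the creation performed by a service-account principal (the identity a Cloud Function runs as) rather than a person. The code takes exported Cloud Logging entries as dicts. The field shapes are assumptions: protoPayload.methodName using the google.iam.admin.v1 names, protoPayload.resourceName of the form projects/<id>/serviceAccounts/<email> for deletions, and protoPayload.response.email (falling back to request.accountId plus the project in request.name) for creations. The sample entries are constructed.

```python
"""Spot a service account being recreated right after it was deleted.

Added example, not from the post. Input: Cloud Audit Log (Admin Activity)
entries as parsed JSON dicts; field shapes as described in the lead-in are
assumptions, and the sample entries are constructed.
"""
from datetime import datetime, timedelta

DELETE_METHOD = "google.iam.admin.v1.DeleteServiceAccount"
CREATE_METHOD = "google.iam.admin.v1.CreateServiceAccount"
WINDOW = timedelta(minutes=15)


def parse_time(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def normalize(entry):
    """Reduce a raw entry to time/method/account/principal; None if irrelevant."""
    p = entry.get("protoPayload", {})
    method = p.get("methodName")
    if method == DELETE_METHOD:
        account = p["resourceName"].rsplit("/", 1)[-1]
    elif method == CREATE_METHOD:
        account = p.get("response", {}).get("email")
        if not account:   # fall back to request fields (assumed proto-JSON names)
            project = p["request"]["name"].rsplit("/", 1)[-1]
            account = f"{p['request']['accountId']}@{project}.iam.gserviceaccount.com"
    else:
        return None
    return {"time": parse_time(entry["timestamp"]), "method": method,
            "account": account, "principal": p["authenticationInfo"]["principalEmail"]}


def find_auto_recreations(entries, window=WINDOW):
    """Creations of an account that was deleted less than `window` earlier.
    A creating principal that is itself a service account points at
    automation (a Cloud Function) rather than an admin redoing their work."""
    events = sorted(filter(None, map(normalize, entries)), key=lambda e: e["time"])
    last_deleted = {}
    findings = []
    for ev in events:
        if ev["method"] == DELETE_METHOD:
            last_deleted[ev["account"]] = ev["time"]
            continue
        deleted_at = last_deleted.get(ev["account"])
        if deleted_at is None or ev["time"] - deleted_at > window:
            continue
        findings.append({
            "account": ev["account"],
            "recreated_after": ev["time"] - deleted_at,
            "recreated_by": ev["principal"],
            "automated": ev["principal"].endswith(".gserviceaccount.com"),
        })
    return findings


def _entry(ts, method, principal, **payload):
    return {"timestamp": ts,
            "protoPayload": {"methodName": method,
                             "authenticationInfo": {"principalEmail": principal},
                             **payload}}


# Constructed sample log: an admin removes a suspicious account, a function's
# identity puts it back seven seconds later, then unrelated benign activity.
SAMPLE_ENTRIES = [
    _entry("2025-11-11T12:00:00Z", DELETE_METHOD, "admin@example.com",
           resourceName="projects/victim-proj/serviceAccounts/backdoor@victim-proj.iam.gserviceaccount.com"),
    _entry("2025-11-11T12:00:07Z", CREATE_METHOD, "persist-fn@victim-proj.iam.gserviceaccount.com",
           request={"name": "projects/victim-proj", "accountId": "backdoor"},
           response={"email": "backdoor@victim-proj.iam.gserviceaccount.com"}),
    _entry("2025-11-11T12:30:00Z", CREATE_METHOD, "dev@example.com",
           request={"name": "projects/victim-proj", "accountId": "ci-runner"}),
    _entry("2025-11-11T12:31:00Z", "google.iam.admin.v1.GetServiceAccount", "dev@example.com",
           resourceName="projects/victim-proj/serviceAccounts/ci-runner@victim-proj.iam.gserviceaccount.com"),
]

if __name__ == "__main__":
    for hit in find_auto_recreations(SAMPLE_ENTRIES):
        print(hit)
```

When a hit fires, the principal in recreated_by is the thread to pull on: it leads to the Cloud Function, its Pub/Sub trigger and the log sink feeding that topic, all of which have to go together.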
We uncover RONINGLOADER, a multi-stage loader deploying DragonBreath's updated gh0st RAT variant. The campaign weaponizes signed drivers, thread-pool injection, and PPL abuse to disable Defender and evade Chinese EDR tools.
In this blog we will first explore what Microsoft says about privileged roles in Entra, and why it wasn't enough for us. We will then introduce the Entra Privileged Tier Model, and unpack the model a bit to explain how to use it to protect accounts with these roles and why we made some of the choices we did.
In this second installment of the Realm Files, we will move into the physical structure of a Realm Database and discuss how it is conceptually laid out on disk.
We go through two vulnerabilities in FortiWeb - a path traversal and an authentication bypass - leading to a complete compromise of the vulnerable appliance.
Hacking Gemini: A Multi-Layered Approach
11/10/2025
I found two sanitizer bypass vulnerabilities in Gemini: one in the markdown sanitizer and another in the Colab export sanitizer. They can be used as exfiltration vectors affecting any user who lets Gemini interact with untrusted or poisoned data.
We review how we can still obtain valuable forensic insights from encrypted Proton Drive. Timestamps, structural hierarchy, share indicators, access counts, and cryptographic metadata can all be used to reconstruct user activity, understand folder relationships, and assess what was stored, even if the plaintext filenames remain protected.
Constrained delegation offers improvements in limiting risk compared to its dangerous unconstrained counterpart. In this second part we see how an attacker can still escalate and pivot to other resources if a resource configured with constrained delegation is compromised, even if the process can be more complex and limited.
SPTM - The Last Bits
11/19/2025
There is still a dearth of information about SPTM, TXM and Exclaves, the modern iOS security features. This post aims to broaden the discussion and fill in the full picture of SPTM.
Memory Analysis with Velociraptor - Part 1
11/14/2025
In this post we detail how some of the memory analysis tools available in Velociraptor can be combined to write some very sophisticated detections for memory patching attacks.
Injection for an athlete
11/14/2025
We analyzed the Garmin Connect Mobile Android app after GPS failures in a sports watch and discovered that two exported content providers (SSOProvider and DevicesProvider) had insecure configurations. SSOProvider exposes the user profile, and DevicesProvider is vulnerable to SQL injection due to unsanitized string concatenation in queries.
In this blog, we present an analysis of the updated steganographic loader, including one of its payloads: the Lokibot malware. The blog will also highlight the extracted MITRE ATT&CK tactics, techniques, and procedures (TTPs) to support detection development and testing efforts aimed at identifying threats of this nature.
This blog details how we discovered a pre-authentication RCE vulnerability in Oracle Identity Manager (CVE-2025-61757). This pre-authentication RCE would also have been able to breach login.us2.oraclecloud.com, as it was running both OAM and OIM.
Privescing a Laptop with BitLocker + PIN
11/14/2025
We step into the shoes of an attacker who is an insider and wants SYSTEM access, so we are going to unlock the laptop's drive (locked with BitLocker and a PIN) and discuss a few peculiarities found along the way.
We break down the NotDoor Outlook-macro backdoor. It relies on Outlook Macros to monitor incoming emails for specific triggers, and when the system receives such an email, it executes code paths found in the VBA macro. This allows an attacker to exfiltrate data, upload files, and execute commands on the victim’s computer while using an inconspicuous application as the C2.
The malicious domain is the digital hub of nearly all modern cybercrime. The life cycle of these domains is a frantic race against time, characterized by rapid setup, sophisticated evasion techniques, targeted threat intelligence tracking, and complex policy-driven dismantling. Understanding this timeline is essential for developing resilient cybersecurity defenses.
We analyze real-world examples of threat actors leveraging authentication coercion attacks. Our comprehensive breakdown covers the flow of authentication coercion, and includes a case study of a real attack in which threat actors exploited an obscure, rarely monitored remote procedure call (RPC) interface.
We present a framework using technology subgraphs, decomposition, and graph abstraction to model hybrid attack paths in BloodHound OpenGraph.
The Hidden Risks inside ChatGPT in Entra ID
11/11/2025
We analyze the integration of ChatGPT with Microsoft 365 and Entra ID, showing how OAuth consent flows can unintentionally expose vast amounts of enterprise data. The analysis highlights that identity and consent - not malware - are now the main attack surface.
LSASS Dump
11/18/2025
We discuss a new technique for dumping credentials cached in LSASS via an old version of the Windows Error Reporting binary, as well as the related detection opportunities.
CVE-2025-59253: Demonstrating a vulnerability in Windows that leads to a low privileged user being able to delete the boot configuration data (BCD) through COM.
In this post I will show how, by combining two regular features, it was possible to figure out the phone number of almost any user on a large social media platform with millions of users.
We uncovered exploitation of an unauthenticated access vulnerability within Gladinet's Triofox file-sharing and remote access platform. This vulnerability, assigned CVE-2025-12480, allows an attacker to bypass authentication and access the application configuration pages, enabling the upload and execution of arbitrary payloads.
N-able N-central: From N-days to 0-days
11/17/2025
Root cause analysis for N-able N-central CVE-2025-9316 and CVE-2025-11700, which allow reading files and potentially compromising the N-central database that stores client credentials, API keys, and more.
A technical overview of Sturnus, a privately operated Android banking trojan with many fraud-related capabilities, including Device Takeover and capturing decrypted messages.
We demo a high-impact chained vulnerability in Supabase Cloud, dubbed SupaPwn, that could allow a tenant to escalate from a normal user account to controlling other instances within the same region where their database instance was created.
Still Recent
We detail how to combat Business Email Compromise with essential logging and investigation methods. We particularly focus on Unified Audit Logging (UAL) and mail access logs, as they provide critical visibility into the actions taken during an attack.
This article explores how fileless attacks operate, how to detect them using memory and behavioral indicators, and how to analyze them effectively with practical rule and code examples.
In this first part, we discuss the Kerberos authentication process and how delegation plays an important role in solving the double-hop problem.
Astro framework and standards weaponization
11/05/2025
We focus on the Astro framework and show that widely known standard request headers, combined with an opportunistic use of the URL parser, can lead to bypassing path-based middleware protections and enable multiple exploits, ranging from simple SSRF to stored XSS, ending with a complete bypass of a previously disclosed CVE.
CVE-2025-6554: The (rabbit) Hole
10/07/2025
An exploit targeting V8 attracted a lot of attention: it takes advantage of a very famous primitive, another the_hole leak, with a new exploitation technique. The bug itself is very interesting and touches on various areas and concepts within V8. This is an analysis of that bug.
Oldies but Goodies
In this blog post, we dive into the architectural challenges Windows Hello for Business (WHfB) faces and explore how we can exploit them.
Rooting the TP-Link Tapo C200 Rev.5
07/25/2025
We explore ways to mod a Tapo C200 Rev.5 firmware in order to gain root access to a running device.
The Realm Files - Part 1: Intro to RealmDB
09/02/2025
In this first part of the series, we walk through the main concepts of RealmDB, see how we can identify this type of database and how we can look at its content.
Netskope Cross-tenant Authentication Bypass
08/15/2025
It was possible to bypass the "Secure Enrollment" feature in Netskope and enrol arbitrary users, without authentication or knowledge of the enrolment token for the target organisation - as long as an enrolment token for another, unrelated organisation is known.
Unearthed Arcana
We detail how to use Responder, a tool widely used in penetration tests and by red teamers for lateral movement across the network. Responder offers many useful features, such as LLMNR, NBT-NS and mDNS poisoning. It supports various Active Directory attacks and helps achieve objectives like hash capture or poisoned answer forwarding.
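The cheapest way to find out whether a Responder-style poisoner is active on a segment is to ask for a host that cannot exist and see who answers. As an added example that is not from the post or the Responder project, the Python below builds an LLMNR query (DNS message format on UDP 5355 to the 224.0.0.252 multicast group) for a random name, and decodes any A-record answer. A real host stays silent; a poisoner replies with its own address, which is then your lead. build_query, build_response and answered_ips only encode and decode messages and run offline; probe() actually sends on the local network and needs no privileges. The name prefix and timeout are arbitrary choices.

```python
"""Probe a network segment for an LLMNR poisoner such as Responder.

Added example, not from the post or the Responder project. Only probe()
touches the network; everything else is message encoding/decoding.
"""
import os
import socket
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355
QTYPE_A, QCLASS_IN = 1, 1
FLAG_RESPONSE = 0x8000


def encode_name(name):
    """DNS label encoding: length-prefixed labels and a zero terminator."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_query(name, txid):
    """Standard query: ID, flags 0, one question, no answer/authority/additional."""
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", QTYPE_A, QCLASS_IN)


def build_response(name, txid, ip, ttl=30):
    """What a poisoner sends back: the question echoed plus one A record."""
    header = struct.pack(">HHHHHH", txid, FLAG_RESPONSE, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack(">HH", QTYPE_A, QCLASS_IN)
    answer = (encode_name(name) + struct.pack(">HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
              + socket.inet_aton(ip))
    return header + question + answer


def skip_name(data, pos):
    """Advance past a (possibly compressed) name that starts at pos."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:     # compression pointer: two bytes, ends the name
            return pos + 2
        pos += 1 + length


def answered_ips(data, txid):
    """IPv4 addresses in the answer section of a response matching txid."""
    if len(data) < 12:
        return []
    rid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    if rid != txid or not flags & FLAG_RESPONSE or ancount == 0:
        return []
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(data, pos) + 4          # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        pos = skip_name(data, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == QTYPE_A and rdlen == 4:
            ips.append(socket.inet_ntoa(data[pos:pos + 4]))
        pos += rdlen
    return ips


def probe(timeout=2.0):
    """Ask for a random non-existent host; every (source, ips) that answers is suspect."""
    name = "srv-" + os.urandom(4).hex()          # arbitrary, cannot legitimately resolve
    txid = int.from_bytes(os.urandom(2), "big")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    hits = []
    try:
        sock.sendto(build_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        while True:                               # collect until the timeout fires
            data, (src, _port) = sock.recvfrom(512)
            ips = answered_ips(data, txid)
            if ips:
                hits.append((src, ips))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return hits


if __name__ == "__main__":
    for src, ips in probe():
        print(f"LLMNR answer for a bogus name from {src} -> {ips}: likely poisoner")
```

Run it periodically from a box on each user VLAN; the same idea carries over to NBT-NS (UDP 137 broadcast) and mDNS (224.0.0.251:5353) with the corresponding message formats. Note that the probe only detects a poisoner that is answering; disabling LLMNR and NBT-NS via policy is what removes the attack surface.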