The enemy does not check your risk register prior to attacking.
Starred Articles
We peel back the layers on a threat involving an adversary who brought their own VM into an environment following aggressive spam bombing.
This post shows that modern bot detection is no longer about finding a single "bad signal". UA, Client Hints, JavaScript-exposed entropy, and sec-fetch metadata together give you a single identity map; you can easily check whether this map is coherent and decide whether you want an incoherent browser on your websites.
New Articles
Investigating an adversary-in-the-middle phishing campaign targeting Microsoft 365 and Okta users
12/10/2025 We identified an active phishing campaign that targets organizations that use Microsoft 365 and Okta for their single sign-on (SSO) and is able to hijack the legitimate SSO flow. In this post, we provide our analysis of the techniques this campaign uses and share indicators of compromise you can check for in your Okta and Microsoft 365 logs.
We discovered an authentication bypass affecting the webserver authentication type (CVE-2025-66039), numerous authenticated SQL injections (CVE-2025-61675) and an authenticated file upload leading to remote code execution (CVE-2025-61678) in FreePBX.
In this post, I explain how I was able to escalate a self-XSS to an account takeover by chaining CSRF and cookie tossing, while bypassing HttpOnly.
We found several vulnerabilities in Mintlify, a B2B SaaS documentation platform, including RCE (CVE-2025-67843), targeted XSS (CVE-2025-67842), and a patch bypass (CVE-2025-67845).
We study a variant of GachiLoader that deploys a second-stage malware, Kidkadi, which implements a novel technique for Portable Executable (PE) injection. This technique loads a legitimate DLL and abuses Vectored Exception Handling to replace it on-the-fly with a malicious payload.
A look at an Android ITW DNG exploit
12/12/2025 We deep dive into the details of CVE-2025-21042, an out-of-bounds write in libimagecodec.quram.so, Samsung's Quram image parsing library. When exploited, it allows remote attackers to execute arbitrary code.
We uncovered CVE-2025-34352, a critical vulnerability in the JumpCloud Remote Assist for Windows agent. The flaw allows any low-privileged local user to exploit insecure file operations - arbitrary file write/delete - performed by the agent running as NT AUTHORITY\SYSTEM within the user's temporary directory.
We analyze the DNS C2 variant of Joker Screenmate. Our investigations into DNS-based TXT record abuse for command and control demonstrate several fundamental principles that can help guide modern threat hunting operations.
We analyze the network activity of the Mythic framework, focusing on agent-to-C2 communication, and use signature and behavioral analysis to create detection rules for Network Detection and Response (NDR) solutions.
During a pentest of an API integrated with Temenos using OFS, I uncovered a previously undocumented attack vector that I call OFS Field Injection. Improperly sanitized user input was inserted directly into OFS request strings, enabling the creation of poisoned transactions and theft of funds with minimal trace. The post explains how OFS works, and how this attack vector emerges.
Building an Open-Source AI-Powered Auto-Exploiter with a 1.7B Parameter Model: No Paid APIs Required
12/13/2025 In this deep dive, I'll show you how I built an AI-powered auto-exploiter that combines LangChain, LangGraph, and the tiny but mighty qwen3:1.7b model to create an autonomous penetration testing agent.
We walk through an entire Ink Dragon kill chain, including web-centric initial access, hands-on-keyboard activity, staged loaders, privilege escalation and credential-harvesting components, and lateral movement. We also document multiple delivery and persistence patterns, and unpack a new variant of the FinalDraft backdoor.
A technical guide to forensic techniques for retrieving lost or forgotten licence keys from IBM AS/400 systems.
Abusing automatic calendar processing
12/17/2025 We dive into abusing automatic processing of calendar invitations in Outlook and Google Workspace to deliver stealthy social engineering.
Malware Just Got Its Free Passes Back!
12/15/2025 In this article, we'll present a PoC to extend FullMoon, which will allow us to spoof the call stack to our call, hiding the real origin of the call during the program execution, and avoid several indicators and traces usually left with the adoption of Moonwalking. Finally, we'll also encrypt our malware while executing virtually any target Windows API.
A detailed analysis of how React2Shell (CVE-2025-55182) was used to launch a multi-stage attack against a production Next.js app, exposing Node.js systems to real-world exploitation techniques and operational C2 infrastructure.
ORM Leaking More Than You Joined For
12/18/2025 In this article, we showcase an interesting expression-parser bug in the Beego ORM that we used to bypass ORM Leak protections in Harbor.
Exploiting Anno 1404
12/16/2025 The Anno 1404: Venice expansion, released in 2010, includes an online and local area network multiplayer mode. During our research, we discovered several vulnerabilities that, when combined, allow for arbitrary code execution from within the multiplayer mode.
We discovered CVE-2025-64669, a local privilege escalation flaw in Windows Admin Center enabling SYSTEM-level compromise. The root cause lies in insecure directory permissions where the C:\ProgramData\WindowsAdminCenter folder is writable by all standard users.
Still Recent
Firebase Security Fundamentals
10/21/2025 Every application built on Firebase that we've looked at has had the same vulnerabilities. These common vulnerabilities aren't hard to prevent but they're easy to overlook.
Oldies but Goodies
We analyse a HijackLoader variant that implements new techniques designed to increase the defense evasion capabilities of the loader. It combines a standard process hollowing technique with an additional trigger that is activated by the parent process writing to a pipe, and an uncommon combination of process doppelgänging and process hollowing techniques.
Some novel techniques for exploiting server-side template injections (SSTIs) with complex payloads that leverage default methods and syntax from various template engines. No quotation marks or extra built-in plugins needed.