All sorts of things can happen when you're open to new ideas and playing around with things.
Starred Articles
Vectored Exception Handling Squared
12/27/2025 - An in-depth technical walkthrough of Vectored Exception Handling Squared (VEH2), implemented in Rust. We will see how hardware breakpoints and VEH can be combined to intercept execution without patching code.
Registry Writes Without Registry Callbacks
12/27/2025 - This post explores a technique for establishing registry persistence and performing registry writes against HKCU at medium integrity that bypasses CmRegisterCallback monitoring entirely, so no registry callbacks fire. It relies on placing a crafted NTUSER.MAN that loads persistence keys into HKCU on next logon; the hive is loaded directly from disk without invoking registry APIs.
Forensic Insights into an EDR Freeze Attack
12/28/2025 - We analyze EDR-Freeze.exe, which puts EDR processes into a suspended "coma" state. We review how the attack works and its impact on EDR, identify detection opportunities, and finally write a Sigma rule for detection.
New Articles
I detail how I found critical vulnerabilities in Petlibro smart pet feeders allowing complete account takeover via broken OAuth, access to anyone's pet data, device hijacking, and private audio recordings.
Hunting CVE-2025-59287 in Memory Dumps
12/26/2025 - In this post, we analyze the memory dump of the IIS worker process of a WSUS server abused via CVE-2025-59287. From the dump, we will see that the in-memory HTTP requests can be recovered and, in many cases, the payload itself extracted.
In this post, we analyze the evolving bypass tactics threat actors are using to neutralize traditional security perimeters and fuel the global surge in infostealer infections.
Dissecting a Multi-Stage macOS Infostealer
12/23/2025 - Deep dive into MacSync Stealer (UserSyncWorker variant), a MaaS infostealer featuring a Gatekeeper bypass via a notarized Swift dropper, code signature validation, and multi-layer payload obfuscation.
Is that Windows Notepad window really empty?
12/21/2025 - We will see what artifacts can be recovered from Windows Notepad now that it supports multiple tabs, saved session state, and multi-level undo, what evidence can be lost if you close Windows Notepad, and what evidence can be lost if you open it.
Cross-Site ETag Length Leak
12/26/2025 - I discuss a novel XS-Leak technique that turns ETag length differences into a cross-site oracle via 431 errors and the History API, and I created a CTF challenge as a proof of concept.
Crimson RAT Delivered via Malicious Excel
12/22/2025 - This blog walks through my analysis of a malicious Excel file that reconstructs its payload dynamically through hidden form objects, ultimately deploying Crimson RAT.
Hunting MongoBleed (CVE-2025-14847)
12/27/2025 - CVE-2025-14847 is a memory disclosure vulnerability in MongoDB's zlib decompression that allows attackers to extract sensitive data (credentials, session tokens, PII) directly from server memory. In this blog, we explain how to detect exploitation of this vulnerability with Velociraptor.
All I Want for Christmas is Your Secrets: LangGrinch hits LangChain Core (CVE-2025-68664)
12/25/2025 - We disclose LangGrinch (CVE-2025-68664), a critical LangChain Core serialization injection bug in which untrusted, LLM-influenced metadata can be rehydrated as objects, enabling secret leaks and unsafe instantiation.
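The bug class named in the LangGrinch summary, as an added Python illustration that is neither LangChain's code nor the disclosure's proof of concept: the `lc`/`type`/`id` envelope shape, the `Note` class and the `metadata` key are assumptions made for the demo. The unsafe loader rehydrates every envelope it meets, including one smuggled into LLM-influenced metadata, and falls back to importing unknown class paths; the hardened loader constructs only allowlisted ids and returns anything under a data-only key as plain data.

```python
import importlib


class Note:
    """Constructed stand-in for a framework object that carries free-form
    metadata (e.g. text a model produced). Not a LangChain class."""

    def __init__(self, text, metadata=None):
        self.text = text
        self.metadata = metadata if metadata is not None else {}


# Classes the loader is meant to build, keyed by the "id" path in the envelope.
KNOWN = {("demo", "Note"): Note}

# Keyword arguments that are opaque data and must never be rehydrated.
DATA_ONLY = {"metadata"}


def is_envelope(obj):
    """An envelope is a dict asking the loader to construct an object."""
    return (isinstance(obj, dict) and obj.get("lc") == 1
            and obj.get("type") == "constructor")


def load_unsafe(obj):
    """Vulnerable pattern: every envelope anywhere in the input is rehydrated,
    and an unknown id falls back to importing the class by dotted path."""
    if is_envelope(obj):
        cls = KNOWN.get(tuple(obj["id"]))
        if cls is None:
            module, _, name = ".".join(obj["id"]).rpartition(".")
            cls = getattr(importlib.import_module(module), name)
        return cls(**load_unsafe(obj.get("kwargs", {})))
    if isinstance(obj, dict):
        return {k: load_unsafe(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [load_unsafe(v) for v in obj]
    return obj


def load_safe(obj, in_data=False):
    """Hardened: only KNOWN ids are constructed, there is no import-by-path,
    and everything below a data-only key stays plain data."""
    if is_envelope(obj) and not in_data:
        cls = KNOWN.get(tuple(obj["id"]))
        if cls is None:
            raise ValueError(f"refusing to construct {obj['id']}")
        kwargs = {k: load_safe(v, in_data=(k in DATA_ONLY))
                  for k, v in obj.get("kwargs", {}).items()}
        return cls(**kwargs)
    if isinstance(obj, dict):
        return {k: load_safe(v, in_data) for k, v in obj.items()}
    if isinstance(obj, list):
        return [load_safe(v, in_data) for v in obj]
    return obj


# Constructed sample: a legitimate Note whose metadata (the LLM-influenced
# part) smuggles a second envelope pointing at an arbitrary importable class.
PAYLOAD = {
    "lc": 1,
    "type": "constructor",
    "id": ["demo", "Note"],
    "kwargs": {
        "text": "summary of the document",
        "metadata": {
            "source": "model output",
            "inject": {"lc": 1, "type": "constructor",
                       "id": ["datetime", "timedelta"],
                       "kwargs": {"days": 3}},
        },
    },
}


def metadata_inject_type(loader):
    """Name of the type the given loader produced for the smuggled envelope."""
    note = loader(PAYLOAD)
    return type(note.metadata["inject"]).__name__


def safe_rejects(obj):
    """True if the hardened loader refuses to construct the object."""
    try:
        load_safe(obj)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe:", metadata_inject_type(load_unsafe))  # timedelta
    print("safe:  ", metadata_inject_type(load_safe))    # dict
```

The import-by-path fallback is what turns an injected envelope into arbitrary class instantiation; removing it and refusing to descend into data-only fields are two independent controls, and a loader needs both, since an allowlisted class can still be constructed with attacker-chosen keyword arguments if the envelope is accepted from metadata.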
Velociraptor - Part 2: 102
12/22/2025 - In this post, we explore Velociraptor's major features, common Windows artifacts it supports, and practical VQL examples to extract actionable intelligence.
Ruby Array Pack Bleed
12/29/2025 - I discovered a vulnerability in Ruby which allows reading memory out of bounds of the allocated string buffer. The vulnerability exists within the instance method pack of the Array class, which defines how to convert elements into a string and can be abused to generate a negative repeat count to leak some of the memory.
We conducted a targeted analysis of popular HTML-to-PDF libraries and identified 13 vulnerabilities, demonstrated 7 intentional behaviors, and highlighted 6 potential misconfigurations. These included vulnerability classes such as Files or Directories Accessible to External Parties, Deserialization of Untrusted Data, Server-Side Request Forgery, and Denial of Service.
Supply Chain Attack
12/26/2025 - In this article, we explain how software supply chain attacks subvert trust in open source, CI/CD and registries, and how SBOMs, provenance and signed builds mitigate the risk.
Evasive Panda APT campaign overview
12/24/2025 - We analyze the Evasive Panda APT's infection chain, including shellcode encrypted with DPAPI and RC5, as well as the MgBot implant.
We analyzed the inner workings of techniques used to bypass Windows' AMSI security feature, providing insights on detection, and crafted a variation of the techniques (a patchless AMSI attack called VEH2) that would allow an adversary to bypass AMSI without detection by silently setting a hardware breakpoint.
Still Recent
Extracting Syscalls from a Suspended Process
11/27/2025 - We explore a technique that will enable us to extract syscalls from a suspended process. We will first look at the attack path, then detail how to develop the attack, and, as a bonus, see how we can take it one step further.
We detail a bypass for the CVE-2025-6023 security fix in Grafana. The exploit chains two distinct bypasses, a Server-Side Open Redirect and a Client-Side Path Traversal, that together allow an attacker to achieve a full account takeover by loading a script from an external URL.
Velociraptor - Part 1: 101
12/15/2025 - Velociraptor is a free and open-source digital forensic tool that allows examiners to quickly find and gather data from remote Windows, Mac and Linux devices. This post explains the basics of Velociraptor and a basic lab setup for the software.
In this article, we explore how to identify and exploit business logic flaws to bypass restrictions, escalate privileges, and introduce exploitable behavior.
Oldies but Goodies
Diffing 7-Zip for CVE-2025-11001
10/16/2025 - This post describes CVE-2025-11001, a vulnerability in the 7-Zip module responsible for converting Linux symlinks to Windows ones (it handles other symlink types as well, but this blog focuses on the Linux -> Windows side).
In this article, we cover what authentication vulnerabilities are and help you identify and exploit simple as well as more advanced cases.
We detail a vulnerability in FortiClientMac which, when exploited, could lead a victim who is manipulated into clicking a link to execute arbitrary code on their machine.
Unearthed Arcana
Combining response-type switching, invalid state and redirect_uri quirks in OAuth with third-party JavaScript inclusions yields multiple vulnerable scenarios in which authorization codes or tokens could leak to an attacker. This could be used for single-click account takeovers.