The trouble with programmers is that you can never tell what a programmer is doing until it's too late.
Starred Articles
Intel ME: Anatomy of a Ring-3 Backdoor
02/24/2026 We investigate the Intel Management Engine. It has been present in every Intel platform since 2006. It is not a vulnerability in the traditional sense. It is a feature, designed for remote enterprise management, that creates an attack surface below everything your operating system can see.
Autonomous AI agents can scan networks far faster than human defenders, but by deploying an active deception grid that injects millions of fabricated service responses and deliberately slows connections, defenders overload the agents' limited LLM context windows, degrade their decision‑making, and gain reliable, low‑false‑positive detection of the reconnaissance activity.
We rendered all 1,418 Unicode confusable pairs across 230 macOS fonts and measured visual similarity with SSIM. This empirical data proves that confusability is a font‑dependent risk, allowing security systems to weight threats by max SSIM (or per‑script thresholds) instead of treating every entry in confusables.txt as equally dangerous.
I detail a real, efficient RAG data poisoning attack. We go from the threat model, and the theory of the attack, to malicious text crafting and my personal implementation of PoisonedRAG tested against Claude and Mistral models.
We go over a very traditional approach to achieving initial access using email as our attack vector of choice: various ways to send the email and using attachments versus links, and how to contend with MOTW (Mark of the Web) and SmartScreen security restrictions on your downloaded payloads for the modern Windows 11 environment.
New Articles
We detail 3 vulnerabilities we found in SolarWinds Web Help Desk: two authentication bypasses (CVE-2025-40552 and CVE-2025-40554), and a Remote Code Execution via deserialization (CVE-2025-40553).
I detail a use-after-free affecting the Ancillary Function Driver for WinSock (afd.sys) that I reported to Microsoft and that was fixed as CVE-2026-21241.
Detection Best Practices - Part 1
02/23/2026 When writing detections, there are a lot of Kusto specifics you need to take into account. In this first part of the series, we highlight key points to be considered to avoid creating blind spots in your detections or overwhelming your SOC with too many alerts.
OpenID Connect Authenticator for Tomcat contains a security flaw that allows attackers to bypass JWT signature validation easily. Within the JWT validation function isSignatureValid, the signature of JWTs is not validated if the signature algorithm is unknown. However, the token is still treated as valid and passes verification.
Searching for malicious AI skills we found two binaries sharing the same name, one being malicious. This post details the forensic evidence that differentiated these two binaries, and the prompt injection attempt that introduced the malicious one.
We uncovered a ClickFix campaign using compromised legitimate sites to deliver a five-stage chain ending in MIMICRAT, a custom native C RAT with malleable C2, token theft, and SOCKS5 tunneling.
We explain how to take the best of 3 tools (Persistence Sniper, Trawler and Kansa) to detect persistence mechanisms. In particular, we demo how to use them to scan and triage, validate the output, and then sweep the environment to find siblings of the same implant.
TURN Server Security Best Practices
02/25/2026 TURN server security guide: hardening checklist, IP block lists, rate limiting, and deployment patterns for production WebRTC systems.
Google API Keys Weren't Secrets
02/25/2026 Google spent over a decade telling developers that Google API keys (like those used in Maps, Firebase, etc.) are only used for project identification and are not secret. However, their usage in Gemini allows an attacker to access uploaded files, cached data, and charge LLM-usage to your account.
macOS JIT Memory
02/19/2026 The macOS Hardened Runtime prevents execution of unsigned code. Unsigned executables will not run, regardless of compilation settings. Processes cannot load unsigned shared libraries into apps with the Hardened Runtime. This article will detail how malware can still execute within such constraints.
We uncover DragFix, a ClickFix variant that evades clipboard monitoring by using the HTML Drag and Drop API to set data on the drag transfer - a completely separate data channel.
Total.js RCE gadgets all around
02/23/2026 In this article, I'll walk you through some security vulnerabilities recently found in the Total.js framework. I picked a few RCE paths that caught my eye and went down the rabbit hole, uncovering additional SSTI, command injection and blacklist bypass vulnerabilities.
A comprehensive understanding of this logging mechanism is often decisive when reconstructing an incident timeline. We review how they are stored, how they can be extracted and what are the key artifacts to focus on during investigations.
We analyze an impersonated golang.org/x/crypto clone that exfiltrates passwords, executes a remote shell stager, and delivers a Rekoobe backdoor on Linux.
The larger an organization becomes, the higher the probability that someone will eventually find a weak configuration or a small vulnerability that can be chained into a full domain compromise. We look at two PowerShell tools that can give a lot more visibility into security setup. The first is a workstation security audit script, and the second is an Active Directory ACL scanner.
This Moonrise remote access trojan analysis examines the malware’s WebSocket command-and-control architecture, JSON-based tasking model, and surveillance capabilities to understand its operational risk.
We discovered a Server-Side Request Forgery vulnerability in Astro's SSR implementation. The vulnerability is triggered by a Host header injection in prerendered error pages, allowing full internal network access.
We found 2 critical vulnerabilities in Unitree Go2 robots: an unauthenticated DDS-Based Remote Code Execution (CVE-2026-27509) and a Mobile Database Tampering Leading to Remote Code Execution (CVE-2026-27510).
This series discusses how to build the logging foundation that exists independently of any single vendor or tool. This first part will focus on Windows Security events: the logon tracking and process execution telemetry that gives you session-level visibility into what's happening on your endpoints.
Port scanning via browsers is not new. What Local Network Access (LNA) changes is the quality of the signal. The LNA probe is a deliberate TCP handshake with a binary outcome, producing a clean, reliable timing split.
We walk through a memory‑forensics investigation of a Windows Server 2012 dump, using Volatility to extract system info, process lists, environment variables, command‑lines and privileges, and ultimately exposing two suspicious, randomly‑named binaries.
I found an exploitable stack-based buffer overflow in the update mechanism of an embedded system running on an STM32H5. What made this attack work is that the "public" ROM code was used to build a ROP chain.
Discovery & Analysis of CVE-2025-29969
02/19/2026 We detail how we found CVE-2025-29969, a critical remote code execution vulnerability in the MS-EVEN RPC protocol that allowed low-privileged users to bypass share limitations and write arbitrary files on Windows 11 and Windows Server 2025 systems.
Still Recent
We will go through two PowerShell-based tools that are especially useful in defensive operations: DeepBlueCLI which helps defenders quickly analyze Windows event logs and highlight suspicious behavior, and WELA which focuses on auditing and hardening Windows systems based on predefined security baselines.
On the clock: Escaping VMware Workstation
01/23/2026 We exploited VMware Workstation by abusing a Heap-Overflow in its PVSCSI controller implementation. The vulnerable allocation landed in the LFH allocator of Windows 11, whose exploit mitigations posed a major challenge. In this article we detail how we overcame this through a complex interplay of techniques.
Oldies but Goodies
This document provides a detailed, anonymized walkthrough of the process used to analyze the "AeroParts" mobile application. It covers everything from initial decompilation to the discovery of hardcoded keys and a critical Local File Inclusion (LFI) vulnerability.