SNMP = Security Not My Problem
Starred Articles
MAD Bugs: Even "cat readme.txt" is not safe
04/16/2026 We demonstrate how a trust failure in the handling of SSH by iTerm2 can turn "cat readme.txt" into arbitrary code execution.
Fun with IP_TRANSPARENT
04/19/2026 We use Linux's IP_TRANSPARENT and TPROXY features in a network namespace to bind a single socket to every one of the 65,535 TCP/UDP ports on a public IP, and then leverage a local LLM to turn the same transparent listener into a self-learning honeypot that automatically generates protocol-specific plugins and responses.
Code execution in Kitty and xfce4-terminal by simply drag-and-dropping a specially crafted file at the cursor position.
Malware Analysis Crash Course
04/08/2026 This is a crash course on reading, interpreting, and manipulating assembly code, which remains the cornerstone of a reverse engineer's skill set. By the end of this training, you will have developed the practical skills necessary to begin analyzing typical Windows malware samples.
In this article, we're exploring how to abuse installed browser extensions to extend our access on a compromised machine.
New Articles
We're moving past theory and discussing practice. That means describing two real-world credential systems that are actually used in our world. The first is Privacy Pass, which is widely used by Cloudflare, Apple and other companies. Then we'll discuss a new proposal for anonymous age verification that Google is in the process of standardizing.
Reviewing existing Conditional Access policies is one of the most important tasks in an Entra ID security assessment. This article highlights common issues that we regularly observe in practice, including coverage gaps and design weaknesses that reduce the intended security benefits.
Anatomy of Authentication Tests
04/17/2026 Authentication, as OWASP states, is the process of verifying that an individual, entity, or website is who it claims to be. In this article, we'll walk through some of the main authentication vulnerability tests. For each one, we provide a methodology breakdown of how to test it, how to exploit it properly, and how to remediate it.
Anthropic's MCP provides a direct configuration-to-command execution path. When combined with user input, this logic opens a wide range of attack surfaces, since it can allow direct arbitrary command execution with no input sanitization.
We discovered two separate RCE vulnerabilities in Spinnaker (CVE-2026-32604 and CVE-2026-32613) that let low-privilege authenticated users execute code on Clouddriver and Echo, enabling credential theft and pivots into production cloud environments.
We explore the RedSun exploit, a new tool that escalates privileges on Windows systems, leveraging Microsoft Defender's features to execute malicious code.
Astral Projection: Advanced Module Stomping
04/16/2026 In this blog I am going to show you one way of doing module stomping that is pretty ideal to avoid most of the IOCs that you'd have with the normal module stomping.
A technical DFIR case study detailing Guloader execution, persistence, in-memory payload delivery and artefacts observed during a ransomware investigation.
This article explores a ClickFix-style social engineering technique where users unknowingly execute malicious commands, bypassing traditional security controls.
A client-side path traversal in the front-end's URL builder turned into arbitrary PUT/DELETE on the API, then chained with an inherited-property lookup bug to bypass 2FA.
Storm is a newly discovered infostealer-as-a-service that packages browser encrypted credential stores and ships them directly to attacker-controlled infrastructure, where decryption happens server-side, evading the entire class of endpoint detection designed to catch infostealers performing local database access.
We explore how to make it work for us - through automation, instrumentation, and scripting. In this first part we will focus on WinDBG(X) -c startup flag, events & exceptions, event-driven instrumentation, built-in scripting, and PyKD.
We investigate how the use of hidden virtual machines (VMs) enables long-term access, credential harvesting, data exfiltration, and PayoutsKing ransomware deployment.
Static analyzers drown you in false positives. LLM-first tools burn 300k tokens and hallucinate. We split the problem - a deterministic pattern scanner pre-filters, a small local LLM verifies each candidate in isolation. Architecture, NASA/IDF numbers, and honest limits.
What started as ClickFix has spawned a growing family of variants, each finding a new way to trick users into executing attacker-supplied commands. FileFix, DragFix, InstallFix, ToastFix. This post walks through the full family tree: what each technique does, how it differs from the others, and where we expect this category to go next.
Multiple XSS Vulnerabilities Found in Mailcow, Including Unauthenticated Account Takeover
04/16/2026 We found three XSS vulnerabilities in Mailcow, one of which let unauthenticated attackers take over administrator accounts.
Hooking Windows Named Pipes
04/20/2026 Windows Named Pipes, as an IPC (inter-process communication) mechanism, allow communication between privileged and unprivileged processes. We detail how they can be abused by a low-privileged process to attack an elevated process.
We dive into a new scanning campaign focused on the WordPress CVE-2018-14028 vulnerability. Departing from the traditional webshell deployment attacks we would normally expect to see with this vulnerability, the malicious actor is attempting to utilize existing, and potentially long-forgotten, webshells.
The pipe_buffer kernel object is popular among Linux kernel security researchers because it allows building strong exploit primitives. Experimenting with my personal project kernel-hack-drill revealed some interesting properties of pipe_buffer, which I shared in this article.
CVE-2026-34621 is a prototype pollution vulnerability in Adobe Acrobat that makes every object in the JavaScript engine report that it's trusted, leading to arbitrary code execution on Windows and macOS.
Same packet, different magic: Mustang Panda hits India's banking sector and Korea geopolitics
04/20/2026 Technical analysis of a new variant of the LOTUSLITE backdoor, delivered via DLL sideloading using a legitimate Microsoft-signed executable.
An arbitrary code execution vulnerability affecting Ghidra, radare2, IDA Pro, and Binary Ninja Sidekick is exposed.
The Phishy GitHub Issue Case
04/19/2026 A detailed guide to emulating advanced phishing attacks on GitHub for Red Team operations, leveraging fake issues and notifications to exploit a TOCTOU race condition, tricking developers into authorizing malicious OAuth apps for initial access while bypassing MFA and using only trusted infrastructure.
Pack2TheRoot (CVE-2026-41651) is a local privilege escalation (LPE) vulnerability that affects multiple Linux distributions in default installations. It lies in the PackageKit daemon, a cross-distro package management abstraction layer, and enables an unprivileged attacker to install or remove system packages without authorization.
CVE-2023-33538 allows for command injection in TP-Link routers. We detail exploitation attempts with payloads characteristic of Mirai botnet malware.
We found a stored XSS in Roundcube's draft attachment endpoint that, chained with a cookie tossing technique, gives an attacker full access to a victim's inbox.
In this blog, we provide concrete examples of how threat actors are weaponizing legitimate automation platforms to facilitate sophisticated phishing campaigns, ranging from delivering malware to fingerprinting devices. By leveraging trusted infrastructure, these attackers bypass traditional security filters, turning productivity tools into delivery vehicles for persistent remote access.
A double free vulnerability has been found in the Windows Internet Key Exchange (IKEv2) service. The vulnerability is due to an error when processing fragments. An unauthenticated, remote attacker could exploit this vulnerability by sending crafted packets to the target server. Successful exploitation could result in a crash of the IKEEXT service, or potentially arbitrary code execution.
Cross-tenant helpdesk impersonation to data exfiltration: A human-operated intrusion playbook
04/17/2026 Threat actors are abusing external Microsoft Teams collaboration to impersonate IT helpdesk staff and convince users to grant remote access. Once inside, attackers can abuse legitimate tools and standard admin protocols to move laterally and exfiltrate data while appearing as routine IT support.
We explore the stealthy five-stage malware chain involving Direct-Sys Loader and CGrabber Stealer, revealing their sophisticated evasion tactics and data exfiltration methods.
Still Recent
JWT - Part 19: RFC 8725
04/02/2026 RFC 8725 - fifteen JWT security rules from the standard's authors. For each - which attack from the series it prevents, which CVEs exist, and why 65% of applications don't check aud. Plus three new rules from the 2026 bis update.
JWT, Part 8: Psychic Signatures
04/02/2026 A signature of all zeros passes ECDSA verification on Java 15-18. For any message, with any key. Five lines of Python - and you're admin.
Mailbox rules are a high-risk post-exploitation tactic. In this article, we detail how attackers abuse native mailbox rules for exfiltration, persistence, and communication manipulation.
JWT - Part 6: jku/x5u/jwk/x5c
04/02/2026 The JWT header can contain a URL, and the server will go to that URL to download the key for signature verification. This isn't a bug - it's RFC 7515.
JWT - Part 4: Algorithm Confusion
04/02/2026 Take the server's public key from open access, sign a token with it - and the server accepts it. The signature exists, the signature is correct, but the token is forged.
JWT - Part 5: kid injection
04/02/2026 The RFC doesn't define the structure of kid. Developers use it as a file path, SQL parameter, or command argument. Each option is a separate class of vulnerability.
The series finale. Shor's algorithm breaks every asymmetric JWT algorithm. ML-DSA signatures at 2.4 KB don't fit in a cookie. SD-JWT for selective disclosure. Harvest Now, Decrypt Later - why migrating JWE to post-quantum cryptography is needed now.
In this first part we introduce the notion of anonymous credentials as a technique that allows users to authenticate to a website without sacrificing their privacy.
How Anthropic's refusal test string can be abused to stop streaming responses and create sticky failures.
JWT - Part 2: JWT Anatomy
04/02/2026 Taking a real token and dissecting it like a pathologist: header, payload, signature, Base64url, claims, edge cases.
JWT - Part 11: JWT Libraries
04/02/2026 Which library is running on the backend determines which attacks will actually land: a ranked breakdown of the most vulnerable JWT libraries, a tier classification from recommended to dangerous, and passive fingerprinting techniques that identify the stack from the token header alone.
JWT - Part 9: JWT Cryptography for Hackers
04/02/2026 The math behind HMAC, RSA, and ECDSA from an attacker's perspective: why Sony lost the PlayStation 3 to a single repeated number, and how leaking just a few nonce bits is enough to recover a private key.
JWT - Part 18: What Instead of JWT
04/02/2026 JWT isn't perfect - 70+ CVEs over ten years. We break down the alternatives: PASETO without the alg field, Macaroons with unique attenuation, opaque tokens with instant revocation, Google/Netflix server-side sessions. For each - what to break on a pentest.
JWT - Part 12: JWT in OAuth 2.0 and OIDC
04/02/2026 At the seams between OAuth and OIDC components, attacks emerge that don't exist in isolation: token confusion, cross-service relay, ALBeast in AWS, and DPoP bypass - with real CVEs and step-by-step pentest checks.
70+ CVEs over ten years. A bug from 2015 still fires in 2026. Let's figure out why JWT stubbornly remains broken.
JWT contains everything for an offline attack: message and signature. Hashcat on GPU runs through 150 million HS256 per second. The secret 'secret' is cracked in 2 seconds.
Patch diff to SYSTEM
03/05/2026 Leveraging LLMs and patch diffing, this article details a Use-After-Free vulnerability in Windows DWM, demonstrating a reliable exploit that achieves escalation from low-privileged user permissions to SYSTEM.
The built-in Azure File Sync Administrator role includes permissions that go beyond the usual Microsoft.StorageSync actions and can be used to pull sensitive files from the machine and potentially lead to full local administrator compromise.
JWT - Part 14: Advanced Crypto Attacks
04/02/2026 Leak three bits of the nonce from each ECDSA signature - and after 100 signatures you have the full private key. Minerva, TPM-FAIL, EUCLEAK: real attacks on real devices, and what's actually applicable on a web pentest right now.
CVE-2026-20079
03/25/2026 A technical analysis of CVE-2026-20079, an authentication bypass and remote code execution vulnerability in Cisco Secure Firewall Management Center.
JWT - Part 10: JWE
04/02/2026 JWE is the encrypted side of JWT that almost nobody talks about: five parts, two encryption layers, and a full zoo of attacks - Invalid Curve on ECDH-ES, Bleichenbacher on RSA1_5, Padding Oracle on AES-CBC, PBES2 DoS with one request, and the forbidden attack on AES-GCM.
JWT - Part 17: Hardcoded Secrets
04/02/2026 CVE-2025-20188 (CVSS 10.0): eight characters 'notfound' in a Cisco IOS XE Lua script = root RCE on enterprise equipment. 17% of JWT CVEs in 2024-2026 are hardcoded secrets. Where to look: git history, Docker layers, JS bundles, source maps, firmware.
Found a Reflected XSS? If the app stores JWTs in localStorage, that's not just alert(1) - it's a full takeover of every account. We cover theft from every storage type, CSP bypass via WebRTC and CSS injection, and the only defenses that actually work.
JWT - Part 3: alg:none
04/02/2026 The RFC requires every JWT library to support the none algorithm. Change one field in the header - and the server skips signature verification.
Oldies but Goodies
LDAP Channel Binding and LDAP Signing
01/28/2026 A step-by-step audit-first approach to enable LDAP signing in Windows Server 2025 to protect Active Directory from man-in-the-middle and replay attacks.
Unearthed Arcana
One of the first practical guides to stack overflows on PC-based systems, easily teaching how to use overflow exploits on various Unix systems.
A journey in improving the Module Stomping and Module Overloading injection techniques, ending up evading Moneta and PE-Sieve.
Certified Pre-Owned
06/16/2021 We uncover the overlooked vulnerabilities in Active Directory Certificate Services, allowing attackers to obtain forged certificates, impersonate any user or machine, and conduct domain-wide escalation and persistence.