I hope the field of computer science never loses its sense of fun.
Starred Articles
We detail a proof-of-concept system that automates the entire fuzzing workflow - from code analysis and test-harness generation to crash classification and report writing - using machine learning models to rank risky functions and an LLM acting as both an operator (generating harnesses, triaging crashes) and a supervisor that detects anomalies and self-heals the pipeline within tightly defined boundaries.
Squidbleed (CVE-2026-47729)
06/17/2026We detail Squidbleed, a heartbleed-style vulnerability that leaks internal memory from every version of Squid Proxy, in its default configuration.
In this article we explain how most of the exploitation chains that are published can be mitigated by tried-and-true Linux security hardening, giving wary defenders time to patch while N-day attackers try their shiny new ./exploit.sh.
The QNAP Pattern
05/16/2026QNAP's NAS platform repeatedly produces the same class of flaws - pre‑auth command and SQL injections, world‑writable bind‑mounts, and container‑escape paths - because each plugin must implement its own authentication, database access and inter‑process communication instead of using a single, secure framework, leaving unsafe defaults as the norm and making privilege escalation trivial.
In this article, we'll cover what web cache poisoning vulnerabilities are, how they arise, a few effective ways to enumerate such vulnerabilities, and eventually move on to the practical exploitation part.
New Articles
In Part 2 of this two-part blog series, we'll focus on the security implications of the Clicking Once technology and examine how threat actors can weaponize ClickOnce features. We reveal what we believe to be a new abuse that security teams need to be aware of.
We found a vulnerability in Firefox summarization feature of its integrated AI chatbot. On a malicious page, attackers could perform prompt injection attacks via the page title.
In this article, we show how Samsung's FIVE integrity subsystem exposed an app-reachable kernel use-after-free with multiple exploit-relevant primitives.
CVE-2026-25860
06/21/2026This article provides technical details about CVE-2026-25860, a vulnerability in OpenClinic GA. We will be covering a reflected XSS flaw in DICOM image uploads and its real-world security impact.
Kerberos - Part 3: User Impersonation
06/16/2026In this third part, we will explore the techniques for leveraging collected credentials for lateral movement, privilege escalation, and persistence methods within the Active Directory environment.
A vulnerability in Cisco Unified Communications Manager (CUCM) allows unauthenticated attackers to arbitrarily write files in the server which in turn can be used to run arbitrary commands/code on the server.
Dataverse security usually centers on access controls, roles, and environment governance, but this research examines what a custom .NET plugin could expose from inside a Microsoft Dataverse sandbox container.
In this blog, we will discuss the concept of Global Azure Resource Manager (ARM) API endpoints and how they can be abused in certain Azure attack scenarios. We will explore Global ARM API abuse in Azure, guest tenant attack paths, Managed Identity abuse, GitHub token exposure, App Service compromise, and Azure Key Vault secret extraction techniques.
Kerberos - Part 2: Credential Access
06/15/2026In this second part, we will see how it is possible to enumerate domain user accounts and validate credentials through the error messages returned by the KDC to the client. In addition, user hashes can be obtained through encrypted parts included in AS-REQ/AS-REP and TGS-REQ/TGS-REP messages, and in case a user uses PKINIT as a pre-authentication method, it is possible to extract his NT/LM hashes using the UnPAC the hash technique.
Kerberos - Part 4: Delegations
06/16/2026In this fourth post, and last of the series, we will explore Kerberos delegations. While we primarily focus on the functionality of Kerberos delegations and abuse cases, we have also included brief notes and best practices for detecting potential abuses and misconfigurations, which will in turn help to enhance security postures against these risks.
Behind an "Export PDF" button there's almost always an open-source lib assembling HTML with user data, throwing it at a parser and returning the file. This article covers nine real 0-days found in these libs, from RCE to arbitrary file read. After the cases, I condense everything into a short methodology you can apply to any target.
Kerberos - Part 1: Overview
06/15/2026In this first part of the series, we review the key principles of Kerberos: concepts, encryption, authentication flow, and how to decrypt Kerberos traffic using wireshark.
We uncover OXLOADER: a new Windows loader evading detection by using .reloc section abuse and anti-VM checks to drop infostealer malware via Google Ads.
In this article, we explains how Windows DCOM lets applications run code on remote machines and how attackers exploit this to move laterally - by authenticating via stolen credentials, contacting the RPC endpoint on TCP 135, invoking trusted COM objects that launch payloads such as PowerShell - and provides a practical detection recipe along with simple mitigations.
Exploiting CVE-2024-1065 via the Page Cache
06/11/2026This post discusses a page cache exploitation strategy applicable to physical page use-after-free (UAF) vulnerabilities that land in the MIGRATE_MOVABLE pool. To demonstrate the technique, this post exploits CVE-2024-1065, a physical page UAF in the ARM Mali GPU kernel driver.
In this post, we examine a heap memory exposure issue in Microsoft Edge, explain how it can be abused in realistic attack chains, and outline practical detection and mitigation strategies for defenders who refuse to treat the browser as a harmless user interface shell.
TURN! - What could possibly go wrong?
06/17/2026In this blog post, we describe common pitfalls and attack vectors in TURN services. For practical testing and exploitation, we also introduce a new easy-to-use open-source tool called TURNado.
Two hardcoded symmetric keys protect the CargoWise application, one of the most widely deployed logistics software platforms in the world. In this article, we show the impacts of such erroneous design: authentication bypass, persistence, enumeration, etc.
Azure AD Graph Activity Logs land in Elastic with full ECS parsing. This post walks the loop end-to-end. Why visibility matters, how to ingest the logs into Elastic, how to generate realistic recon manually and with ROADrecon, and how to hunt the result in ESQL.
Client‑side bot‑detection code is always visible to attackers. Therefore it should be built as a constantly‑changing, branch‑less system that never ships its secrets and requires live server verification, making reverse‑engineering costly and ineffective. This strategy keeps defenses economical, invisible to offline attacks, and functional without user friction.
Fuzzing GPSD, Part 3: The Bugs
06/16/2026In this third part pf the series, we review the bugs from public GPSD work item #397, including Skytraq, NMEA, AIS, u-blox, AllyStar, passthrough, and client parser issues.
AutoJack is a novel exploit chain showing how a single malicious webpage can turn an AI browsing agent into a remote code execution vector on the host machine. By abusing trust in localhost, missing authentication, and unsafe parameter handling, attackers can trigger arbitrary process execution through AutoGen Studio's MCP WebSocket.
ldapnomnom claims it leaves no Windows audit logs. This post shows why Event 1644 misses LDAP Ping and where defenders can still catch it.
Bitwarden C2
06/22/2026I found a vulnerability allowing to create a full command-and-control channel through icons.bitwarden.net - commands in via PNG metadator polygots, results out via DNS - all traffic to a trusted domain on Azure.
Building Mythic Agents with LLMs
06/23/2026In this post I will walk through each major milestone that has been taken in my quest to explore this objective by building LLM-generated Mythic agents from prompt to deployment. Starting at the beginning, I’ll show what worked, what didn’t, and where this space is likely going next.
In this first part, we review what Microsoft Global Secure Access actually is - SASE/SSE, the three traffic profiles, the Windows client architecture, and the compliant-network check.
In this blog post, we will explore a complete exploit chain targeting Discuz! of one of the most popular Internet forum platforms in the world. We will see how what started as a curious look into its session management and input validation eventually evolved into a pre-authentication Remote Code Execution (RCE) attack.
In this first first part of the series we will review how the ClickOnce deployment technology works, as well as its security implications.
Exploiting Auth0 Defaults in XSS Attacks
06/21/2026We identified two noteworthy default configurations within Auth0 that may be exploited to pivot across applications within an Auth0 tenant from a single XSS vulnerability. This article demonstrates how the insecure implicit grant flow can be chained with other Auth0 misconfigurations to laterally move to other systems.
There is a documented enforcement gap in Conditional Access policies that apply to "all resources" but have an exclusion for at least one resource. What is not documented, is that this gap is much larger than what one would expect, and that the documented mitigation doesn't actually work.
Adversary-in-the-Middle (AiTM) attacks silently bypass traditional MFA in Microsoft Entra ID. In this article, we will break down how AiTM attacks work in the context of Microsoft Entra ID, and walk through the defensive layers that can meaningfully reduce your attack surface – from Phishing-resistant MFA and Conditional Access policies to Continuous Access Evaluation (CAE).
In this article, we detail an RCE vulnerability in Meccha Chameleon. It can achieved on any player system in a game lobby through a malicious Steam Workshop map.
We deep-dive into a critical input‑validation flaw in NVIDIA's Windows kernel display driver (nvlddmkm.sys) – CVE‑2026‑24190 – that lets low‑privilege users manipulate driver‑owned structures to achieve kernel‑mode code execution (and related bugs that cause DoS) on AI clusters, workstations, and virtualized environments.
This article provides a Windows Shimcache and Amcache forensics guide explaining whether these artefacts prove program execution, what they can show, and how to corroborate execution.
Still Recent
Fuzzing GPSD, Part 2: Lessons Learned
06/08/2026In this second part, we will see what changed after running gpsd_fuzzer for real, from target selection to mutation scheduling and crash triage.
We analyze CVE-2026-41096, a heap overflow in the Windows DNS client, triggered by a single UDP response. We walk through the binary diff, the root cause from Ghidra decompilation, and a working crash PoC.
One unauthenticated HTTP POST request to a fresh Hoppscotch instance let you collect the JWT signing key, leading to a JWT secret injection that grants full server compromise. A deep dive into CVE-2026-50160, four chained weaknesses, and what it means for your NestJS stack.
We review Exposed RDP, one of the most overlooked vulnerable exposures. Security teams are stretched thin, alerts are buried in noise, and known misconfigurations quietly slip through the cracks before anyone gets to them.
We analyze a Magecart family that runs its skimmer straight out of Stripe. The attacker stores the card stealer in a Stripe customer's metadata and runs it on checkout pages, then writes stolen cards back into the same account as fake customers. Stripe is both the command server and the exfiltration sink, all behind a domain almost no store would block.
Fuzzing GPSD, Part 1: The Lexer Harness
06/08/2026In this first part of the series, we will be building gpsd_fuzzer, a LibAFL structure-aware fuzzer for GPSD packet_parse and gps_lexer_t.
RCE in Google Cloud Production
05/21/2026A chance Discord message, two missing pieces, and one hour before the window closed: From info leak to RCE on Google Cloud. What started as a debugging endpoint info leak escalated into full remote code execution on Google Cloud's production environment.
We detail DirtyCBC, a Linux kernel page-cache poisoning vulnerability via AES-256 chosen-plaintext on the RxGK RESPONSE path and explain why authenticated encryption did not stop it.
In this report, we investigate a multi-stage malware execution chain that started with the execution of MicrosoftToolkit.exe. The attack included process discovery and termination attempts, followed by payload extraction and execution of an AutoIt loader.
Oldies but Goodies
Creative approaches to coding FUD Stagers
03/28/2026We review 2 variants to build porwershell-based fully undetected code (FUD) stagers, aiming at evading machine-learning and/or AI-powered detection engines in EDR.
Event 1644 shows localhost, hiding the attacker's real IP. By correlating Event 5156 with a 60-80ms timing window, you can attribute ADWS queries to their actual source - and the data was already in your SIEM.
Unearthed Arcana
Rusty Rootkit
08/02/2022We dive into Rusty Rootkit internals. Rust Rootkit is a proof‑of‑concept Windows kernel rootkit written in Rust that demonstrates core kernel‑mode techniques - DKOM‑based process/driver hiding, process protection tweaking, token‑privilege escalation, driver‑signature‑enforcement bypass, and kernel‑callback manipulation.