#hacktricks-feed

wild ibex
#

Which day would you prefer my Twitch stream to take place?
It will be at 5pm(UTC), 6pm(CET), 12pm(EST), 10.30pm(IST).
#hacktricks #cybersecurity #hacking #live

boreal karma
#

<@&937047799441268746> ^

wild ibex
#

Thx

wild ibex
#

First cloud hacking twitch session scheduled next Wednesday (7th) at 6.30pm(CET)!

I will be explaining hacking techniques in twitch Wednesdays at 5.30pm(UTC), 6.30pm(CET), 12.30(EST), 11pm(IST).
If you want to learn about hacking cloud, Kubernetes and web, and resolve interesting CTFs, feel free to follow!

Twitch: https://lnkd.in/d2bYdUNS
Youtube: https://lnkd.in/damJC2JX
Twitter: https://lnkd.in/dbZ9s8t4

misty forge
#

Any regedit kings around?

deep valeBOT
#

📓 New content has been added to the following pages 📓

verbal jolt
#

Hacking

deep valeBOT
#

🛠️ Tool | 💣 RCE | 🌐 Web | 💰 Bug Bounty

🔗 Original article: https://blog.bughunt.com.br/cobalt-strike/

Cobalt Strike is a legitimate red team tool now heavily abused for stealthy cyberattacks, enabling credential theft, lateral movement, and data exfiltration even in critical government networks.

BugHunt

Understand what Cobalt Strike is, how it affected Brazil-Paraguay relations, and how to protect your company against this growing cyber threat.

deep valeBOT
#

🌐 Web | 🛡️ Threat Group | 💣 Ransomware | 💉 Social Engineering

🔗 Original article: https://unit42.paloaltonetworks.com/muddled-libra/

Muddled Libra is a technical threat group using phishing, social engineering, RMM tools, and ransomware to breach enterprises, evade defenses, steal data, and extort victims. Their attacks are mapped to MITRE ATT&CK and involve advanced persistence and credential theft.

Unit 42

Muddled Libra continues to evolve. From social engineering to adaptation of new technologies, significant time is spent breaking down organizational defenses.

#

🤖 AI | 💉 Prompt Injection | 💣 RCE | 🛡️ OWASP

🔗 Original article: https://unit42.paloaltonetworks.com/agentic-ai-threats/

Hands-on guide to exploiting and defending agentic AI apps: prompt injection, RCE, SQLi, BOLA, and more, with attack payloads, code, and mitigations.

Unit 42

Programs leveraging AI agents are increasingly popular. Nine attack scenarios using open-source agent frameworks show how bad actors target these applications.

#

🌐 Web | 🛡️ CVE | 💣 RCE | 💰 Bug Bounty

🔗 Original article: https://www.yeswehack.com/learn-bug-bounty/practical-guide-path-traversal-attacks

A technical, actionable guide to exploiting and mitigating path traversal in web apps/APIs, covering payloads, bypasses, fuzzing, real-world CVEs, and escalation to RCE. Includes code, attack vectors, and defense strategies.

Know much about exploiting path traversal or arbitrary file read vulnerabilities? Learn some practical attacks for unearthing high impact, lucrative vulnerabilities.

#

🌐 Web | 💣 RCE | 🛠️ Tool | 💰 Bug Bounty

🔗 Original article: https://sensepost.com/blog/2025/browser-cache-smuggling-the-return-of-the-dropper/

Browser Cache Smuggling abuses browser cache and DLL hijacking to stealthily deliver and execute malware via trusted apps like Teams. Includes code, OPSEC tips, and mitigations.

#

🛠️ Tool | 🛡️ Windows | 💰 Bug Bounty | 🔨 Registry

🔗 Original article: https://www.synacktiv.com/publications/lsa-secrets-revisiting-secretsdump.html

Explains stealthy Windows secrets extraction using regsecrets.py and dpapidump.py, which avoid EDR detection by querying the registry directly and bypassing ACLs. Includes technical steps, code, and impact.

#

🛡️ CVE | 💣 RCE | 🌐 Web | 🔒 Phishing

🔗 Original article: https://research.checkpoint.com/2025/19th-may-threat-intelligence-report/

Critical RCE flaws in SAP NetWeaver (CVE-2025-31324/42999) and Fortinet (CVE-2025-32756) are exploited in the wild. Chrome (CVE-2025-4664) faces a high-severity data leak bug. Major phishing and ransomware campaigns are also detailed.

Check Point Research

For the latest discoveries in cyber research for the week of 19th May, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Fashion giant Dior confirmed a data breach that exposed customer information from its Fashion and Accessories line. The leaked data includes names, gender, phone numbers, email addresses, postal addres...

#

💣 RCE | 🛡️ CVE | 🌐 Web | 🛠️ Tool

🔗 Original article: https://www.thezdi.com/blog/2025/5/16/pwn2own-berlin-2025-day-two-results

Pwn2Own Berlin 2025 Day Two saw 20 unique 0-days exploited live, including RCEs and privilege escalations in SharePoint, VMware ESXi, Firefox, Redis, VirtualBox, and RHEL using advanced memory and logic flaws.

#

🌐 Web | 🤖 AI | 💰 Bug Bounty | 🔒 Access Control

🔗 Original article: https://www.pentestpartners.com/security-blog/exploiting-copilot-ai-for-sharepoint/

Attackers can exploit Microsoft Copilot for SharePoint to extract sensitive data, bypass permissions, and evade detection using AI agents. Custom agents increase risk by enabling data aggregation and knowledge base poisoning.

Pen Test Partners

TL;DR Introduction SharePoint is a Microsoft platform that enables collaborative working and information sharing. This is done with team sites. They work like regular intranet pages with graphics and text, but they also give you places to store and manage your files. Notably, when files and images are shared on Microsoft Teams, SharePoint automatic...

#

🛡️ DFIR | 🛠️ Tool | 🔒 Forensics | 💻 Windows

🔗 Original article: https://www.pentestpartners.com/security-blog/the-remote-desktop-puzzle-dfir-techniques-for-dealing-with-rdp-bitmap-cache/

Guide to extracting and reconstructing RDP Bitmap Cache for DFIR: use BMC-Tools and RDPCacheStitcher to recover user activity and credentials, even after log deletion.

Pen Test Partners

TL;DR Introduction A lot of people are aware of RDP and what its functions are. It’s known for providing remote access and making life easier for administrators and users. With that comes insight for forensic investigators, regarding the ‘bitmap cache’. This is often overlooked, but when analysed correctly can provide some great understand...

#

🛡️ CVE | 💣 RCE | 🌐 Web | 💻 Malware

🔗 Original article: https://research.checkpoint.com/2025/5th-may-threat-intelligence-report/

Multiple critical vulnerabilities and malware: SonicWall, Apple AirPlay, NVIDIA Riva, Magento supply chain, Outlaw botnet, and Gremlin Stealer. Includes CVEs, attack vectors, and exploitation details.

Check Point Research

For the latest discoveries in cyber research for the week of 5th May, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Three major UK retailers – Co-op, Harrods and Marks & Spencer (M&S) – were hit by cyberattacks that disrupted operations and compromised sensitive data. The attacks are believed linked to the Scatte...

#

🛡️ CVE | 💣 RCE | 🌐 Web | 🧪 AI

🔗 Original article: https://www.thezdi.com/blog/2025/5/15/pwn2own-berlin-2025-day-one-results

Pwn2Own Berlin 2025 Day One featured technical exploits for privilege escalation and sandbox escapes on Linux, Windows, VirtualBox, Docker, and AI, using UAF, integer overflow, OOB write, and type confusion bugs.

#

📱 Android | 🛡️ Data Leak | 🌐 Web | 💰 Bug Bounty

🔗 Original article: https://ndevtk.github.io/writeups/2025/06/06/android-leak/

A race condition in Android's lock screen lets attackers briefly view sensitive app content or install apps without unlocking, exposing private data.

#

🛡️ CVE | 💣 RCE | 🌐 Web | 💰 Bug Bounty

🔗 Original article: https://blog.rapid7.com/2025/06/04/rapid7-q1-2025-incident-response-findings/

Technical review of Q1 2025 attacks: MFA bypass, Fortinet (CVE-2024-55591), SimpleHelp RCEs, SEO poisoning, BunnyLoader, and ransomware. Includes attack chains, exploitation steps, and impact.

Rapid7

Rapid7's Q1 2025 incident response data reveals key IAV trends, top incidents, common malware, and threat patterns across industries based on real investigations.

#

🌐 Web | 🛡️ Kerberos | 💣 Relay Attack | 🛠️ Tool

🔗 Original article: https://www.synacktiv.com/publications/abusing-multicast-poisoning-for-pre-authenticated-kerberos-relay-over-http-with.html

Shows how to exploit Kerberos relay over HTTP using LLMNR poisoning with Responder and krbrelayx, including all technical steps, commands, and real-world impact.

#

🛠️ Tool | 🌐 Web | 💰 Bug Bounty | 🛡️ CVE

🔗 Original article: https://github.com/Geidalaodicha/burpGPTplus

burpGPTplus is a Burp Suite extension using GPT-3.5-turbo to automate web vulnerability analysis, focusing on OWASP Top 10 risks, with free API relay support.

GitHub

Contribute to Geidalaodicha/burpGPTplus development by creating an account on GitHub.

#

🛡️ Credential Access | 🛠️ Red Team | 💻 Windows | 💰 Bug Bounty

🔗 Original article: https://trustedsec.com/blog/red-team-gold-extracting-credentials-from-mdt-shares

Misconfigured MDT shares often expose plaintext credentials (domain join, admin, BitLocker, etc.) to any AD user. Attackers can extract these from INI/XML files, enabling privilege escalation and domain compromise.

#

🛡️ CVE | 💣 RCE | 🛠️ Tool | 🌐 Web

🔗 Original article: https://www.mdsec.co.uk/2024/12/extracting-account-connectivity-credentials-accs-from-symantec-management-agent-aka-altiris/

Step-by-step guide to extracting privileged credentials from Symantec Management Agent (Altiris) using EvilAltiris, enabling privilege escalation and lateral movement. Includes code, cryptographic details, and remediation advice.

Introduction On a recent Red Team for a particularly hardened client, we were looking to escalate our privileges in order to move off the endpoint and pivot into the server...

#

🌐 Web | 🛡️ CVE | 🛠️ Tool | 💰 Bug Bounty

🔗 Original article: https://posts.specterops.io/do-you-own-your-permissions-or-do-your-permissions-own-you-c829a91f5e45?source=rss----f05f8696e3cc---4

Explains how BlockOwnerImplicitRights in AD blocks privilege escalation via object ownership, details BloodHound's new logic for accurate attack path mapping, and covers CVE-2021-42291.

Medium

tl;dr: Less FPs for Owns/WriteOwner and new Owns/WriteOwnerLimitedRights edges

#

⛓️ Web3 | 🛡️ CVE | 🛠️ Tool | 💣 RCE

🔗 Original article: https://blog.trailofbits.com/2025/05/30/a-deep-dive-into-axioms-halo2-circuits/

Trail of Bits' audit of Axiom's Halo2 ZKP circuits found critical under-constrained bugs and logic errors that could break blockchain security. The post details technical pitfalls, exploitation, and remediation for ZKP circuit developers.

The Trail of Bits Blog

Over two audits in 2023, we reviewed a blockchain system developed by Axiom that allows computing over the entire history of Ethereum, all verified by zero-knowledge proofs (ZKPs) on-chain using ZK-verified elliptic curve and SNARK recursion operations. This system is built using the Halo2 framework—a complex, emerging technology that presents...

#

🛡️ CVE | 💣 RCE | 🔨 Exploit | 🌐 Web

🔗 Original article: https://research.checkpoint.com/2025/21st-april-threat-intelligence-report/

Covers NTLM hash disclosure (CVE-2025-24054), iOS RCE flaws, Oracle's critical patch, Waiting Thread Hijacking injection, and BYOVD ransomware with technical exploitation details and impact.

Check Point Research

For the latest discoveries in cyber research for the week of 21st April, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Retail giant Ahold Delhaize has suffered a cyber-attack resulting in data theft of customer information from its US business systems. The attack, claimed by ransomware group INC Ransom, impacted Ahol...

#

🛡️ CVE | 🌐 Web | 💣 RCE | 🛠️ Tool

🔗 Original article: https://posts.specterops.io/the-renaissance-of-ntlm-relay-attacks-everything-you-need-to-know-abfc3677c34e?source=rss----f05f8696e3cc---4

NTLM relay attacks remain a major threat in Active Directory. This post details technical exploitation, attack paths (SMB, LDAP, ADCS), and new BloodHound features for visualizing and mitigating these risks.

Medium

NTLM relay attacks have been around for a long time. While many security practitioners think NTLM relay is a solved problem, or at least a…

#

🛡️ CVE | 💣 RCE | 🌐 Web | 💰 Bug Bounty

🔗 Original article: https://www.thezdi.com/blog/2025/4/8/the-april-2025-security-update-review

Covers April 2025 Microsoft and Adobe patches: critical RCEs, EoPs, and SFBs, including actively exploited Windows EoP (CVE-2025-29824) and wormable LDAP/RDS RCEs. No exploitation reported for Adobe bugs.

#

📱 Mobile | 🛠️ Tool | 💉 SSL Pinning | 🔎 Reverse

🔗 Original article: https://sensepost.com/blog/2025/intercepting-https-communication-in-flutter-going-full-hardcore-mode-with-frida/

Step-by-step guide to bypassing SSL pinning in Flutter apps using reFlutter (static patching) and Frida (dynamic hooking), enabling HTTPS interception for security testing.

#

💣 RCE | 🛡️ CVE | 🌐 Web | 🛠️ Tool

🔗 Original article: https://www.offsec.com/blog/cve-2025-0655/

Critical RCE in D-Tale (CVE-2025-0655): Unauthenticated attackers can enable custom filters and execute arbitrary Python code via API, leading to full server compromise. Patch in v3.16.1.

OffSec

A critical remote code execution (RCE) vulnerability in the D-Tale data visualization tool was identified which allowed attackers to execute arbitrary system exams, abusing an exposed API endpoint.

#

🛡️ CVE | 💉 NTLM Relay | 🌐 Web | 🛠️ Tool

🔗 Original article: https://www.synacktiv.com/publications/taking-the-relaying-capabilities-of-multicast-poisoning-to-the-next-level-tricking.html

A new technique forces Windows SMB clients to fall back to WebDav, enabling HTTP-based NTLM/Kerberos relaying via multicast poisoning. This increases the impact of attacks in AD environments.

#

🌐 Web | 🛡️ CVE | 💣 RCE | 🛠️ Tool

🔗 Original article: https://www.offsec.com/blog/cve-2025-24893/

Critical unauthenticated RCE in XWiki (CVE-2025-24893) via SolrSearch macro lets attackers run arbitrary Groovy code remotely. Exploitable with a simple GET request; PoC available. Patch immediately.

OffSec

An RCE vulnerability in XWiki was found allowing unauthenticated attackers to execute arbitrary Groovy code remotely without authentication or prior access.

#

🛠️ Tool | 🌐 Web | 🤖 AI/ML | 💰 Bug Bounty

🔗 Original article: https://sensepost.com/blog/2025/capchan-solving-captcha-with-image-classification/

A technical guide to automating CAPTCHA solving using image classification and machine learning, featuring the open-source tool capchan. Includes code, attack steps, and practical use for security testing.

#

🛠️ Tool | 🌐 Web | 🤖 AI | 💉 XSS

🔗 Original article: https://portswigger.net/research/shadow-repeater-ai-enhanced-manual-testing

Shadow Repeater is a Burp Suite extension that uses AI to generate and test payload variations, automating the discovery of XSS, path traversal, and novel web vulnerabilities.

PortSwigger Research

Have you ever wondered how many vulnerabilities you've missed by a hair's breadth, due to a single flawed choice? We've just released Shadow Repeater, which enhances your manual testing with AI-powere

#

⛓️ Web3 | 🛡️ CVE | 💰 Bug Bounty | 🛠️ Tool

🔗 Original article: https://medium.com/immunefi/top-3-bugs-from-the-thundernft-invite-only-program-373da9824cc9?source=rss----6cdc579be8a0---4

Three major ThunderNFT bugs: NFT theft via order update, ERC1155 under-delivery due to hardcoded logic, and sellers blocked from accepting bids. All issues are now fixed.

Medium

From 12th August to 2nd September 2024, the ThunderNFT protocol hosted an Invite-Only Program (IOP) on the Immunefi platform for…

#

🌐 Web | 🛡️ CVE | 💣 Auth Bypass | 💰 Bug Bounty

🔗 Original article: https://bishopfox.com/blog/sonicwall-cve-2024-53704-ssl-vpn-session-hijacking

CVE-2024-53704 lets attackers hijack SonicWall SSL VPN sessions by sending a base64-encoded null cookie. Exploit is simple and critical; patch immediately.

Bishop Fox

Security researchers have exploited CVE-2024-53704, an authentication bypass affecting the SSL VPN component of unpatched SonicWall firewalls. Watch demo!

#

🛡️ CVE | 💣 RCE | 🛠️ Tool | 🌐 Web

🔗 Original article: https://github.com/kn0x0x/CVE-2025-32756-POC

Critical unauthenticated RCE in Fortinet (CVE-2025-32756) via stack buffer overflow in /remote/hostcheck_validate. Python PoC available. Patch immediately.

GitHub

Proof of Concept for CVE-2025-32756 - A critical stack-based buffer overflow vulnerability affecting multiple Fortinet products. - kn0x0x/CVE-2025-32756-POC

#

🛠️ Tool | 💣 RCE | 🌐 Web | 💰 Bug Bounty

🔗 Original article: https://www.mdsec.co.uk/2023/08/leveraging-vscode-extensions-for-initial-access/

Step-by-step guide to exploiting VSCode extensions for phishing and RCE via the vscode:// URI handler and marketplace spoofing, with full code and mitigation steps.

Introduction On a recent red team engagement, MDSec were tasked with crafting a phishing campaign for initial access. The catch was that the in-scope phishing targets were developers with technical...

#

🛡️ CVE | 💣 RCE | 💰 Bug Bounty | 💻 Windows

🔗 Original article: https://www.mdsec.co.uk/2024/01/cve-2024-20656-local-privilege-escalation-in-vsstandardcollectorservice150-service/

CVE-2024-20656: Local privilege escalation in Visual Studio's VSStandardCollectorService150 via DACL reset and junction abuse, enabling SYSTEM access. Exploit uses VSDiagnostics.exe, NTFS junctions, and MSI repair. Patched Jan 2024.

Overview Visual Studio is a complex and powerful IDE developed by Microsoft and comes with a lot of features that can be interesting from a red team perspective. During this...

#

🌐 Web | 🛡️ CVE | 💣 DoS | 🛠️ Tool

🔗 Original article: https://bishopfox.com/blog/sonicwall-sonicos-versions-7-1-x-and-8-0-x

Remote unauthenticated DoS (CVE-2025-32818) in SonicWall SonicOS SSL VPN lets attackers crash and reboot devices via crafted HTTP POST requests. Update to 7.2.0/8.0.1 or disable SSL VPN.

Bishop Fox

Blog describes how Bishop Fox staff identified a vulnerability in SonicWall SonicOS 7.1.x and 8.0.x in the SSL VPN service and solutions for customers.

#

🌐 Web | 🛡️ CVE | 🔑 SAML | 💣 RCE

🔗 Original article: https://portswigger.net/research/saml-roulette-the-hacker-always-wins

Chained round-trip and namespace confusion attacks in ruby-saml let attackers bypass SAML authentication and gain admin access on GitLab by exploiting XML parser inconsistencies.

PortSwigger Research

Introduction In this post, we’ll show precisely how to chain round-trip attacks and namespace confusion to achieve unauthenticated admin access on GitLab Enterprise by exploiting the ruby-saml library

#

🌐 Web | 🛡️ CVE | 🛠️ Tool | 💰 Bug Bounty

🔗 Original article: https://posts.specterops.io/an-operators-guide-to-device-joined-hosts-and-the-prt-cookie-bcd0db2812c4?source=rss----f05f8696e3cc---4

Step-by-step guide to extracting and abusing PRT cookies from device-joined Windows hosts for SSO/MFA bypass and post-exploitation in Azure/Entra ID environments, with detailed enumeration, extraction, and detection techniques.

#

🌐 Web | 🛡️ APT | 💉 Phishing | 🛡️ Threat Intel

🔗 Original article: https://unit42.paloaltonetworks.com/iranian-attackers-impersonate-model-agency/

Iranian APT cloned a model agency site, using obfuscated JavaScript for advanced visitor fingerprinting and social engineering. Data is exfiltrated via POST, enabling targeted attacks. No CVEs, but detailed technical analysis and IOCs are provided.

Unit 42

A suspected Iranian espionage campaign impersonated a model agency site for data collection, including fictitious models as possible social engineering lures.

#

🌐 Web | 🛡️ LLM | 💉 Prompt Injection | 🛠️ Tool

🔗 Original article: https://unit42.paloaltonetworks.com/comparing-llm-guardrails-across-genai-platforms/

Compares LLM guardrails across platforms, showing how prompt injection and role-play can bypass filters. Strict settings cause false positives, especially for code prompts. Output filters rarely block harmful content. Security pros must test and tune guardrails for real-world attacks.

Unit 42

We compare the effectiveness of content filtering guardrails across major GenAI platforms and identify common failure cases across different systems.

#

🌐 Web | 💉 Prompt Injection | 🛡️ Protocol | 💣 Exploit

🔗 Original article: https://blog.trailofbits.com/2025/04/21/jumping-the-line-how-mcp-servers-can-attack-you-before-you-ever-use-them/

Explains how MCP servers can exploit prompt injection in tool descriptions to bypass security controls and manipulate AI models before any tool is used, leading to severe risks like code exfiltration and privilege escalation.

The Trail of Bits Blog

This post is about a vulnerability in the Model Context Protocol (MCP) called “Line Jumping,” where malicious servers can inject prompts through tool descriptions to manipulate AI model behavior without being explicitly invoked, effectively bypassing security measures designed to protect users.

#

🛡️ CVE | 💣 RCE | 🌐 Web | 🛠️ Tool

🔗 Original article: https://www.mdsec.co.uk/2023/06/cve-2023-26258-remote-code-execution-in-arcserve-udp-backup/

CVE-2023-26258 in ArcServe UDP allows attackers to bypass authentication, extract and decrypt admin credentials, and gain RCE using crafted requests and provided tools.

Overview During a recent adversary simulation, the MDSec ActiveBreach red team were performing a ransomware scenario, with a key objective set on compromising the organisation’s backup infrastructure. As part of...

#

💣 RCE | 🌐 Web | 🛡️ CVE | 🛠️ Tool

🔗 Original article: https://www.synacktiv.com/publications/etude-de-cas-comment-hunters-international-et-ses-affilies-ciblent-vos-hyperviseurs.html

Step-by-step technical analysis of a Hunters International ransomware attack on VMware ESXi: from malvertising and credential theft to lateral movement, data exfiltration, and deployment of a custom, obfuscated Rust ransomware.

#

🛡️ CVE | 🌐 Web | 🛠️ Tool | 💰 Bug Bounty

🔗 Original article: https://posts.specterops.io/decrypting-the-forest-from-the-trees-661694ed1616?source=rss----f05f8696e3cc---4

Step-by-step guide to extracting and decrypting SCCM forest discovery credentials, including code, API endpoints, and tool usage. High risk for lateral movement; essential for red teamers and defenders.

Medium

TL;DR: SCCM forest discovery accounts can be decrypted including accounts used for managing untrusted forests. If the site server is a…

#

📱 Android | 🕵️ Spyware | 🦠 Malware | 🔬 Analysis

🔗 Original article: https://labs.k7computing.com/index.php/android-spyware-alert-fake-government-app-targeting-android-users-in-india/

Detailed technical analysis of a fake Android government app dropper/stealer using anti-analysis, multi-stage payloads, and advanced data theft and persistence techniques.

K7 Labs

Recently, we came across a detection in our telemetry report named “PM KISAN YOJNA”, masquerading as the official government application […]

#

🛡️ CVE | 📡 IoT | 💣 RCE | 🌐 Web

🔗 Original article: https://www.pentestpartners.com/security-blog/fire-detection-system-been-pwned-youre-not-going-to-sea/

Critical unpatched SSH and VNC credential flaws in Consilium CS5000 fire panels (CVE-2025-46352, CVE-2025-41438) allow remote takeover and disabling of fire detection. Only network and physical controls can mitigate risk.

Pen Test Partners

Consilium Salwico CS5000 Fire Panel vulnerability advisory. CVE-2025-46352 – Default Account & CVE-2025-41438 – Hardcoded VNC Credentials

#

🤖 AI | 🛠️ Tool | 🌐 Web | 💰 Bug Bounty

🔗 Original article: https://trustedsec.com/blog/teaching-a-new-dog-old-tricks-phishing-with-mcp

Shows how to use custom MCP servers and Claude AI to automate and personalize phishing, including code, config, and workflow for scalable, targeted attacks.

TrustedSec

As AI evolves with MCP, can a new “dog” learn old tricks? In this blog, we test Claude AI’s ability to craft phishing pretexts—and just how much effort it…

#

💣 Malware | 🛠️ Tool | 🔨 Rust | 💻 Windows

🔗 Original article: https://bishopfox.com/blog/rust-for-malware-development

Step-by-step guide to Rust malware: process enumeration, stealthy remote mapping injection, and C2 staging with Sliver. Full code, commands, and reverse engineering challenges included.

Bishop Fox

Bishop Fox's Nick Cerne will compare developing malware in Rust with its C counterparts and develop a simple malware dropper for demonstration.

#

🛠️ Tool | 🌐 Web | 💰 Bug Bounty | 📡 IoT

🔗 Original article: https://github.com/0xAwali/WebSocketChecker

WebSocketChecker is a Burp Suite extension that scans WebSocket messages for leaked secrets and credentials using regex, helping security professionals detect and prevent sensitive data exposure in real time.

GitHub

Burp suite extension to find sensitive information by checking incoming text OR binary websocket messages - 0xAwali/WebSocketChecker

#

🛡️ Malware | 🛠️ Obfuscation | 💻 .NET | 🔎 ThreatIntel

🔗 Original article: https://unit42.paloaltonetworks.com/malicious-payloads-as-bitmap-resources-hide-net-malware/

Malware campaign hides .NET payloads in bitmap resources, using multi-stage loaders and advanced obfuscation to deliver Agent Tesla, XLoader, and Remcos RAT. Includes technical unpacking steps, IoCs, and detection tips.

Unit 42

Unit 42 details a new malware obfuscation technique where threat actors hide malware in bitmap resources within .NET applications. These deliver payloads like Agent Tesla or XLoader.

#

🛠️ Tool | 🌐 Web | 💣 Red Team | 📡 Network

🔗 Original article: https://github.com/art3x/ascan_sliver

ArtScan is a 20 KB C-based port scanner for Sliver C2, supporting threaded IP/port scans, ping sweeps, NetBIOS lookups, and banner grabbing. It enables fast, stealthy network recon for red teams.

GitHub

Tiny and fast port scanner (Sliver edition). Contribute to art3x/ascan_sliver development by creating an account on GitHub.

#

🛡️ CVE | 💣 RCE | 🌐 Web | 💰 Bug Bounty

🔗 Original article: https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/

CVE-2023-23397 lets attackers steal NTLM credentials via malicious Outlook calendar invites using UNC paths, enabling privilege escalation with minimal user action.

Date: 14th March 2023 Today saw Microsoft patch an interesting vulnerability in Microsoft Outlook. The vulnerability is described as follows: Microsoft Office Outlook contains a privilege escalation vulnerability that allows...

#

🦠 Malware | 💉 Social Engineering | 🛡️ Threat Intel | 🌐 Web

🔗 Original article: https://unit42.paloaltonetworks.com/lampion-malware-clickfix-lures/

Lampion malware uses ClickFix lures and multi-stage, obfuscated VBS scripts to steal banking data via phishing and social engineering. The campaign employs advanced evasion, scheduled tasks, and large payloads. High risk for targeted sectors.

Unit 42

Lampion malware distributors are now using the social engineering method ClickFix. Read our analysis of a recent campaign.

#

🛡️ CVE | 🌐 Web | 💣 RCE | 🛠️ Tool

🔗 Original article: https://posts.specterops.io/the-sql-server-crypto-detour-5ff9ac7033de?source=rss----f05f8696e3cc---4

Shows how to extract or brute-force SQL Server encryption keys, revealing a hardcoded DMK password in ManageEngine ADSelfService Plus, allowing attackers to decrypt sensitive data from backups.

Medium

As part of my role as Service Architect here at SpecterOps, one of the things I’m tasked with is exploring all kinds of technologies to…

#

📡 IoT | 🛡️ CVE | 💣 RCE | 💉 XSS

🔗 Original article: https://www.pentestpartners.com/security-blog/rces-and-more-in-the-kunbus-gmbh-revolution-pi-plc/

Four critical CVEs in Revolution Pi PLC allow unauthenticated RCE, authentication bypass, and XSS, enabling full device compromise, root access, and industrial process control.

Pen Test Partners

TL;DR Introduction The Revolution Pi is a programmable logic controller (PLC) made by KUNBUS Gmbh. PLCs are ruggedised devices sitting near the lowest layer of an industrial network. They use simple I/O and fieldbus protocols to control field devices (valves, actuators, etc.) and monitor processes. The Revolution Pi is unique in that the docum...

#

🛠️ Tool | ⛓️ Active Directory | 💣 PrivEsc | 🛡️ PoC

🔗 Original article: https://github.com/logangoins/SharpSuccessor

SharpSuccessor is a .NET PoC tool that automates privilege escalation in Active Directory via the BadSuccessor attack, weaponizing dMSA objects to gain Domain Admin from low-privileged users.

GitHub

SharpSuccessor is a .NET Proof of Concept (POC) for fully weaponizing Yuval Gordon’s (@YuG0rd) BadSuccessor attack from Akamai. - logangoins/SharpSuccessor

#

🛠️ Tool | 🌐 Web | 🔑 Secrets | 🛡️ Pentest

🔗 Original article: https://github.com/vsec7/BurpSuite-Xkeys

BurpSuite-Xkeys is a Burp Suite extension that passively scans HTTP responses for exposed secrets (keys, tokens, credentials), helping identify sensitive data leaks in web applications.

GitHub

A Burp Suite Extension to extract interesting strings (key, secret, token, or etc.) from a webpage. - vsec7/BurpSuite-Xkeys

#

🛡️ CVE | 🌐 Web | 💻 Tool | 📡 IoT

🔗 Original article: https://research.checkpoint.com/2025/2nd-june-threat-intelligence-report/

Covers Chrome CVEs (RCE), WordPress plugin exploits (SQLi, XSS), a $12M DeFi hack, IoT botnet (PumaBot), and law enforcement's takedown of Lumma Infostealer using a Dell iDRAC flaw.

Check Point Research

For the latest discoveries in cyber research for the week of 2nd June, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES IT management software company ConnectWise confirmed that a sophisticated nation-state cyberattack had compromised its environment, affecting a limited number of customers using its ScreenConnect remot...

#

🛠️ Tool | 📡 IoT | 🌐 Web | 💰 Bug Bounty

🔗 Original article: https://www.thezdi.com/blog/2025/3/14/building-an-electric-vehicle-simulator-to-research-evses

A detailed guide to building an EV simulator for J1772 chargers, enabling researchers to trigger and test EVSE charging states for security research and exploit development.

#

🛡️ CVE | 💣 RCE | 🔨 Tool | 💻 Windows

🔗 Original article: https://www.mdsec.co.uk/2024/04/cve-2024-21111-local-privilege-escalation-in-oracle-virtualbox/

CVE-2024-21111 lets any local user on Windows escalate to SYSTEM by abusing VirtualBox log file handling, directory permissions, and Windows symlink/junction tricks.

VirtualBox is a popular open source, cross-platform virtualization software developed by Oracle Corporation. Earlier this year we identified an arbitrary file move vulnerability in the VirtualBox system service that...

#

📱 Android | 🛠️ Tool | 🧪 Pentest | 🔒 Frida

🔗 Original article: https://github.com/Brut-Security/BrutDroid/

BrutDroid automates Android emulator rooting, Frida setup, SSL pinning/root detection bypass, and Burp cert install for efficient app pentesting and dynamic analysis.

GitHub

BrutDroid — Android Emulator Automation Toolkit. Contribute to Brut-Security/BrutDroid development by creating an account on GitHub.

#

🌐 Web | 🛡️ CVE | 💣 RCE | 💰 Bug Bounty

🔗 Original article: https://bishopfox.com/blog/sonicwall-cve-2024-53704-exploit-details-blog

CVE-2024-53704 lets attackers hijack any active SSL VPN session on unpatched SonicWall firewalls, granting full internal access without credentials. Patch immediately.

Bishop Fox

Bishop Fox researcher, Jon Williams, explains how they successfully exploited CVE-2024-53704, an authentication bypass in unpatched SonicWall firewalls.

#

🛡️ CVE | 💣 RCE | 🛠️ Tool | 💻 Windows

🔗 Original article: https://googleprojectzero.blogspot.com/2024/12/the-windows-registry-adventure-5-regf.html

Deep technical dive into the Windows Registry 'regf' file format, highlighting structure, key fields, and real-world vulnerabilities (with CVEs), plus actionable exploitation and fuzzing tips.

#

🌐 Web | 🛡️ Bypass | 💻 Tool | 💰 Bug Bounty

🔗 Original article: https://www.pentestpartners.com/security-blog/bypass-sharepoint-restricted-view-to-exfiltrate-data-using-copilot-ai-and-more/

Step-by-step technical guide to bypassing SharePoint Restricted View using OCR, Copilot AI, browser tweaks, and HTML/script extraction, with code and actionable instructions.

Pen Test Partners

TL;DR Introduction As Red Teamers, we often find information in SharePoint that can be useful for us in later attacks. As part of this we regularly want to download copies of the file, or parts of their contents. In this blog post we will discuss how the Restricted View privilege on SharePoint hampers our goals, […]

#

🛠️ Tool | 🌐 Web | 💰 Bug Bounty | 🛡️ CVE

🔗 Original article: https://freedium.cfd/https://medium.com/@thelazypentester/automating-authenticated-scans-in-burp-suite-for-2fa-applications-ae93882e26c9

Step-by-step guide to automating Burp Suite scans for 2FA-protected apps, covering session handling, macro setup, 2FA automation, and debugging.

#

🛡️ CVE | 💣 RCE | 🌐 Web | 🛠 Tool

🔗 Original article: https://blog.rapid7.com/2025/05/29/cve-2025-48045-cve-2025-48046-cve-2025-48047-mici-netfax-server-product-vulnerabilities-not-fixed/

Three CVEs in MICI NetFax (<3.0.1.0) allow RCE as root via default credential leaks, password exposure, and command injection. Exploitation is straightforward and critical; no patch is available.

Rapid7

Rapid7 discovered 3 vulnerabilities in MICI Network Co., Ltd’s NetFax server allowing for an authenticated attack chain resulting in RCE against the device as the root user.

#

🛡️ CVE | 💣 RCE | 🌐 Web | 💰 Bug Bounty

🔗 Original article: https://www.thezdi.com/blog/2025/3/11/the-march-2025-security-update-review

March 2025 Patch Tuesday fixes 67 CVEs in Microsoft and Adobe products, including several actively exploited RCE and EoP bugs. Key attack vectors: malicious files, VHDs, and privilege escalation. Immediate patching is recommended.

#

🛠️ Tool | ⛓️ Active Directory | 💻 Post-Exploitation | 🌐 Web

🔗 Original article: https://bishopfox.com/blog/2025-red-team-tools-c2-frameworks-active-directory-network-exploitation

A technical roundup of top red team tools for C2, Active Directory, and network exploitation, detailing their features, attack capabilities, and impact for advanced offensive security operations.

Bishop Fox

Discover top Red Team tools for 2025, including C2 frameworks, AD exploitation, and network attack tools for advanced offensive security ops.

#

🛡️ CVE | 💣 LPE | 🌐 Windows | 🔨 Exploit

🔗 Original article: https://cyberdom.blog/abusing-the-windows-update-stack-to-gain-system-access-cve-2025-21204/

CVE-2025-21204 lets local users escalate to SYSTEM by abusing NTFS junctions in the Windows Update Stack. Exploitation is simple, stealthy, and uses only native tools. Patch immediately and monitor for suspicious junctions and file writes.

The CVE-2025-21204 is precisely that kind of vulnerability. It doesn't require a zero-day exploit or complex memory corruption chain. It doesn't need a phishing campaign or a dropped malware loader. All it takes is: A misused filesystem trust, a writable folder, and a SYSTEM process doing what it was built to do.

#

🛡️ CVE | 🌐 Web | 💰 Bug Bounty | 🔧 Tool

🔗 Original article: https://www.yeswehack.com/news/middleware-mayhem-zoolander-malta

Covers CVE-2025-29927 (Next.js auth bypass), bug bounty trends, technical exploitation guides (HTTP, GraphQL, prototype pollution), and new security tools. Highly technical and actionable for security professionals.

Our roundup includes impressive Next.js research as well as reprieves for the imperilled CVE database and for hackers over “unfair” criminal charges in Malta.

#

🌐 Web | 🛡️ WAF | 💉 Injection | 🛠️ Tool

🔗 Original article: https://portswigger.net/research/bypassing-wafs-with-the-phantom-version-cookie

Shows how legacy cookie attributes and quoted-string encoding can bypass WAFs, enabling injection attacks. Includes code, examples, and Burp Suite automation for security testing.

PortSwigger Research

HTTP cookies often control critical website features, but their long and convoluted history exposes them to parser discrepancy vulnerabilities. In this post, I'll explore some dangerous, lesser-known

#

📡 IoT | 🛠️ Reverse Engineering | 🛡️ Vulnerability | 💣 Buffer Overflow

🔗 Original article: https://www.synacktiv.com/publications/analyse-dun-decodeur-tnt.html

Deep technical analysis of a DVB decoder: firmware extraction, IR protocol bugs, and buffer overflows in DVB table parsing. Overflows are not exploitable, but the post is highly educational for IoT security.

#

🌐 Web | 🛡️ CVE | 💰 Bug Bounty | 🛠️ Tool

🔗 Original article: https://blog.trailofbits.com/2025/04/30/insecure-credential-storage-plagues-mcp/

MCP tools often store API keys in plaintext, world-readable files, making them easy targets for local attackers or malware. This exposes sensitive data and services to full compromise.

The Trail of Bits Blog

This post describes how many examples of MCP software store long-term API keys for third-party services in plaintext on the local filesystem, often with insecure, world-readable permissions.

#

🛡️ Malware | 🛠️ Tool | 💰 Infostealer | 🌐 Phishing

🔗 Original article: https://unit42.paloaltonetworks.com/darkcloud-stealer-and-obfuscated-autoit-scripting/

DarkCloud Stealer uses obfuscated AutoIt scripts in a multi-stage phishing attack to steal credentials, browser data, and more, evading detection with advanced anti-analysis and persistence techniques.

Unit 42

A new DarkCloud Stealer campaign is using AutoIt obfuscation for malware delivery. The attack chain involves phishing emails, RAR files and multistage payloads.

#

☁️ Cloud | 🔗 DNS | 🛡️ CVE | 🌐 Web

🔗 Original article: https://unit42.paloaltonetworks.com/azure-openai-dns-resolution/

A DNS misconfiguration in Azure OpenAI let multiple tenants share a domain that resolved to an external IP, risking cross-tenant data leaks and MitM attacks. Microsoft quickly fixed the issue.

Unit 42

We discovered an Azure OpenAI misconfiguration allowing shared domains, potentially leading to data leaks. Microsoft quickly resolved the issue.

#

💣 RCE | 🌐 Web | 🛡️ CVE | 💰 Bug Bounty

🔗 Original article: https://medium.com/immunefi/sky-remote-code-execution-bugfix-review-9bfbeb8c1c17?source=rss----6cdc579be8a0---4

Critical RCE in vote.makerdao.com via gray-matter Markdown parsing let attackers run system commands. Fixed by disabling JS engine. Severity: Critical.

Medium

On 25 September 2023, a security researcher named xss submitted a critical vulnerability to Sky (formerly known as MakerDAO) through…

#

🛠️ Tool | 📱 Android | 🔬 Reverse Engineering | 🧩 Binary Analysis

🔗 Original article: https://eshard.com/posts/frida-tracer-lightweight-time-travel-analysis

Shows how to use Frida to collect lightweight time travel traces on real Android devices, enabling efficient, focused reverse engineering and debugging of native code.

Discover how Frida tracing enhances Time Travel Analysis for Android reverse engineering, enabling more effective binary analysis on real devices.

#

🛡️ Active Directory | 🛠️ Tool | 🌐 Web | 💣 Detection Evasion

🔗 Original article: https://www.mdsec.co.uk/2024/02/active-directory-enumeration-for-red-teams/

Technical guide on evading detection during Active Directory enumeration. Covers LDAP/ADWS telemetry, tool analysis, detection rules, and OpSec tradecraft for red teams, with actionable code and examples.

The Directory Service is the heart and soul of many organisations, and whether it's Active Directory, OpenLDAP or something more exotic, as a source of much knowledge it often acts...

#

🛡️ CVE | 💣 RCE | 🌐 Web | 🔨 Exploit

🔗 Original article: https://unit42.paloaltonetworks.com/threat-brief-sap-netweaver-cve-2025-31324/

CVE-2025-31324 is a critical unauthenticated RCE in SAP NetWeaver Visual Composer, exploited via arbitrary file upload. Attackers deploy web shells and reverse shells for full system control. Exploitation is easy and widespread. Patch and monitor immediately.

Unit 42

CVE-2025-31324 impacts SAP NetWeaver's Visual Composer Framework. We share our observations on this vulnerability using incident response cases and telemetry.

#

🌐 Web | 🛡️ CVE | 💣 Auth Bypass | 🛠️ Next.js

🔗 Original article: https://www.offsec.com/blog/cve-2025-29927/

Critical Next.js bug (CVE-2025-29927) lets attackers bypass middleware auth by spoofing the x-middleware-subrequest header. Upgrade Next.js or block the header to mitigate.

OffSec

In this CVE blog, we explore a vulnerability in Next.js stemming from the improper trust of the x-middleware-subrequest header.

#

🛡️ Windows | 🛠️ Tool | 💣 Exploit | 💻 Kernel

🔗 Original article: https://googleprojectzero.blogspot.com/2025/01/windows-exploitation-tricks-trapping.html

Windows 11 24H2 lets any user run a local fake SMB server on a custom port, enabling reliable local kernel TOCTOU exploitation without admin rights.

#

🛡️ CVE | 🖥️ Windows | 💣 RCE | 🛠️ Exploit

🔗 Original article: https://googleprojectzero.blogspot.com/2025/05/the-windows-registry-adventure-8-exploitation.html

Step-by-step guide to exploiting Windows registry hive memory corruption for privilege escalation and RCE, with CVEs, attack steps, WinDbg usage, and real-world impact.

#

🛠️ Tool | 🌐 Web | 🛡️ Secrets | 💰 Bug Bounty

🔗 Original article: https://trufflesecurity.com/blog/introducing-trufflehog-s-burp-suite-extension-a-techical-deep-dive

TruffleHog's Burp Suite extension scans HTTP traffic for secrets (API keys, credentials) in real time, automating detection and verification to prevent leaks. Integrates TruffleHog CLI with Burp Suite for web security testing.

Scan for secrets using TruffleHog inside Burp Suite.

#

📡 IoT | 🌐 Web | 🛡️ CVE | 💣 RCE

🔗 Original article: https://www.pentestpartners.com/security-blog/fully-segregated-networks-your-dual-homed-devices-might-disagree/

Dual-homed devices in OT/ICS can be exploited to bypass network segmentation, enabling lateral movement via default creds, outdated firmware, and exposed services. Attackers can pivot across critical networks, risking severe operational and safety impact.

Pen Test Partners

TL;DR Introduction When we carry out security assessments in Operational Technology (OT) and Industrial Control System (ICS) environments, one thing that often stands out is the use of dual-homed devices. In this blog post, I look at a recent OT / ICS engagement with a Critical National Infrastructure (CNI) client, which shows why dual-homed dev...

#

🌐 Web | 💰 Bug Bounty | 🛠️ Tool | 🛡️ Recon

🔗 Original article: https://www.yeswehack.com/learn-bug-bounty/recon-hackers-guide-google-dorking

A technical guide to Google dorking for bug bounty, with detailed search operators, example queries, and workflow for finding exposed files, credentials, and login portals.

An explainer for leveraging Google dorking (or hacking) techniques, which offer a simple, passive way to uncover crucial intel for potential vulnerabilities.

#

🌐 Web | 💉 XSS | 🛡️ CVE | 🔨 Exploit

🔗 Original article: https://portswigger.net/research/stealing-httponly-cookies-with-the-cookie-sandwich-technique

The "cookie sandwich" attack abuses legacy cookie parsing, XSS, and CORS issues to steal HttpOnly cookies, enabling session hijacking even when cookies are marked as HttpOnly.

PortSwigger Research

In this post, I will introduce the "cookie sandwich" technique which lets you bypass the HttpOnly flag on certain servers. This research follows on from Bypassing WAFs with the phantom $Version cookie

#

🛡️ CVE | 💣 RCE | 🌐 Web | 🛠️ Tool

🔗 Original article: https://research.checkpoint.com/2025/26th-may-threat-intelligence-report/

Covers critical CVEs in Firefox, WordPress, and Versa Concerto, Docker cryptojacking, SEO poisoning with Bumblebee malware, and Kling AI impersonation. Includes technical details and exploitation methods.

Check Point Research

For the latest discoveries in cyber research for the week of 26th May, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Cellcom, a Wisconsin-based wireless provider, has been impacted by a cyberattack that resulted in widespread outages of voice and SMS services beginning on May 14, 2025. The incident disrupted communic...

#

🛡️ CVE | 🌐 Web | 💣 RCE | 💰 Bug Bounty

🔗 Original article: https://research.checkpoint.com/2025/12th-may-threat-intelligence-report/

Critical CVEs in Android, Kibana, WordPress, and Samsung MagicINFO are under active attack. Exploitation details, PoCs, and attack vectors are provided. Also covers credential leaks and advanced phishing targeting crypto users.

Check Point Research

For the latest discoveries in cyber research for the week of 12th May, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES The UK’s Legal Aid Agency has suffered a cyberattack. The agency, which operates under the Ministry of Justice to provide billions in legal aid funding, has stated that financial information relating...

#

🌐 Web | 🛡️ CVE | 💣 RCE | 💰 Bug Bounty

🔗 Original article: https://googleprojectzero.blogspot.com/2025/03/blasting-past-webp.html

Deep dive into BLASTPASS: how a WebP heap overflow (CVE-2023-41064/4863) and PKPass parsing bug (CVE-2023-41061) enabled zero-click RCE on iOS via heap grooming and a crafted binary plist.

#

🌐 Web | 🛡️ CVE | 💉 XSS | 🛠️ Tool

🔗 Original article: https://www.mdsec.co.uk/2023/09/the-not-so-pleasant-password-manager/

Critical unauthenticated XSS (CVE-2023-27121) in Pleasant Password Server enables full credential theft. Exploit, PoC, and DB decryption methods are detailed.

Overview During a recent adversary simulation, the MDSec ActiveBreach red team were asked to investigate the organisation’s Password Manager solution, with the key objective of compromising stored credentials, ideally from...

#

🛡️ CVE | 🛠️ Tool | 💻 macOS | 💣 RCE

🔗 Original article: https://googleprojectzero.blogspot.com/2025/05/breaking-sound-barrier-part-i-fuzzing.html

A step-by-step technical guide to fuzzing macOS coreaudiod via Mach IPC, covering harness creation, reverse engineering, and debugging for sandbox escape research.

#

🛡️ CVE | 💣 RCE | 🌐 Web | 🛠️ Tool

🔗 Original article: https://www.thezdi.com/blog/2025/5/7/cve-2024-44236-remote-code-execution-vulnerability-in-apple-macos

CVE-2024-44236 is a critical out-of-bounds write in macOS sips, exploitable via crafted ICC Profile files, leading to remote code execution. Patch immediately.

#

🛠️ Tool | 💣 Evasion | 🛡️ Red Team | 🌐 Web

🔗 Original article: https://www.mdsec.co.uk/2023/09/nighthawk-0-2-6-three-wise-monkeys/

Nighthawk 0.2.6 adds advanced EDR evasion: call stack masking, in-memory execution, module stomping, stealthy screenshot capture, custom loader generation, and EDR network blocking. Highly technical, aimed at red teams.

Overview See no evil, hear no evil, speak no evil. This Japanese maxim epitomises the EDRs coming up against our latest release of Nighthawk. Following copious amounts of research and...

#

🛠️ Tool | 🛡️ CVE | 💣 RCE | 🌐 Web

🔗 Original article: https://github.com/RedTeamPentesting/wspcoerce

wspcoerce exploits MS-WSP over SMB to force Windows hosts to authenticate to attacker servers, enabling NTLM relay and domain escalation attacks.

GitHub

wspcoerce coerces a Windows computer account via SMB to an arbitrary target using MS-WSP - RedTeamPentesting/wspcoerce

#

🛡️ CVE | 💣 RCE | 🌐 Web | 🔨 Bug Bounty

🔗 Original article: https://www.yeswehack.com/news/airborne-airplay-deleted-files-slop

Technical roundup: GitHub secret hunting, Apple AirPlay RCE ('Airborne'), CSWSH mitigations, ASUS driver RCE, iPhone bricking, VS Code ASCII exploit, Python file write to RCE, and fuzzing WebSockets. Includes actionable attack vectors and exploitation steps.

Our latest roundup features warnings about AI slop reports, a large-scale hunt for secrets hidden in GitHub commits, and AirPlay attacks that travel via P2P.

#

🛡️ CVE | 💉 Credential Theft | 🔨 Tool | 🌐 Web

🔗 Original article: https://www.pentestpartners.com/security-blog/vnc-rdp-for-all-to-see/

The post shows how attackers can intercept and crack VNC passwords using packet sniffing and a Python script, due to lack of encryption and weak authentication.

Pen Test Partners

TL;DR Introduction VNC (Virtual Network Computing) is a widely deployed service in perhaps forgotten corners of legacy enterprise networks. This is mainly because it’s a tried and trusted protocol that simply works, however this is disregarding its security flaws and disadvantages in the modern age. A more well-known example could be the compa...

#

🌐 Web | 🛡️ CVE | 💣 RCE | 🛠️ Tool

🔗 Original article: https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms/

Critical unauthenticated RCE in CraftCMS (CVE-2025-32432) via Yii behavior injection. Attackers exploit image transform endpoint to execute arbitrary PHP, upload webshells, and overwrite files. Full technical details, code, and detection tips provided.

#

🌐 Web | 🛡️ CVE | 💣 RCE | 💰 Bug Bounty

🔗 Original article: https://boostsecurity.io/blog/weaponizing-dependabot-pwn-request-at-its-finest

Shows how attackers can exploit GitHub Dependabot workflows to auto-merge malicious code, inject commands, and bypass branch protections using advanced 'Confused Deputy' techniques.

Learn how Dependabot can be co-opted to exploit some sensitive workflows, through the Confused Deputy Problem and branch name injections.

#

🛠️ Tool | 🌐 Web | 📡 Recon | 🛡️ OSINT

🔗 Original article: https://github.com/Elite-Security-Systems/radar

RADAR is a DNS reconnaissance tool that identifies technologies and services via DNS records, aiding security pros in mapping attack surfaces and automating asset discovery.

GitHub

RADAR (Rapid Assessment of DNS And Reconnaissance) is an advanced DNS reconnaissance tool designed to identify technologies and services used by domains through their DNS footprints - Elite-Securit...

#

🌐 Web | 🛡️ CVE | 💣 RCE | 💉 XSS

🔗 Original article: https://portswigger.net/research/top-10-web-hacking-techniques-of-2024

A technical roundup of 2024's top web hacking techniques, including new attacks on OAuth, HTTP request smuggling, SQLi, XSS, and Apache, with detailed exploitation steps, CVEs, and actionable insights.

PortSwigger Research

Welcome to the Top 10 Web Hacking Techniques of 2024, the 18th edition of our annual community-powered effort to identify the most innovative must-read web security research published in the last year

#

🛡️ CVE | 💣 RCE | 🌐 Web | 💰 Bug Bounty

🔗 Original article: https://www.thezdi.com/blog/2025/5/17/pwn2own-berlin-2025-day-three-results

Pwn2Own Berlin 2025 Day Three: Researchers exploited zero-days in Windows, NVIDIA, Firefox, and VMware, demonstrating privilege escalation, VM escapes, and memory corruption. Technical vulnerability classes and impacts are detailed, but no exploit code or CVEs are provided.

#

🌐 Web | 💣 RCE | 🛡️ Red Team | 🛠️ Tool

🔗 Original article: https://www.mdsec.co.uk/2025/03/red-teaming-with-servicenow/

Step-by-step guide to abusing ServiceNow's legitimate features for RCE, credential theft, and privilege escalation. Includes code, commands, and attack details for Windows and Unix environments.

Introduction Over the course of numerous Red Team engagements MDSec has often gained privileged access to a target’s ServiceNow instance. This has, in turn, facilitated a variety of compromise actions...

#

🛠️ Tool | 🌐 Web | 🤖 AI | 💰 Bug Bounty

🔗 Original article: https://portswigger.net/research/document-my-pentest

Document My Pentest is a Burp Suite extension that uses AI and regex-based input reflection to automate and improve web pentest documentation, reducing manual work and false positives.

PortSwigger Research

Tired of repeating yourself? Automate your web security audit trail. In this post I'll introduce a new Burp AI extension that takes the boring bits out of your pen test. Web security testing can be a

#

🛡️ CVE | 💣 RCE | 🌐 Web | 💰 Bug Bounty

🔗 Original article: https://www.thezdi.com/blog/2025/5/13/the-may-2025-security-update-review

May 2025 Patch Tuesday fixes 40 Adobe and 75 Microsoft CVEs, including RCE and EoP bugs under active attack. Key CVEs: CVE-2025-30397 (RCE), CVE-2025-32701/32706/32709/30400 (EoP). Patch actively exploited vulnerabilities immediately.

#

🛡️ CVE | 💣 RCE | 🌐 Web

🔗 Original article: https://bishopfox.com/blog/tomcat-cve-2025-24813-what-you-need-to-know-blog

CVE-2025-24813 is an RCE chain in Tomcat requiring rare misconfigurations. Exploitation is unlikely for most, but patching and config review are advised.

Bishop Fox

Blog breakdown of CVE-2025-24813 in Apache Tomcat—what it is, who’s actually at risk, and why most users likely aren’t affected. Keep calm, patch servers.

#

🌐 Web | 💉 NoSQLi | 🛡️ MongoDB | 💣 Injection

🔗 Original article: https://sensepost.com/blog/2025/getting-rid-of-pre-and-post-conditions-in-nosql-injections/

Explains advanced MongoDB NoSQL injection techniques to bypass pre-conditions using syntax injection, $where, and duplicate keys, with practical payloads and a focus on impact and limitations.

#

🌐 Web | 💉 XSS | 🛡️ CVE | 🔧 Tool

🔗 Original article: https://portswigger.net/research/bypassing-character-blocklists-with-unicode-overflows

Unicode overflow attacks use codepoint truncation to bypass input filters, enabling XSS and other exploits. The post explains the technique with code and tools.

PortSwigger Research

Unicode codepoint truncation - also called a Unicode overflow attack - happens when a server tries to store a Unicode character in a single byte. Because the maximum value of a byte is 255, an overflo

#

🛡️ CVE | 💣 RCE | 🌐 Web | 🛠️ Tool

🔗 Original article: https://blog.trailofbits.com/2025/04/29/deceiving-users-with-ansi-terminal-codes-in-mcp/

Attackers can exploit unsanitized ANSI escape codes in MCP tools to hide malicious payloads, overwrite output, clear screens, and phish users, enabling covert RCE and supply chain attacks in terminal-based AI agents.

The Trail of Bits Blog

This post describes attacks using ANSI terminal code escape sequences to hide malicious instructions to the LLM, leveraging the line jumping vulnerability we discovered in MCP.

#

🌐 Web | 🛡️ CVE | 💉 JWT | 💣 Exploitation

🔗 Original article: https://pentesterlab.com/blog/jwt-vulnerabilities-attacks-guide

A hands-on guide to exploiting JWT vulnerabilities: signature bypass, none algorithm, weak secrets, algorithm confusion, kid injection, embedded JWK (CVE-2018-0114), JKU/X5U abuse, and Java ECDSA bug (CVE-2022-21449). Includes code, attack steps, and mitigations.

#

🛠️ Tool | 🌐 Web | 💣 Red Team | 📡 Network

🔗 Original article: https://github.com/django-88/NomadScanner

NomadScanner is a stealthy, in-memory Windows port scanner for red teams, supporting advanced evasion, custom payloads, and randomized HTTP probes. Highly OPSEC-safe for authorized network reconnaissance.

GitHub

Contribute to django-88/NomadScanner development by creating an account on GitHub.

#

🌐 Web | 🛡️ CVE | 💣 RCE | 🔒 Data Theft

🔗 Original article: https://blog.trailofbits.com/2025/04/23/how-mcp-servers-can-steal-your-conversation-history/

Malicious MCP tool descriptions can silently exfiltrate entire LLM chat histories using trigger phrases, enabling persistent, stealthy data theft from AI chat environments.

The Trail of Bits Blog

This post explains how malicious MCP servers can exploit the Model Context Protocol to covertly exfiltrate entire conversation histories by injecting trigger phrases into tool descriptions, allowing for targeted data theft against specific organizations.

#

🛠️ Tool | 🌐 Web | 💰 Bug Bounty | 🛡️ Auth

🔗 Original article: https://github.com/forteBruno/Token-Tailor

Token Tailor automates JWT/Basic token renewal in Burp Suite, ensuring uninterrupted authenticated testing and tool integration. Ideal for web security professionals.

GitHub

Token Tailor is a Burp Suite Community Edition extension that aims to simplify security testing by automating JWT renewal. - forteBruno/Token-Tailor

#

🛠️ Tool | 🌐 Web | 💣 PrivEsc | 💰 Bug Bounty

🔗 Original article: https://gist.github.com/snovvcrash/a1ae180ab3b49acb43da8fd34e7e93df

Python PoC for extracting dMSA secrets in Active Directory using Kerberos tickets. Enables privilege escalation by automating dMSA key extraction. Useful for red teamers and defenders.

Gist

BadSuccessor (@YuG0rd) previous-keys PoC with minikerberos-getDmsa (@skelsec) for all AD users and computers - dMSASync.py

#

📱 Mobile | 🛠️ Tool | 🔓 Jailbreak | 🔧 Exploit

🔗 Original article: https://www.pentestpartners.com/security-blog/how-to-load-unsigned-or-fake-signed-apps-on-ios/

Step-by-step guide to loading unsigned/fake-signed iOS apps using AppSync Unified, AltStore, Sideloadly, and TrollStore. Covers jailbreak, exploits, and security impact for penetration testers.

Pen Test Partners

TL;DR Introduction In certain circumstances it can be challenging installing client applications for testing. Situations arise where the application could be provided unsigned or requires self-signing. As a result, the application cannot be directly provisioned to the device. Installing the application can be challenging without access to a MacB...

#

🛡️ CVE | 💣 RCE | 🌐 Web | 🛠️ Tool

🔗 Original article: https://starlabs.sg/blog/2025/06-solo-a-pixel-6-pro-story-when-one-bug-is-all-you-need/

Technical walkthrough of exploiting CVE-2023-48409 on Pixel 6 Pro: integer overflow in Mali GPU driver enables kernel RCE via heap underflow, pagetable spraying, and bypass of Android security.

STAR Labs

During my internship I was tasked to analyze a Mali GPU exploit on Pixel 7/8 devices and adapt it to make it work on another device: the Pixel 6 Pro.
While the exploit process itself is relatively straightforward to reproduce (in theory we just need to find the correct symbol offsets and signatures for our target device), what’s interesting ab...

#

🌐 Web | 🛡️ CVE | 💣 SSRF | 🛠️ Tool

🔗 Original article: https://portswigger.net/research/new-crazy-payloads-in-the-url-validation-bypass-cheat-sheet

New URL validation bypass payloads use advanced IP encodings, userinfo parsing tricks, and CORS bypasses to exploit SSRF, open redirect, and CORS misconfigurations.

PortSwigger Research

The strength of our URL Validation Bypass Cheat Sheet lies in the contributions from the web security community, and today’s update is no exception. We are excited to introduce a new and improved IP a

deep valeBOT
#

🛠️ Tool | ⛓️ Active Directory | 💣 Network | 🌐 Web

🔗 Original article: https://bishopfox.com/blog/2025-red-team-tools-c2-frameworks-active-directory-network-exploitation

A technical overview of top red team tools for C2, Active Directory, and network exploitation, including Sliver, Cobalt Strike, Metasploit, BloodHound, and more. Essential for simulating attacks and testing enterprise security.

#

🛡️ CVE | 💣 RCE | 🌐 Web | 💰 Bug Bounty

🔗 Original article: https://www.synacktiv.com/publications/taking-the-relaying-capabilities-of-multicast-poisoning-to-the-next-level-tricking.html

A new technique forces Windows SMB clients to fall back to WebDav, enabling HTTP-based NTLM/Kerberos relaying via multicast poisoning. This greatly enhances unauthenticated relay attacks in Active Directory.

#

🌐 Web | 🛡️ Kerberos | 🛠️ Tool | 💣 Relay

🔗 Original article: https://www.synacktiv.com/publications/abusing-multicast-poisoning-for-pre-authenticated-kerberos-relay-over-http-with.html

Shows how to relay Kerberos over HTTP using LLMNR poisoning with Responder and krbrelayx, enabling pre-auth attacks on AD HTTP services. Includes full exploitation steps, tool usage, and mitigations.

#

🔥 Malware | 🛡️ Threat Intel | 💻 Windows | 💾 Infostealer

🔗 Original article: https://unit42.paloaltonetworks.com/darkcloud-stealer-and-obfuscated-autoit-scripting/

DarkCloud Stealer uses obfuscated AutoIt scripts and multi-stage payloads to steal credentials and sensitive data. Delivered via phishing, it decrypts and executes payloads in memory, evades analysis, and persists on Windows systems.

#

💣 RCE | 🌐 Web | 🛡️ Malware | 💻 Virtualization

🔗 Original article: https://www.synacktiv.com/publications/etude-de-cas-comment-hunters-international-et-ses-affilies-ciblent-vos-hyperviseurs.html

Hunters International used malvertising, RATs, and advanced scripting to compromise VMware ESXi, exfiltrate data, and deploy a Rust-based, obfuscated ransomware. The article details the full technical attack chain and ransomware internals.

#

🛡️ CVE | 💣 PrivEsc | 🛠️ Tool | 🌐 Web

🔗 Original article: https://www.mdsec.co.uk/2024/12/extracting-account-connectivity-credentials-accs-from-symantec-management-agent-aka-altiris/

Shows how to extract privileged credentials from Symantec Management Agent (Altiris) using EvilAltiris, enabling privilege escalation and lateral movement via policy key manipulation and decryption.

#

🛡️ CVE | 💣 RCE | 🌐 Web | 💰 Bug Bounty

🔗 Original article: https://blog.rapid7.com/2025/05/29/cve-2025-48045-cve-2025-48046-cve-2025-48047-mici-netfax-server-product-vulnerabilities-not-fixed/

Three CVEs in MICI NetFax Server allow RCE as root via default credential disclosure, password leakage, and command injection. Exploitation is straightforward and no patch is available.

#

🦠 Malware | 🛡️ Obfuscation | 🖼️ Steganography | 💻 Windows

🔗 Original article: https://unit42.paloaltonetworks.com/malicious-payloads-as-bitmap-resources-hide-net-malware/

Malware hides payloads in .NET bitmap resources, using multi-stage loaders and advanced obfuscation to deliver Agent Tesla, XLoader, and Remcos RAT. Steganography and reflection help evade detection. Includes technical unpacking steps, IoCs, and analysis tips.

#

🛡️ CVE | 💻 Active Directory | 💣 RCE | 🛠️ Tool

🔗 Original article: https://posts.specterops.io/the-renaissance-of-ntlm-relay-attacks-everything-you-need-to-know-abfc3677c34e?source=rss----f05f8696e3cc---4

NTLM relay attacks exploit weaknesses in Windows authentication, enabling attackers to escalate privileges and move laterally. The post details technical attack vectors, exploitation steps, mitigations, and BloodHound's new features for visualizing relay paths.

deep valeBOT
#

🛡️ CVE | 🌐 Web | 💣 RCE | 🛠️ Tool

🔗 Original article: https://posts.specterops.io/the-renaissance-of-ntlm-relay-attacks-everything-you-need-to-know-abfc3677c34e?source=rss----f05f8696e3cc---4

NTLM relay attacks exploit legacy Windows authentication to impersonate users and escalate privileges via SMB, LDAP, and ADCS. This post explains attack methods, technical details, and mitigations, highlighting new BloodHound features for identifying vulnerable paths.

#

🌐 Web | 🛡️ CVE | 🛠️ Tool | 💉 NTLM Relay

🔗 Original article: https://www.synacktiv.com/publications/taking-the-relaying-capabilities-of-multicast-poisoning-to-the-next-level-tricking.html

A technique tricks Windows SMB clients into falling back to the WebDAV HTTP client on specific SMB errors, enabling HTTP NTLM authentication capture and powerful NTLM/Kerberos relaying attacks in Active Directory multicast poisoning scenarios.

#

🛡️ CVE | 🌐 Web | 💣 RCE | 💰 Bug Bounty

🔗 Original article: https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/

CVE-2023-23397 is a critical Outlook vulnerability allowing NTLM relay attacks via malicious calendar reminders in crafted MSG files, enabling privilege escalation and credential theft. Immediate patching is essential.

#

🛡️ .NET | 🦠 Malware | 🕵️‍♂️ Obfuscation | 🖼️ Steganography

🔗 Original article: https://unit42.paloaltonetworks.com/malicious-payloads-as-bitmap-resources-hide-net-malware/

Malware hides payloads as bitmap resources in .NET apps using multi-stage loaders and XOR obfuscation to evade detection. Final payloads include Agent Tesla info-stealer. Analysis uses .NET debugging hooks to extract payloads.

#

🛡️ CVE | 🛠️ Authentication Bypass | 🌐 Web | 💣 ATO

🔗 Original article: https://www.openbugbounty.org/blog/1120-ato-bug-in-twitters/

A Twitter vulnerability allowed attackers with hijacked sessions to bypass password checks, delete and add phone numbers, disable 2FA, and reset passwords, leading to full account takeover. The flaw was responsibly disclosed and rewarded with a $1120 bounty.

#

🌐 Web | 🛡️ CVE | ☁️ Cloud Security | 💣 Privilege Escalation

🔗 Original article: https://unit42.paloaltonetworks.com/aws-roles-anywhere/

This post explains how AWS IAM Roles Anywhere's default permissive trust policies can lead to privilege escalation using stolen certificates, and provides detailed mitigation steps including restrictive trust policies and certificate attribute mapping.

#

🛡️ CVE | 🛠️ Tool | 🌐 Web | 💣 RCE

🔗 Original article: https://www.mdsec.co.uk/2024/12/extracting-account-connectivity-credentials-accs-from-symantec-management-agent-aka-altiris/

This post explains how to extract highly privileged Account Connectivity Credentials (ACCs) from Symantec Management Agent using SMATool and custom tools, enabling privilege escalation and remote code execution.

#

🛡️ CVE | 🌐 Web | 💣 RCE | 🛠️ Tool

🔗 Original article: https://posts.specterops.io/update-dumping-entra-connect-sync-credentials-4a9114734f71?source=rss----f05f8696e3cc---4

Microsoft Entra Connect Sync switched from user password to app registration with certificate auth. Attackers can add new cert keys to persist access without admin tokens, expanding attack surface. Detection via Azure AD audit logs is possible.

#

🦠 Malware | 🌐 Web | 💰 Cryptocurrency | 🤖 Botnet

🔗 Original article: https://unit42.paloaltonetworks.com/blitz-malware-2025/

Blitz is a Windows malware spread via backdoored game cheats using anti-sandbox checks and PowerShell to download a bot and Monero miner from Hugging Face Spaces. It supports keylogging, screenshots, DDoS, and remote commands, controlled via a FastAPI-based C2. The operator ceased activity in 2025.

#

🛡️ CVE | 💣 RCE | 🌐 Web | 🛠️ Tool

🔗 Original article: https://unit42.paloaltonetworks.com/threat-brief-sap-netweaver-cve-2025-31324/

CVE-2025-31324 is a critical SAP NetWeaver vulnerability allowing unauthenticated file upload and remote code execution via /developmentserver/metadatauploader. Attackers deploy JSP web shells and advanced reverse shells like GOREVERSE. Palo Alto Networks offers protections and IoCs for defense.

#

🛡️ OT/ICS | 🌐 Network Security | 🔄 Pivoting | 🖥️ Dual-Homed Devices

🔗 Original article: https://www.pentestpartners.com/security-blog/fully-segregated-networks-your-dual-homed-devices-might-disagree/

Dual-homed devices in OT/ICS networks can be exploited to bypass segmentation, enabling attackers to pivot across critical infrastructure using default credentials, outdated firmware, and exposed services like SSH and Telnet.

#

🛡️ CVE | 💣 RCE | 🌐 Web | 💉 XSS

🔗 Original article: https://www.pentestpartners.com/security-blog/rces-and-more-in-the-kunbus-gmbh-revolution-pi-plc/

Four critical vulnerabilities in KUNBUS Revolution Pi PLC allow unauthenticated remote code execution and XSS attacks, risking industrial control and safety. Exploits include Node-RED auth bypass, PiCtory SSO path traversal, stored and reflected XSS leading to root shell access.

#

🤖 AI Exploitation | 🌐 Web | 🛡️ Access Control | 🔍 Red Teaming

🔗 Original article: https://www.pentestpartners.com/security-blog/exploiting-copilot-ai-for-sharepoint/

Microsoft Copilot AI in SharePoint can be exploited to stealthily access sensitive data, bypassing permissions and logs. Attackers use AI agents as advanced search tools to find secrets and internal info, revealing new risks in AI-assisted collaboration platforms.

#

🌐 Web | 🛡️ CVE | 💉 Phishing | 💰 Crypto

🔗 Original article: https://cyble.com/blog/crypto-phishing-applications-on-the-play-store/

Over 20 malicious Android apps on Google Play steal crypto wallet mnemonic phrases via phishing, impersonating popular wallets. They use WebView to load phishing sites and are distributed through compromised developer accounts, risking irreversible crypto theft.

#

🛡️ CVE | 💣 RCE | 🪟 Windows | 🛠️ Tool

🔗 Original article: https://cyberdom.blog/abusing-the-windows-update-stack-to-gain-system-access-cve-2025-21204/

CVE-2025-21204 is a Windows Update Stack local privilege escalation via directory junction hijacking, allowing non-admin users to execute code as SYSTEM. Patched in April 2025, it exploits trusted path validation flaws using native Windows tools.

#

🛡️ CVE | 💣 LPE | 🌐 Windows | 🛠️ Exploit

🔗 Original article: https://www.mdsec.co.uk/2024/01/cve-2024-20656-local-privilege-escalation-in-vsstandardcollectorservice150-service/

CVE-2024-20656 is a Windows local privilege escalation in Visual Studio's VSStandardCollectorService150. It exploits file permission resets via junction points and MSI repair to gain SYSTEM privileges.

#

🛡️ CVE | 🌐 Web | 💣 RCE | 🛠️ Tool

🔗 Original article: https://posts.specterops.io/an-operators-guide-to-device-joined-hosts-and-the-prt-cookie-bcd0db2812c4?source=rss----f05f8696e3cc---4

Guide on exploiting device-joined Windows hosts to extract Azure AD Primary Refresh Tokens (PRT) for bypassing MFA and accessing cloud resources via SSO, including detailed enumeration, token extraction, and usage techniques.

#

🌐 Web | 🛡️ CVE | 💣 RCE | 💰 Bug Bounty

🔗 Original article: https://research.checkpoint.com/2025/inferno-drainer-reloaded-deep-dive-into-the-return-of-the-most-sophisticated-crypto-drainer/

Inferno Drainer is a sophisticated crypto phishing campaign abusing Discord and smart contracts to steal over $9M. It uses obfuscated JavaScript, blockchain-stored configs, proxy servers, and short-lived contracts to evade detection.

deep valeBOT
#

🛡️ CVE | 🌐 Web | 💉 Social Engineering | 💣 RAT

🔗 Original article: https://blog.rapid7.com/2025/06/10/blacksuit-continues-social-engineering-attacks-in-wake-of-black-bastas-internal-conflict/

BlackSuit ransomware group uses email bombing and social engineering via Microsoft Teams and calls to gain remote access, deploying a Java RAT with cloud-based C2 and credential harvesting. They use QEMU VMs and Rust malware for proxying. Mitigations include MFA, Teams restrictions, and user training.

#

🛡️ CVE | 🛠️ Tool | 🔐 Cryptography | 💣 Key Destruction

🔗 Original article: https://blog.trailofbits.com/2025/06/10/what-we-learned-reviewing-one-of-the-first-dkls23-libraries-from-silence-laboratories/

Trail of Bits audited Silence Laboratories' Silent Shard TSS library using the DKLs23 OT-based protocol, uncovering critical nonce reuse and abort handling flaws that enabled key destruction attacks, which were promptly fixed.

deep valeBOT
#

🛡️ CVE | 💣 RCE | 🕸️ Web | 🛠️ EoP

🔗 Original article: https://blog.rapid7.com/2025/06/10/patch-tuesday-june-2025/

Microsoft June 2025 Patch Tuesday fixes 67 vulnerabilities including two zero-days: WebDAV RCE (CVE-2025-33053) exploited by Stealth Falcon, and SMB client EoP (CVE-2025-33073). Critical RCEs affect KDC Proxy and Office Preview Pane. Immediate patching is recommended.

deep valeBOT
#

🛡️ Supply Chain | 🛠️ Tool | 🌐 Web | 🛡️ CVE

🔗 Original article: https://sensepost.com/blog/2025/depscanner-find-orphaned-packages-before-the-bad-guys-do/

Depscanner detects orphaned dependencies in GitHub repos vulnerable to supply chain attacks, demonstrated with npm and Python examples. It reveals a real vulnerability involving pnpm workspaces and shows how attackers can exploit missing packages for code execution.

#

🛡️ CVE | 🌐 Web | 💣 RCE | 🛠️ Tool

🔗 Original article: https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025

CVE-2025-33073 is a Windows SMB client vulnerability allowing authenticated remote SYSTEM command execution via NTLM reflection bypass using crafted DNS records. The blog details discovery, exploitation, Kerberos impact, and patch analysis with commands and code.

#

🛡️ CVE | 🌐 Web | 💣 RCE | 🛠️ Tool

🔗 Original article: https://www.synacktiv.com/en/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025.html

CVE-2025-33073 is a critical Windows SMB client vulnerability allowing authenticated remote SYSTEM command execution by abusing NTLM local authentication via crafted DNS records. The blog details discovery, exploitation, root cause, Kerberos impact, and patch analysis.

wild ibex
#

LLMs are going to kill source code audits.
They are faster, cheaper and with all the context they are getting better than senior pentesters. However, it's not as easy as copy-paste the whole code of a repository and send it to a LLM, as that is usually too big and there is always code that, even if vulnerable, won't be reachable from an ...

deep valeBOT
#

🌐 Web | 🛡️ CVE | 💣 RCE | 💰 Bug Bounty

🔗 Original article: https://research.checkpoint.com/2025/from-trust-to-threat-hijacked-discord-invites-used-for-multi-stage-malware-delivery/

A malware campaign hijacks expired Discord invite links to redirect users to malicious servers, delivering multi-stage payloads including AsyncRAT and Skuld Stealer targeting crypto wallets, using advanced evasion and trusted cloud services for stealthy infection.

#

🛡️ CVE | 🌐 Web | 💣 RCE | 💉 Arbitrary File Upload

🔗 Original article: https://horizon3.ai/attack-research/attack-blogs/cisco-ios-xe-wlc-arbitrary-file-upload-vulnerability-cve-2025-20188-analysis/

CVE-2025-20188 is an unauthenticated arbitrary file upload vulnerability in Cisco IOS XE WLC caused by a hard-coded JWT secret. Exploitation enables remote code execution via path traversal in file uploads. Mitigation requires patching or disabling the vulnerable feature.

#

🌐 Web | 🛡️ Obfuscation | 💉 Malvertising | 🛠️ JavaScript

🔗 Original article: https://unit42.paloaltonetworks.com/malicious-javascript-using-jsfiretruck-as-obfuscation/

Malicious JavaScript using JSFireTruck obfuscation infects websites, redirecting search engine traffic to malicious iframes. The blog explains the obfuscation technique, exploitation steps, and detection methods.

deep valeBOT
#

🛡️ CVE | 📱 iOS | 💣 Zero-click | 🕵️‍♂️ Forensics

🔗 Original article: https://citizenlab.ca/2025/06/first-forensic-confirmation-of-paragons-ios-mercenary-spyware-finds-journalists-targeted/

Forensic analysis confirms Paragon's Graphite spyware exploited a zero-click iMessage vulnerability (CVE-2025-43200) to stealthily infect journalists' iOS devices, with mitigation in iOS 18.3.1. This enables full remote compromise, posing severe privacy risks.

deep valeBOT
#

📱 Mobile | 🛠️ Tool | 🌐 Web | 🛡️ CVE

🔗 Original article: https://www.mobile-hacker.com/2025/06/12/stryker-app-goes-free-the-ultimate-mobile-pentesting-toolkit

Stryker is a free Android pentesting app offering WiFi and network vulnerability scanning, WPS and WPA attacks, exploit management, and integration with tools like Nmap and Metasploit, enabling powerful mobile penetration testing with root access.

deep valeBOT
#

📱 Android | 🛠️ Tool | 🛡️ Security | 💣 Exploitation

🔗 Original article: https://www.mobile-hacker.com/2025/06/16/how-to-run-adb-and-fastboot-on-a-non-rooted-android-smartphone-using-termux/

Run ADB and Fastboot on non-rooted Android phones using Termux, enabling pentesting, rooting, and forensics without a PC. Exploits include apps with debuggable or backup-enabled flags, and CVE-2024-0044 data exfiltration.

deep valeBOT
#

🌐 Web | 🛡️ CVE | 💉 SQLi | 🛠️ Tool

🔗 Original article: https://infosecwriteups.com/exploiting-unsanitized-url-handling-sql-injection-via-deep-links-in-ios-app-write-up-of-flipcoin-066899b09fc2

Flipcoin iOS app has a local SQL Injection via unsanitized deep link parameters. Using Ghidra and Frida, an attacker extracts sensitive recovery keys and exfiltrates data remotely through the unsanitized 'testnet' parameter.

deep valeBOT
#

🛡️ CVE | 🌐 Web | 🎁 PoC | 💰 Bug Bounty

🔗 Original article: https://medium.com/@mrxdevil404/how-i-bypassed-rate-limits-to-trigger-account-takeovers-sms-flooding-and-impersonation-9ed42ca1501f

This post reveals how bypassing rate limits in password resets, KYC tokens, and SMS sending can lead to account takeovers, impersonation, and financial loss, with detailed scripts and WAF bypass techniques.

#

🛡️ CVE | 🌐 Web | 💣 RCE | 🎁 PoC

🔗 Original article: https://sean.heelan.io/2025/05/22/how-i-used-o3-to-find-cve-2025-37899-a-remote-zeroday-vulnerability-in-the-linux-kernels-smb-implementation/

A remote use-after-free vulnerability (CVE-2025-37899) in the Linux kernel SMB implementation was discovered using OpenAI's o3 LLM, demonstrating AI-assisted vulnerability research with detailed code analysis and exploitation steps.

deep valeBOT
#

🛡️ CVE | 🌐 Web | 🎁 PoC | 🔐 Encryption

🔗 Original article: https://github.com/honestcorrupt/-CVE-Proof-of-Concept-Airtel-Android-App-Insecure-Local-Storage-of-Sensitive-Data

Airtel Android app stores sensitive payment and user data unencrypted in local storage, exposing it to theft and privacy risks. PoC video shows how to access this data. CVE-2025-5154 reported. Fix: use AES-256 encryption and Android Keystore.

deep valeBOT
#

🛡️ CVE | 🌐 Web | 💣 RCE | 🎁 PoC

🔗 Original article: https://www.cyberark.com/resources/threat-research-blog/is-your-ai-safe-threat-analysis-of-mcp-model-context-protocol

Thorough threat analysis of MCP reveals 13 vulnerabilities including tool poisoning, command injection, path traversal, and admin bypass, enabling data theft and remote code execution. Mitigations include code review, sandboxing, and strict user approvals.

#

🛡️ CVE | 🌐 Web | 💣 RCE | 🎁 PoC

🔗 Original article: https://blog.koi.security/marketplace-takeover-how-we-couldve-taken-over-every-developer-using-a-vscode-fork-f0f8cf104d44

A critical flaw in Open VSX's auto-publishing workflow lets attackers steal privileged tokens during npm install, enabling full marketplace takeover and remote code execution on millions of developer machines.

deep valeBOT
#

🛡️ CVE | 🌐 Web | 💣 RCE | 🎁 PoC

🔗 Original article: https://www.token.security/blog/azures-role-roulette-how-over-privileged-roles-and-api-vulnerabilities-expose-enterprise-networks

Azure built-in roles have over-privileged read permissions allowing attackers to leak VPN pre-shared keys via a vulnerable GET API, enabling network access. Microsoft fixed the VPN key leak but not the over-privileged roles issue.

deep valeBOT
#

🛡️ Ad Fraud | 📱 Android | 🎁 PoC | 🛠️ Obfuscation

🔗 Original article: https://www.humansecurity.com/learn/blog/satori-threat-intelligence-alert-iconads/

IconAds is a sophisticated Android ad fraud operation using obfuscated code, hidden launcher activities, unique C2 domains, and Play Store signature checks to hide malicious apps that load out-of-context ads, generating massive fraudulent ad traffic.

deep valeBOT
#

🛡️ CVE | 🌐 Web | 🎁 PoC | 💣 RCE

🔗 Original article: https://medium.com/@terp0x0/how-i-found-my-first-critical-bug-bounty-unauthenticated-arbitrary-file-upload-lead-to-lfi-via-5f33c80fc44f

Critical unauthenticated arbitrary file upload leads to LFI via filename path traversal. Using curl, sensitive files like /etc/passwd were accessed remotely. PHP uploads do not execute, so no RCE was possible.

deep valeBOT
#

🛡️ CVE | 🌐 Web | 🎁 PoC | 💣 Memory Leak

🔗 Original article: https://labs.watchtowr.com/how-much-more-must-we-bleed-citrix-netscaler-memory-disclosure-citrixbleed-2-cve-2025-5777/

CVE-2025-5777 is a memory disclosure in Citrix NetScaler caused by uninitialized variable use when the 'login' parameter lacks a value, leaking stack data via XML responses. The blog details exploitation, patch analysis, detection, and active in-the-wild attacks.

deep valeBOT
#

🛡️ CVE | 🌐 Web | 💣 RCE | 🎁 PoC

🔗 Original article: https://unit42.paloaltonetworks.com/initial-access-broker-exploits-leaked-machine-keys/

An initial access broker exploits leaked ASP.NET Machine Keys to execute malicious .NET assemblies in IIS memory via View State deserialization, enabling stealthy remote code execution and post-exploitation activities including privilege escalation and network reconnaissance.

deep valeBOT
#

🌐 Web | 🛡️ CVE | 🔍 Recon | 💥 Memory Leak

🔗 Original article: https://doublepulsar.com/citrixbleed-2-electric-boogaloo-cve-2025-5777-c7f5e349d206

  • CVE-2025-5777: Unauthenticated remote memory leak in Citrix NetScaler Gateway/AAA
  • Exploit: Crafted HTTP GET returns raw memory dump
  • Analysis: Extract CITRIXSESSION and PCoIP tokens with xxd/scripts
  • Hijack: Replay tokens via Cookie header to bypass MFA
  • Recon: Shodan query http.favicon.hash:-1292923998,-1166125415 or org:YourOrg ssl:YourOrg html:Citrix
  • Impact: CVSS 8.8, high confidentiality; ICA/PCoIP session takeover
  • Remediation: Patch and run kill icaconnection -all & kill pcoipConnection -all

#

📡 IoT | 💣 RCE | 🛠️ Tool | 🎁 PoC

🔗 Original article: https://www.synacktiv.com/en/publications/from-cheap-iot-toy-to-your-smartphone-getting-rce-by-leveraging-a-companion-app.html

Summary

  • Analyzed the Android LW FPV app (com.klh.lwfpv) controlling the Eachine E58 drone on Android 14.
  • Unpacked Bangcle with Frida; extracted native libraries (liblewei-3.2.2.so, liblewei_uartprotol.so, liblewei63.so, libFHDEVNet.so).
  • Identified multiple memory corruption bugs: H264 heap overflow, VGA stream heap OOB write, JNI heap overflow, BSS overflow in FlyInfo parsing, stack overflow in GetUserList.
  • Built a two-stage NC() leak primitive to exfiltrate stack cookies and base addresses.
  • Exploited JNI heap overflow to corrupt LinearAllocator dtor list in libhwui.so and created a Call-Oriented Programming primitive.
  • Leveraged a gadget to leak libc and call system(), achieving full RCE on the smartphone.
  • Tools: Wireshark, Frida, Python. Unpatched as of July 2025.

#

🛡️ CVE | 🔗 DLL Sideloading | 🔒 Privilege Escalation | 🎁 PoC

🔗 Original article: https://trustedsec.com/blog/cve-2025-1729-privilege-escalation-using-tpqmassistant-exe

CVE-2025-1729 is a DLL sideloading privilege escalation in Lenovo’s TPQMAssistant.exe. A daily scheduled task runs the binary from the user-writable C:\ProgramData\Lenovo\TPQM\Assistant directory, allowing insertion of a malicious hostfxr.dll. When loaded, the DLL executes arbitrary code under the current user. If an administrator logs in before the next run, the malicious DLL executes in their session (medium integrity), enabling privilege escalation to SYSTEM via UAC bypass. Mitigation: update to TrackPoint Quick Menu v1.12.54.0 (UWP), which relocates the binary to a protected path and removes the vulnerable task. 🎁 PoC

deep valeBOT
#

🌐 Web | 🛡️ CVE | 🗒️ Info Disclosure | 🎁 PoC

🔗 Original article: https://horizon3.ai/attack-research/attack-blogs/cve-2025-5777-citrixbleed-2-write-up-maybe/

CVE-2025-5777 is a high-severity memory disclosure in Citrix NetScaler ADC/Gateway that leaks up to 127 bytes of adjacent heap/stack memory via the /p/u/doAuthentication.do endpoint by sending a POST with only the login field. The nsppe parser reuses buffers without clearing all form data, causing an uninitialized pointer to be reflected and null-terminated in the HTTP response. Attackers can exfiltrate nsroot session tokens and plaintext credentials using curl or a simple Python polling script. Indicators include debug logs (ns.log) with non-printable characters and multiple active sessions per user. Mitigation requires patching to versions ≥ 14.1-43.56/13.1-58.32, terminating ICA/PCoIP sessions, and auditing using show ns runningConfig -withDefaults and diff.

#

🖥️ Active Directory | 🛠️ Tool | 🔑 Password Cracking | 📊 Audit

🔗 Original article: https://www.pentestpartners.com/security-blog/how-to-conduct-a-password-audit-in-active-directory-ad/

  • Step-by-step guide to extract AD password hashes via ntdsutil.exe, vssadmin and Impacket secretsdump (remote/offline).
  • Transfer files to Kali with impacket-smbserver and robocopy.
  • Crack NTLM hashes using John the Ripper (custom rules) and Hashcat (-m 1000, -a 0, -r).
  • Analyze cracked credentials and privileged groups with DPAT to produce metrics on password strength, reuse and compliance.
  • High-severity impact: plaintext AD credentials enable full domain compromise, requiring ongoing audits and remediation.

#

🛡️ CVE | 🌐 Web | 💧 InfoLeak | 🔍 Shodan

🔗 Original article: https://doublepulsar.com/citrixbleed-2-electric-boogaloo-cve-2025-5777-c7f5e349d206

  • CitrixBleed 2 (CVE-2025-5777) is an unauthenticated remote memory leak in Citrix NetScaler Gateway/AAA servers.
  • A simple HTTP request returns server memory, exposing session tokens and credentials.
  • Attackers can replay leaked tokens to hijack sessions and bypass MFA.
  • Discover vulnerable hosts via Shodan: http.favicon.hash:-1292923998,-1166125415 or org:YourOrg ssl:YourOrg html:Citrix.
  • Mitigation: apply fixed builds (CTX693420), then run:
    kill icaconnection -all
    kill pcoipConnection -all
    
#

🛡️ CVE | 💣 DLL Sideloading | 🖥️ Windows | 🎁 PoC

🔗 Original article: https://trustedsec.com/blog/cve-2025-1729-privilege-escalation-using-tpqmassistant-exe

  • Lenovo TPQMAssistant.exe (CVE-2025-1729) runs daily at 9:30 AM under the logged-in user in a writable folder (C:\ProgramData\Lenovo\TPQM\Assistant).
  • It attempts to load hostfxr.dll from its folder, which is missing, enabling DLL sideloading.
  • A PoC hostfxr.dll showing a message box confirms code execution on the next task run.
  • When an administrator logs in, the task loads the malicious DLL in their session; existing UAC bypasses can escalate to SYSTEM.
  • Lenovo’s fix (UWP TrackPoint Quick Menu v1.12.54.0) relocates the scheduler to C:\Program Files (x86)\Lenovo\TPQM\TPQMAssistant and removes the legacy Win32 task.

#

📡 IoT | 📱 Mobile | 💣 RCE | 🎁 PoC

🔗 Original article: https://www.synacktiv.com/en/publications/from-cheap-iot-toy-to-your-smartphone-getting-rce-by-leveraging-a-companion-app.html

  • The LW FPV Android app for the Eachine E58 drone was reverse-engineered on Android 14 to target native JNI libraries and drone endpoints (TCP 7060/8060, UDP 40000/50000, TCP 8888).
  • Multiple memory corruptions were discovered: AVC and VGA stream heap overflows/OOB writes, JNI heap overflow (SendGetRecPlan), BSS overflow (ParseGLInfoData), stack overflow (GetUserList) and an in-protocol info leak via NC.
  • The leak primitive discloses stack canaries, heap pointers and library base addresses.
  • A heap overflow corrupts libhwui’s LinearAllocator destructor list, yielding a call-oriented programming primitive.
  • Using COP, sub_738E8 is invoked to leak libc, then system("sh") is called for full RCE.
  • PoC includes Frida and Python scripts automating the chain.

deep valeBOT
#

🛡️ CVE | 💣 RCE | ✉️ Email | 🎁 PoC

🔗 Original article: https://www.exploit-db.com/exploits/52356

CVE-2025-47176 is a high-severity RCE in Outlook’s SyncObject.Path parser. A Python PoC uses pywin32 to dispatch Outlook, create a MailItem with a malicious path (..\..\..\windows\system32\cmd.exe), and host an HTTP server that triggers path normalization via os.path.normpath, resulting in a shutdown /r /t 5. Alternatively, a crafted .prf (with OfflineAddressBookPath=.../...//...//windows/system32/cmd.exe) imported via OUTLOOK.EXE /importprf malicious.prf achieves the same effect without scripting. Test only in controlled environments.

#

🤖 Android | 💬 Telegram | 🦠 Malware | 💳 Financial

🔗 Original article: https://www.group-ib.com/blog/rise-of-qwizzserial/

Qwizzserial is a Kotlin-based Android SMS stealer spread via fake Telegram channels impersonating government and financial services. Using a Classiscam-style operation and Telegram bots, attackers auto-generate customized APKs that persistently request SMS/phone permissions, prompt for bank card and phone details, then intercept and zip SMS data. It flags balance-related messages using regex, issues USSD queries for SIM info, and exfiltrates data via Telegram Bot API. Later variants add NP Manager & Allatori obfuscation, battery-optimization bypass, and switch to HTTP gate servers (http://llkjllj.top) before relaying to Telegram. Over ~1,200 variants emerged, infecting ~100K devices in Uzbekistan and stealing at least US$62K. Prevention includes behavior-based detection of sideloaded SMS apps, user education, and avoiding untrusted APKs.

deep valeBOT
#

📱 Android | 💣 Tapjacking | 🛡️ CVE | 🎁 PoC

🔗 Original article: https://taptrap.click/

  • TapTrap abuses Android activity transition animations to invisibly launch a target activity that intercepts user taps.
  • A zero-permission app uses startActivity() with overridePendingTransition() or ActivityOptions.makeCustomAnimation() and a custom animation (alpha 0.01, duration 3000ms) to hide the new screen.
  • Decoy UI elements in the malicious app align with hidden prompts’ controls, causing taps to confirm sensitive actions.
  • The app relaunches itself before the animation ends to conceal the hidden activity.
  • Analysis of 99,705 apps found 76.3% vulnerable; a 3s→6s off-by-one bug doubles the attack window.
  • Impact includes silent permission grants, device admin activation for remote wipe, and stealthy attacks on apps and websites.
  • Firefox (CVE-2025-1939) and Chrome (CVE-2025-3067) have patches; Android remains unpatched. Disable or reduce system animations to mitigate.

deep valeBOT
#

🛡️ CVE | 🌐 Web | 🛠️ Tool | 🎁 PoC

🔗 Original article: https://github.com/win3zz/CVE-2025-5777

CVE-2025-5777 (CitrixBleed 2) is an out-of-bounds read in Citrix NetScaler ADC/Gateway’s authentication endpoint /p/u/doAuthentication.do. A malformed POST with login (no ‘=’) causes the server to leak ~127 bytes of uninitialized stack memory in the <InitialValue> XML tag. The Python3 PoC exploit.py uses aiohttp, colorama, regex extraction, and a custom hex dump to automate memory leaks (dependencies: pip3 install aiohttp colorama). Leaked tokens and credentials enable session hijacking and MFA bypass. Mitigate by applying Citrix firmware CTX693420 (e.g., 14.1-43.56, 13.1-58.32+, 12.1-55.328+, 13.1-37.235+) and by monitoring for and restricting malformed POSTs.

#

🖥️ Windows | 🛡️ CVE | 💣 LPE | 🎁 PoC

🔗 Original article: https://github.com/Wh04m1001/CVE-2025-48799

CVE-2025-48799 is a local Windows Update service privilege escalation on Windows 10/11 when Storage Sense is set to install apps on a secondary drive. By creating an NTFS junction from the install folder on, e.g., D:\WindowsApps to a protected directory like C:\Windows\System32\config, wuauserv—running as SYSTEM—will follow and delete that folder. A C++ PoC automates registry changes, junction creation, and AppX installation via PowerShell or COM, then plants a malicious DLL or executable in the deleted system folder. On load by a SYSTEM process, the attacker spawns a SYSTEM cmd.exe. Mitigation: reset Storage Sense, delete attacker-controlled junctions, and install Microsoft’s July 2025 patch.

deep valeBOT
#

🔍 Recon | 🌐 Web | 🛠️ Tool | 💰 Bug Bounty

🔗 Original article: https://www.yeswehack.com/learn-bug-bounty/recon-series-recap-reconnaissance-footprinting

  • Recon Series Recap: A three-part guide on reconnaissance:
  1. Fundamentals: Passive (WHOIS, DNS, CRT logs, OSINT) vs active (Nmap, forced browsing).
  2. Endpoint & Parameter Discovery: Burp Suite crawling, robots.txt/sitemap.xml, Google dorks, JS analysis (LinkFinder, Burp extensions), bookmarklets, fuzzing with ffuf/Gobuster/Burp Intruder.
  3. Subdomain & Asset Enumeration: Passive via Subfinder/Amass/certs; active DNS brute-forcing, Host header fuzzing, reverse DNS (dnsx), crawler extraction, live host probing (httpx).
  4. HTTP Fingerprinting: Header analysis, banner grabbing, malformed requests, error page inspection, cookie fingerprinting, passive Shodan/Wappalyzer checks.
    Tools: Burp Suite, Nmap, ffuf, Gobuster, Subfinder, Amass, dnsx, httpx, BChecks, curl, openssl.

deep valeBOT
#

🪟 Windows | 🗄️ Filesystem | ⚠️ Info Disclosure | 🎁 PoC

🔗 Original article: https://swarm.ptsecurity.com/buried-in-the-log-exploiting-a-20-years-old-ntfs-vulnerability/

Buried in the log: Exploiting a 20-Year-Old NTFS Vulnerability describes CVE-2017-11817, an NTFS driver flaw in Windows 7 and earlier that writes uninitialized kernel pool memory to the hidden $LogFile journal on volume mount. The bug originates from Ntfs!LfsRestartLogFile omitting a memset after ExAllocatePoolWithTag; Windows 8+ inserts this fix. Attackers can mount any NTFS volume and read $LogFile via raw disk access (e.g., dd or Win32 CreateFile/ReadFile) to extract ~7.5 KB of leaked kernel data. Researchers used bochspwn and WinDbg to identify the leak; public PoC and dump scripts on Packet Storm automate locating the “RSTR” records and extracting the 3800-byte buffers for forensic analysis.

deep valeBOT
#

🌐 Web | 🛡️ CVE | 💣 RCE | 🎁 PoC

🔗 Original article: https://linz04.github.io/2025/06/20/CVE-2025-5959/

CVE-2025-5959 is a WebAssembly type confusion in V8 where the canonicalization compared only the type index, ignoring nullability bits. By performing a birthday attack on the 64-bit MurmurHash hashing of canonical types and permuting ref/ref null fields across >32-field structs, an attacker can create two distinct struct types (structA, structB) with identical canonical indices. A JavaScript PoC uses WasmModuleBuilder to store null in a nullable struct and then load it via a non-nullable struct, triggering a SIGSEGV. This primitive enables arbitrary read/write, OOB memory access, and potential sandbox escape. The patch adds a check for matching bitfield flags (is_equal_except_index) before index comparison in CanonicalType::Equals(). Update to the latest V8/Chrome release to mitigate this issue.

deep valeBOT
#

🌐 Web | 🔐 Auth Bypass | 💉 IDOR | 🎁 PoC

🔗 Original article: https://ian.sh/mcdonalds

McHire vulnerabilities summary: 1) A hidden “Paradox team members” login at https://www.mchire.com/signin accepts default credentials (123456:123456), granting admin access to internal workflows. 2) An IDOR in PUT /api/lead/cem-xhr allows attackers to enumerate lead_id values and retrieve full PII, candidacy history, and raw auth tokens for any applicant. PoC cURL demonstrates exploitation. Combined, these flaws exposed over 64 million records. Paradox.ai patched both issues within 24 hours.

#

📡 Hardware | 🔍 Reverse-engineering | 💣 RCE | 🎁 PoC

🔗 Original article: https://www.synacktiv.com/en/publications/let-me-cook-you-a-vulnerability-exploiting-the-thermomix-tm5.html

Thermomix TM5 exploit: Reverse-engineered the TM5 main board, handled GPMIC-interleaved metadata to recover firmware and keys. Decrypted Cook Sticks (USB recipe modules) encrypted via AES-128-CBC, bypassed firmware anti-downgrade by tampering AES-EAX nonces, gained arbitrary code execution and persistence via rootfs patch and malicious firmware installation.

#

🌐 Web | 🛡️ CVE | 💣 RCE | 🎁 PoC

🔗 Original article: https://www.synacktiv.com/publications/laravel-appkey-leakage-analysis.html

  • Overview of Laravel’s AES-256-CBC+HMAC encryption and JSON payload format.
  • The default `decrypt()` method unserializes decrypted data, enabling RCE if `APP_KEY` is known.
  • Introduction of PHPGGC for gadget chains and the **laravel-crypto-killer** tool for encrypt/decrypt/bruteforce. 🎁 PoC
  • Exploits on Invoice Ninja (CVE-2024-55555), Snipe-IT (CVE-2024-48987), Crater (CVE-2024-55556) via pre-auth deserialization.
  • Large-scale capture of default Laravel cookies and offline brute forcing of `APP_KEY` with laravel-crypto-killer and the high-performance `nounours` (~1.5 B tries/s).
  • Results: ~3.99%→~3.56% crack rates, ~1.3 k servers still vulnerable to CVE-2018-15133, widespread key reuse patterns.
deep valeBOT
#

🌐 Web | 🛡️ CVE | 💣 RCE | 🎁 PoC

🔗 Original article: https://www.offsec.com/blog/cve-2025-27636/

CVE-2025-27636 is a remote code execution vulnerability in Apache Camel’s exec component due to case-sensitive header filtering. Affected versions: 3.10.0–3.22.3, 4.8.0–4.8.4, 4.10.0–4.10.1. Attackers can upload a malicious Camel XML route and send HTTP requests with mixed-case headers (e.g., CAmelExecCommandExecutable, CAmelExecCommandArgs) to execute OS commands. Patched in 3.22.4+, 4.8.5+, 4.10.2+. Mitigations: upgrade Camel, restrict endpoint access, normalize headers via WAF, and run as a non-root user.

#

🌐 Web | 🛡️ WAF | 💣 Bypass | 🎁 PoC

🔗 Original article: https://trustedsec.com/blog/azures-front-door-waf-wtf-ip-restriction-bypass

The blog reveals that Azure Front Door WAF’s default IP restriction variable RemoteAddr accepts X-Forwarded-For header values, enabling IP allowlist bypass by spoofing the header. A simple curl -H "X-Forwarded-For: allowed_ip" returns HTTP 200 despite a 403 policy. Attackers can automate enumeration of allowed IPs using Burp Suite Intruder by fuzzing the X-Forwarded-For header over a /16 in ≈40 minutes. Microsoft declined to change this behavior. Recommended fixes: switch to SocketAddr, strip or validate XFF, or use Application Gateway WAF.

#

🛡️ CVE | 💉 SQLi | 🌐 Web | 💣 RCE

🔗 Original article: https://fortiguard.fortinet.com/psirt/FG-IR-25-151

Unauthenticated SQL Injection in FortiWeb GUI (CVE-2025-25257)

  • Critical (CVSS 9.6) SQLi in HTTP/HTTPS admin endpoints allows remote attackers to inject and execute arbitrary SQL without authentication.
  • Affected versions: 7.6.0–7.6.3, 7.4.0–7.4.7, 7.2.0–7.2.10, 7.0.0–7.0.10.
  • Exploitation: send payloads like ' OR '1'='1-- to bypass login, use UNION SELECT to dump admin_users, or inject UPDATE statements for password resets and RCE. Example with curl and automation via sqlmap.
  • Remediation: upgrade to 7.6.4+, 7.4.8+, 7.2.11+ or 7.0.11+; workaround: disable HTTP/HTTPS admin interface.
deep valeBOT
#

🛠️ Tool | 📡 Wireless | 📱 Android | 🎁 PoC

🔗 Original article: https://forums.kali.org/t/hijacker-on-the-samsung-galaxy-s10-with-wireless-injection/10305

  • Enables 802.11 packet monitor and injection on the Samsung Galaxy S10’s internal BCM4375B1 chip using NexMon and the Hijacker app.
  • Patch the firmware by flashing the NexMon Magisk zip and load it via LD_PRELOAD in Hijacker.
  • Configure monitor/injection commands with nexutil and ifconfig in Hijacker settings.
  • In a Kali chroot, preload the patched library (kalilibnexmon.so) to tools like wifite for injection without external adapters.
  • Impact: High; enables deauthentication, WPA2 handshake capture, and advanced wireless attacks directly on the device.
#

🛡️ Anti-analysis | 📦 DLL Sideloading | 💣 Obfuscation | 🛠️ Tool

🔗 Original article: https://unit42.paloaltonetworks.com/slow-tempest-malware-obfuscation/

  • Bundles loader DLL (`zlibwapi.dll`) and encrypted payload DLL (`ipc_core.dll`) in an ISO side-loaded by `DingTalk.exe`.
  • Loader invokes `GlobalMemoryStatusEx` to ensure ≥ 6 GB RAM before XOR-decrypting and mapping the payload in memory.
  • Main function (>17 k asm lines) uses dynamic `JMP RAX` obfuscation via nine-instruction dispatchers based on CPU flags (ZF/CF).
  • Deobfuscation: IDAPython locates `JMP RAX`, extracts dispatcher bytecodes, Unicorn emulates dispatchers to derive targets, patches direct jumps and triggers IDA reanalysis to restore the CFG.
  • Obfuscated `CALL RAX` calls resolved by emulation and an IDAPython SetCallee script to map Windows APIs, recovering function signatures and variables.
#

📱 Android | 🔗 Deep Link | 💣 App Impersonation | 🎁 PoC

🔗 Original article: https://medium.com/@frankheat/how-malicious-android-apps-can-impersonate-yours-using-deep-links-8eac7f245aaf

  • Malicious Android apps can hijack custom URI deep links by matching the application-level label and icon of a target app while keeping their own launcher identity.
  • Android’s chooser dialog uses application-level metadata, enabling visual impersonation when both apps handle the same scheme (e.g., `safebank://`).
  • PoC code for SafeBank and RecipeShare is available at https://github.com/frankheat/deeplink-impersonation-poc.
  • Impact: remote execution of malicious handlers, phishing of credentials, unauthorized actions.
  • Mitigation: use Android App Links with `autoVerify="true"` and a `DigitalAssetLinks.json`; users should avoid ambiguous dialog options and verify package names.
deep valeBOT
#

🛡️ CVE | 💣 RCE | 🌐 Web | 🎁 PoC

🔗 Original article: https://labs.watchtowr.com/pre-auth-sql-injection-to-rce-fortinet-fortiweb-fabric-connector-cve-2025-25257/

  • CVE-2025-25257: Unauthenticated SQL injection in Fabric Connector’s `get_fabric_user_by_token` via insecure `snprintf` across FortiWeb 7.0–7.6.
  • Diff: v7.6.3 uses dynamic SQL, v7.6.4 uses prepared statements.
  • Attack vector: `Authorization: Bearer %128s` parsed by `sscanf`, dropping spaces; bypass with MySQL comments (`/**/`) for time-based and boolean injections.
  • RCE chain: Exploit `INTO OUTFILE` to write a `.pth` into Python `site-packages`, abusing site hooks when `ml-draw.py` runs under `/bin/python`.
  • PoC assets: HTTP requests, diffs, GDB traces, demo video, GitHub repo. 🎁 PoC
#

🌐 Web | 💣 XXE | 🛠️ lxml | 🎁 PoC

🔗 Original article: https://www.yeswehack.com/dojo/dojo-ctf-challenge-winners-42

  • A Python web app parses user XML with `lxml.etree.XMLParser(load_dtd=True, resolve_entities=True)`, enabling XXE file reads.
  • Pre-lxml 5.4.0: Override an undefined DTD entity by loading `/tmp/xml/config.dtd`, defining a `%flag` parameter entity for `file:///tmp/flag.txt`, then nesting an error entity to trigger an exception that leaks the flag. 🎁 PoC
  • Post-lxml 5.4.0: Abuse libxml2’s parameter-entity support to define a general entity `c` with a `meow://%file;` URI. Invoking `&c;` causes an invalid URI error that discloses the flag. 🎁 PoC
  • Impact: arbitrary file disclosure, confidentiality loss.
  • Remediation: upgrade lxml ≥ 5.4.0, disable DTD/entities, validate/whitelist XML, hide raw parser errors.
deep valeBOT
#

🌐 Web | 🛡️ CVE | 💣 RCE | 💰 Ransomware

🔗 Original article: https://www.pentestpartners.com/security-blog/sil3ncer-deployed-rce-porn-diversion-and-ransomware-on-an-sftp-only-server/

Sil3ncer Deployed demonstrates how attackers exploited an outdated Telerik UI AsyncUploadHandler (v2016.1.225.45) via CVE-2019-18935 to gain RCE on Windows Server 2012, bypass Defender using PowerShell exclusions, establish persistence with a typo-named admin and registry backdoor, covertly re-enter through Ngrok tunnelling and RDP loopback, deploy custom Sil3ncer ransomware (using a JSON config to encrypt files with a .sil3ncer extension and drop Telegram-based ransom notes), and erase tracks via cleanup scripts and account deletion. Key mitigations include patching third-party components, hardening logging, alerting on suspicious commands, blocking tunnelling domains, and enforcing secure RDP access.

deep valeBOT
#

🌐 Web | ⛓️ Supply Chain Attack | 💣 RCE | 🎁 PoC

🔗 Original article: https://patchstack.com/articles/critical-malware-found-in-gravityforms-official-plugin-site/

  • GravityForms v2.9.12 was backdoored: an `update_entry_detail` hook exfiltrated metadata and wrote a base64-decoded PHP payload for RCE.
  • A second backdoor, `list_sections`, triggered via `notification.php`, validates a hardcoded token and enables unauthenticated admin creation, arbitrary code eval, file upload, user enumeration/deletion, and directory listing.
  • IoCs: IPs 185.193.89.19, 193.160.101.6; domains gravityapi.org/io; secret token; function names and file paths.
  • Patch to v2.9.13 (released July 7, 2025), block malicious domains/IPs, scan for affected files, and enforce code integrity checks.
deep valeBOT
#

🌐 Web | 💉 HTML Injection | 💣 SSRF | ☁️ AWS

🔗 Original article: https://medium.com/@0x_xnum/how-i-escalated-simple-html-injection-to-ssrf-via-pdf-rendering-682ea94b3194

  • Found HTML injection in the title field of a JSON-based certificate generator on learn.target.com.
  • Injected `<iframe>` tags rendered server-side via wkhtmltopdf/Puppeteer, fetching external URLs.
  • Confirmed SSRF by observing DNS/HTTP callbacks (Burp Collaborator, `nc -lvp 8000`).
  • Accessed AWS IMDSv1 at 169.254.169.254 endpoints to leak the IAM role name and temporary credentials.
  • High-severity impact: remote compromise of cloud resources; awarded $1,000.
deep valeBOT
#

🛠️ Tool | 🔍 Fuzzing | 🎁 PoC | 🌐 MS-RPC

🔗 Original article: https://www.incendium.rocks/posts/Revisiting-MS-RPC-Vulnerability-Research-automation/

  • MS-RPC-Fuzzer sorts RPC methods by output→input dependencies, reusing valid context handles for complex parameters.
  • Demonstrated on Printerbug: host IPv4 returns a usable handle for RpcOpenPrinter→RpcRemoteFindFirstPrinterChangeNotificationEx.
  • Offers default and sorted modes, NTLM coerce via UNC, overflow testing, file-path fuzzing, blacklisting.
  • Open source: warpnet/MS-RPC-Fuzzer 🎁 PoC
#

💣 Backdoor | 🛡️ DLL Sideloading | ☁️ Serverless C2 | 🚨 Cloud Exfiltration

🔗 Original article: https://unit42.paloaltonetworks.com/windows-backdoor-for-novel-c2-communication/

New HazyBeacon Windows backdoor abuses DLL sideloading in mscorsvw.exe and covert C2 via AWS Lambda URLs. It downloads 7z, file collector, and custom uploaders to gather targeted documents, archive and split them, and attempts exfiltration via Google Drive and Dropbox before cleaning up.

#

📱 Android | 🐧 Termux | 🔓 Privilege Escalation | 🎁 PoC

🔗 Original article: https://www.mobile-hacker.com/2025/07/14/shizuku-unlocking-advanced-android-capabilities-without-root/

  • Shizuku uses ADB or root to start a privileged Java Binder service, exposing system APIs without rooting.
  • Install rish in Termux to inherit ADB-level privileges and run shell commands like ps, netstat, and logcat.
  • Use Shizuku-enabled apps (Android Debloater, NetGuard, WiFiList, etc.) for system customization, network control, and security auditing.
#

🌐 Web | 💣 RCE | 🛠️ Tool | 🎁 PoC

🔗 Original article: https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/

ClickFix is a clipboard-hijacking social engineering technique using JavaScript to inject malicious commands into Win+R/Win+X dialogs, bypassing phishing controls. 2025 campaigns distributing NetSupport RAT, Latrodectus, and Lumma Stealer used ClearFake infrastructure to pastejack PowerShell or MSHTA commands, sideload loaders (msvcp140.dll, libcef.dll) and AutoIt droppers for RCE and persistence. Hunting involves parsing RunMRU entries, monitoring Security Event IDs 4688/4663, and correlating clipboard paste telemetry.

deep valeBOT
#

🛡️ CVE | 💣 RCE | 🌐 .NET | 🎁 PoC

🔗 Original article: https://www.lrqa.com/en/cyber-labs/remote-code-execution-in-broadcom-altiris-irm/

CVE-2025-5333 is a critical unauthenticated RCE in Broadcom Altiris IRM’s legacy .NET Remoting endpoint (tcp://host:4011/IRM/HostedService) due to insecure deserialization (TypeFilterLevel=Full). Discovered via PowerShell enumeration and dnSpy decompilation; exploited with James Forshaw’s ExploitRemotingService tool to invoke arbitrary methods (e.g., directory listing). Mitigations include closing port 4011, clearing IRM_HostedServiceUrl, restarting the service, and upcoming localhost-only binding.

deep valeBOT
#

🌐 eSIM | 💉 Type Confusion | 🛠️ Toolkit | 🎁 PoC

🔗 Original article: https://security-explorations.com/esim-security.html

Security Explorations exploited a Java Card VM type-confusion flaw in Kigen eUICC to gain arbitrary memory R/W, extract the GSMA ECC private key, and download plaintext eSIM profiles via SMS-PP OTA APDUs. Profiles were modified, cloned across eUICCs, and used to hijack calls/SMS (including OTPs). A custom toolkit automates discovery and exploitation. Kigen’s partial patch and GSMA TS.48 update mitigate only test-profile installation but leave core VM flaws unaddressed.

#

🛠️ Tool | 📡 IoT | 🐍 Python | 🌐 Network

🔗 Original article: https://github.com/7h30th3r0n3/Raspyjack

RaspyJack is an offensive network toolkit for Raspberry Pi Zero 2 W with a Waveshare 1.44″ LCD HAT. It offers interactive Nmap scans, one-click reverse shells, credential-capture via Responder/ARP MITM/DNS spoofing, on-device log/file browsing, system controls and extensibility through custom Python scripts.

#

⚙️ Firmware | 🖥️ Hardware | 🛡️ BIOS | 🎁 PoC

🔗 Original article: https://www.pentestpartners.com/security-blog/framework-13-press-here-to-pwn/

  • The Framework 13 chassis intrusion switch can be abused via a timed press-release pattern (2 s on/2 s off × 10) to reset BIOS settings.
  • This clears the admin password, disables Secure Boot and intrusion detection, and restores defaults.
  • An attacker can then boot external media (e.g., Kali Linux) for arbitrary code execution.
  • No vendor patch exists; enforce physical security and tamper-evident measures.
deep valeBOT
#

📱 Mobile | 🔒 Evasion | 🛠️ Obfuscation | 📶 C2

🔗 Original article: https://zimperium.com/blog/konfety-returns-classic-mobile-threat-with-new-evasion-techniques

Konfety is an Android malware that evades analysis by abusing ZIP header flags (fake encryption, unsupported BZIP), uses dual-app deception (identical package names), dynamically loads an encrypted secondary DEX via DexClassLoader, hides its icon, applies geofencing, and leverages the CaramelAds SDK plus browser redirects for ad fraud and payload delivery.

#

📡 RPC | 🛠️ Tool | 🧪 Fuzzing | 📈 Analysis

🔗 Original article: https://github.com/warpnet/MS-RPC-Fuzzer

MS-RPC-Fuzzer is a PowerShell module that leverages NtObjectManager to dynamically inventory and fuzz Microsoft RPC interfaces. It supports static and dependency-sorted fuzzing, logs each call to identify crashes, outputs results in allowed/denied/error JSON, and imports data into Neo4j for graph-based vulnerability analysis.

#

🌐 Web | 🛡️ CVE | 💣 RCE | 🎁 PoC

🔗 Original article: https://www.thezdi.com/blog/2025/7/14/cve-2025-4919-corruption-via-math-space-in-mozilla-firefox

CVE-2025-4919 is a critical JIT bug in Firefox’s IonMonkey. A flawed bounds-check elimination misclassifies wrapping additions in `Modulo` math space, merging checks on (i+5)|0 and (i+10)|0 over a 2^32-length Uint8Array, enabling controlled OOB access. A PoC reads/writes OOB, then uses standard addrOf/fakeObj primitives and WASM shellcode injection to achieve RCE. Patched in Firefox 138.0.4.

#

⚙️ RPC | 🛠️ Tool | 🔍 Fuzzing | 🎁 PoC

🔗 Original article: https://www.incendium.rocks/posts/Automating-MS-RPC-Vulnerability-Research/

Automates MS-RPC research by using NtObjectManager in PowerShell to parse IDL definitions, dynamically generate and bind RPC clients over named pipes with NTLM encryption, invoke methods like EfsRpcOpenFileRaw to obtain context handles, and drive a custom MS-RPC-Fuzzer PoC to randomize parameters and visualize results in Neo4j for efficient vulnerability triage.

#

🛠️ Tool | 🌐 Web | 🤖 AI | 🎁 PoC

🔗 Original article: https://portswigger.net/research/repeater-strike-manual-testing-amplified

Repeater Strike is an experimental AI-powered Burp Suite extension that ingests a single Repeater test—identifying parameters and IDOR-style flaws via AI—then auto-generates and mutates regex checks and retroactively scans your entire proxy history to uncover related vulnerabilities with minimal manual effort.

deep valeBOT
#

🛡️ CVE | 💣 RCE | 🔐 NTLM | 🎁 PoC

🔗 Original article: https://www.synacktiv.com/en/publications/la-reflexion-ntlm-est-morte-vive-la-reflexion-ntlm-analyse-approfondie-de-la-cve-2025.html

CVE-2025-33073 is a Windows SMB client flaw allowing remote-authenticated SYSTEM execution by abusing NTLM and Kerberos reflection via serialized SPNs. Using tools like PetitPotam, dnstool, ntlmrelayx, and krbrelayx, attackers force NTLM local calls or Kerberos AP-REQs to relay the SYSTEM token. Microsoft’s patch rejects serialized SPNs and enabling SMB signing prevents the exploit.

deep valeBOT
#

🌐 Web | 🛡️ CVE | 🔐 Auth | ⚠️ Account Takeover

🔗 Original article: https://patchstack.com/articles/account-takeover-in-password-policy-manager/

Password Policy Manager ≤2.0.4 has an unauthenticated account takeover (CVE-2025-31019) via the moppm_pass2login_redirect hook, which logs in any user_id when given a valid nonce. Extract the nonce from the reset form and replay it with a target ID to gain admin access. v2.0.3’s fix was bypassable; v2.0.5 binds session keys to user IDs. Upgrade now.

deep valeBOT
#

🛠️ Tool | 🎁 PoC | 🔐 Active Directory | 🗝️ Kerberos

🔗 Original article: https://github.com/Semperis/GoldenDMSA

Golden dMSA is a C#/.NET tool exploiting a new attack against Active Directory managed service accounts by extracting the DC’s KDS Root Key, enumerating dMSA/gMSA SIDs and ManagedPasswordIDs, and offline computing valid Base64 passwords. It supports enumeration, GUID wordlist generation, offline computation, and conversion to NTLM/AES hashes for stealthy lateral movement.

#

🔑 KDS Root Key | 🔒 Auth Bypass | 🎁 PoC | 🛠️ Tool

🔗 Original article: https://www.semperis.com/blog/golden-dmsa-what-is-dmsa-authentication-bypass/

  • Windows Server 2025’s delegated MSAs tie authentication to machine identity, but a design flaw in `msDS-ManagedPasswordId` limits time-based indices to 32 × 32 combinations, enabling offline brute force.
  • Attack steps: dump the KDS root key (`msKds-RootKeyData`), enumerate dMSAs via LSA RPC bypassing LDAP ACLs, reverse-engineer `ManagedPasswordId`, test 1,024 vectors to derive NTLM/AES256 keys, then Pass-the-Hash or Kerberos ticket forging.
  • The GoldenDMSA tool automates the exploit; forest-wide persistence and lateral movement become trivial.
deep valeBOT
#

📱 iOS | 🤖 Android | 🛡️ CVE | 🎁 PoC

🔗 Original article: https://www.mobile-hacker.com/2025/07/17/remote-input-injection-vulnerability-in-air-keyboard-ios-app-still-unpatched/

A remote input injection flaw (CVE WLB-2025060015) in the Air Keyboard iOS app due to an unauthenticated TCP listener on port 8888 allows any local attacker to inject keystrokes. The Android client uses an AES-ECB handshake on port 55535 but crashes on malformed payloads, enabling DoS. Devices can be found via nmap or adb netstat. Users should uninstall the iOS app, restrict Wi-Fi access, monitor open ports, and update promptly.

#

📱 Mobile | 💣 RCE | 🔒 TLS | 🎁 PoC

🔗 Original article: https://www.nowsecure.com/blog/2025/07/16/remote-code-execution-discovered-in-xtool-anyscan-app-risks-to-phones-and-vehicles/

  • NowSecure discovered that Xtool AnyScan’s custom TrustManager in `OKHttpDownload.buildTrustManagers()` disables TLS validation, enabling MITM attacks.
  • The app uses a hardcoded DES key/IV in `RemoteServiceProxy` to encrypt update metadata, allowing decryption and re-encryption.
  • Plugins (ZIP with `libscan.so`) are downloaded without authentication, unzipped without MD5 or signature checks, and loaded via `dlopen()` for arbitrary code execution.
  • A PoC using iptables/mitmproxy and a malicious `libscan_x64.so` achieves persistent RCE on Android and OBD-II vehicle compromise.
deep valeBOT
#

🎭 Social Engineering | 🛠️ Tool | ⛓️ Virtualization

🔗 Original article: https://trustedsec.com/blog/hiding-in-the-shadows-covert-tunnels-via-qemu-virtualization

  • Attacker phished via Microsoft Teams and used Quick Assist to drop a ZIP with portable QEMU binaries.
  • Two VBS scripts launched Tiny Core Linux VMs with SSH host-forwarding.
  • Inside the VM, they fetched a backdoor (123.out), edited bootlocal.sh and filetool.lst for persistence, and randomized hostnames to conceal the tunnels.
#

🛡️ CVE | 💣 RCE | 🧰 Deserialization | 🎁 PoC

🔗 Original article: https://www.offsec.com/blog/cve-2024-12029/

CVE-2024-12029 is a critical (9.8) deserialization vulnerability in InvokeAI 5.3.1–5.4.2. The /api/v2/models/install endpoint unsafely uses PyTorch’s torch.load() on attacker-supplied .ckpt files, enabling unauthenticated RCE via a crafted __reduce__ payload. Exploitation involves generating a malicious checkpoint, hosting it, and POSTing to the API. A Metasploit module automates this. Fixed in ≥ 5.4.3 by enabling default model scanning and supporting weights_only=True.

deep valeBOT
#

🔄 NTLM Relay | 🗄️ SQL Server | 🛠️ PXEthief | 🎁 PoC

🔗 Original article: https://specterops.io/blog/2025/07/15/id-like-to-speak-to-your-manager-stealing-secrets-with-management-point-relays/

  • Relay an SCCM Management Point’s machine account to the SQL Server via PetitPotam and ntlmrelayx.
  • Use mssqlclient to call MP_GetMachinePolicyAssignments and MP_GetPolicyBody, extracting hex blobs of NAAConfig, TS_Sequence, and CollectionSettings.
  • Decode with xxd and decrypt with PXEthief to recover network access and task sequence credentials.
deep valeBOT
#

🌐 Web | 🛡️ CVE | 💣 RCE | 🎁 PoC

🔗 Original article: https://opzero.ru/en/press/101-chrome-exploitation-part-0-preface/

101 Chrome Exploitation — Part 0: Preface presents a three-stage full-chain exploit for Chrome 130, including WebAssembly type confusion (CVE-2025-0291), V8 sandbox escape (Issue 379140430), and OS sandbox abuse via Mojo startDragging (CVE-2024-11114), with complete code, architecture diagrams, PoCs, and environment setup for full code execution.

deep valeBOT
#

🌐 Web | 💣 RCE | 🛠️ Tool | 🎁 PoC

🔗 Original article: https://gist.github.com/gboddin/6374c04f84b58cef050f5f4ecf43d501

Critical RCE in SharePoint: A crafted POST to the WebPart editing endpoint abuses `MSOTlPn_Uri` to load a malicious ASCX control and `MSOTlPn_DWP` to inject ASP.NET directives plus a gzipped Base64 DataTable into an `ExcelDataSet` control. Unsafe deserialization triggers full remote code execution. 🎁 PoC

#

📱 Android | 💣 Task Hijacking | 🎁 PoC | 🛡️ Mitigation

🔗 Original article: https://github.com/KMov-g/androidapps/blob/main/caller.id.phone.number.block.md

This blog post describes a task hijacking vulnerability in the Caller ID Android app caused by a default taskAffinity misconfiguration. A malicious app can declare an activity with the victim’s package name as its taskAffinity, allowing it to hijack the task stack, display phishing UIs, and steal credentials. It includes reproduction steps, attacker manifest and code, a PoC GIF, impact analysis, and mitigation by setting taskAffinity to an empty string.

#

🌐 Web | 🛡️ CVE | 💣 RCE | 🎁 PoC

🔗 Original article: https://research.eye.security/sharepoint-under-siege/

  • Eye Security uncovered “ToolShell,” an unauthenticated RCE chain in SharePoint (CVE-2025-49706 & CVE-2025-49704).
  • A PowerShell loader dropped `spinstall0.aspx` to leak ASP.NET machine keys.
  • Leaked keys were used with ysoserial to craft signed `__VIEWSTATE` payloads, achieving full RCE.
  • Dozens of servers compromised; remediation: patch, rotate machine keys, restart IIS, and respond swiftly.
deep valeBOT
#

📱 Android | 💰 Ad Fraud | 🔑 Credential Theft | 🛠️ Tool

🔗 Original article: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/unmasking-malicious-apks-android-malware-blending-click-fraud-and-credential-theft/

Trustwave SpiderLabs dissects an Android malware cluster delivering off-market APKs that abuse Android permissions to enable click fraud, credential harvesting, sandbox evasion, AES-ECB Base64-encoded C2 configs, crash-report fallback exfiltration, and signature bypass via ApkSignatureKillerEx for stealth.

deep valeBOT
#

🛡️ CVE | 💣 RCE | 🌐 Web | 🎁 PoC

🔗 Original article: https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/

Unit 42 reports active exploitation of SharePoint vulnerabilities CVE-2025-49704, CVE-2025-49706, CVE-2025-53770 and CVE-2025-53771 on Server 2016, 2019 and Subscription Edition. Attackers bypass MFA/SSO, exfiltrate web.config via debug_dev.js, deploy ASPX web shells (spinstall0.aspx) with Base64 PowerShell for ViewState key theft, and maintain persistence. PoCs available on GitHub. Unit 42 provides Cortex XDR XQL queries for detection. Immediate disconnection, patching, key rotation and IR engagement are recommended.

#

🌐 Web | 🛡️ CVE | 💣 RCE | 🎁 PoC

🔗 Original article: https://github.com/soltanali0/CVE-2025-53770-Exploit

PoC Python exploit for CVE-2025-53770 targeting SharePoint ToolPane.aspx WebPart injection. Authenticated users inject a GZIP-compressed serialized .NET gadget chain via the MSOTlPn_DWP parameter, causing unsafe deserialization (LosFormatter, BinaryFormatter, ObjectDataProvider) and RCE. Includes exploit.py, ysoserial.net instructions, payload structure, and example usage.

deep valeBOT
#

📱 Android | 🛡️ Spyware | 🛠️ Tool | 🌐 Infrastructure

🔗 Original article: https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware

DCHSpy is a modular Android surveillanceware by Iranian APT MuddyWater, disguised as VPN/banking apps (e.g., `starlink_vpn(1.3.0)-3012.apk`) and deployed via Telegram. It collects accounts, contacts, SMS, files, location, call logs, audio, photos, and WhatsApp data by loading dynamic modules and injecting hooks into Android APIs. Harvested data is compressed, AES-encrypted with a C2-supplied password, and exfiltrated via SFTP or HTTP to actor-controlled servers (e.g., `it1.comodo-vpn.com:1953`). Shared infrastructure reuse underscores high sophistication and severe espionage impact.

deep valeBOT
#

🌐 Web | 🛡️ CVE | 💣 RCE | ⛓️ Chain

🔗 Original article: https://bishopfox.com/blog/sitecore-experience-platform-vulnerabilities-critical-update-needed-for-versions-10-1-to-10-3

Sitecore Experience Platform 10.1–10.3 contains three critical, chained vulnerabilities—CVE-2025-34509 (hardcoded ServicesAPI credential), CVE-2025-34510 (ZIP slip path traversal), and CVE-2025-34511 (unrestricted PowerShell file upload)—that allow unauthenticated attackers to gain a session, overwrite files, and execute arbitrary code. Upgrading to 10.4 or applying Sitecore’s Security Hardening Guide mitigates these issues.

#

🛡️ CVE | 💣 LPE | 💉 XXE | 🎁 PoC

🔗 Original article: https://swarm.ptsecurity.com/the-guest-who-could-exploiting-lpe-in-vmware-tools/

  • CVE-2022-22977 affects VMware Tools’ Guest Authentication Service (VGAuthService.exe), letting local users hijack XML loads and cause DoS or XXE file leaks.
  • Attackers create `C:\Program%20Files\VMware\VMware%20Tools\etc` with a malicious `catalog`, triggering libxml2 errors or OOB HTTP exfiltration.
  • Patch to VMware Tools 12.0.5. 🎁
deep valeBOT
#

🛠️ Tool | 🤖 LLM | 🔓 Deobfuscation | 🐍 Python

🔗 Original article: https://www.mobile-hacker.com/2025/07/22/deobfuscating-android-apps-with-androidmeda-a-smarter-way-to-read-obfuscated-code/

Androidmeda is a Python tool that uses large language models to deobfuscate Android decompiled Java code by renaming variables, reconstructing control flow, injecting comments, and generating a JSON vulnerability report. Install via git clone and pip3 install -r requirements.txt, decompile with jadx, then run python3 androidmeda.py specifying --llm_provider and --llm_model. Supports local (LLaMA, Mistral) and API (GPT-4, Gemini, Claude). Case study on Crocodilus malware shows drastic reduction in analysis time.

deep valeBOT
#

🌐 Web | 🛡️ CVE | 🔒 Broken Access Control | 🐞 Account Takeover

🔗 Original article: https://patchstack.com/articles/account-takeover-vulnerability-affecting-over-400k-installations-patched-in-post-smtp-plugin/

Broken Access Control in Post SMTP ≤ 3.2.0 (CVE-2025-24000) let any logged-in user call REST endpoints to read full email logs and resend messages, enabling Subscriber-level attackers to extract admin password reset links and takeover sites. Patched in v3.3.0 by adding a current_user_can('manage_options') check. Upgrade now.

deep valeBOT
#

🌐 IPv6 | 💉 NDP | 🛠️ Tool | 🎁 PoC

🔗 Original article: https://blog.exploit.org/caster-legless/

  • Comprehensive IPv6 attack guide covering passive NDP sniffing, system tuning, RA spoofing, RDNSS injection, and DHCPv6 DNS spoofing using Python/Scapy and the mitm6 tool.
  • Includes full code snippets, sysctl/ip6tables commands, flag analysis, intervals, and mitigation via RA Guard, DHCPv6 Guard, and NDP inspection.
deep valeBOT
#

📱 Mobile | 💣 Malware | 🎣 Phishing | 🛡️ Defense Evasion

🔗 Original article: https://zimperium.com/blog/the-dark-side-of-romance-sarangtrap-extortion-campaign

Zimperium zLabs exposed the SarangTrap mobile extortion campaign using 250+ Android APKs and 88 SEO-optimized phishing domains to deliver spyware. It employs an invitation-code C2 gating mechanism to evade dynamic analysis, then prompts for SMS*, contacts and storage permissions, harvesting device IDs, contacts, images (via Luban) and SMS. An iOS variant uses a deceptive config profile sideload for access. Newer Android samples omit SMS permissions but still exfiltrate texts. Full IOCs in the GitHub repo.

deep valeBOT
#

📡 IoT | 💣 RCE | 🎁 PoC | 🛠️ Tool

🔗 Original article: https://blog.trailofbits.com/2025/07/25/exploiting-zero-days-in-abandoned-hardware/

Exploiting zero days in abandoned hardware: Trail of Bits exploited EOL IoT devices—Netgear WGR614v9 via UPnP auth bypass, buffer overflows, and novel bashsledding NOP sled for RCE; and Bitdefender Box v1 via firmware downgrade and md5 parameter command injection to inject SSH keys for persistent root. Utilized binwalk, unblob, QEMU, and SPI flash extraction. 🎁 PoC

deep valeBOT
#

📱 Android | ⚙️ IPC | 🔍 Enumeration | 🎁 PoC

🔗 Original article: https://www.pentestpartners.com/security-blog/android-services-101/

Android Services run background tasks accessible via IPC; AIDL services lack built-in permission checks. Enumerate with service list and brute-force service call to discover methods. Reverse-engineer vendor JARs (e.g., mediatek-services.jar) to map transaction codes in onTransact(). Identify unchecked methods like startMonitorProcessWithUid() (transaction 8) to trigger kernel-level Netlink actions and log via adb logcat.

#

🌐 Web | 🛡️ CVE | 💉 XXE | 🎁 PoC

🔗 Original article: https://www.offsec.com/blog/cve-2025-27136/

  • CVE-2025-27136 is a Medium-severity XXE in LocalS3’s CreateBucketConfiguration (pre-1.21), allowing unauthenticated file reads via crafted XML.
  • Exploit by defining an external entity in a DOCTYPE that references `file:///etc/passwd` and submitting it with curl 🎁 PoC.
  • Mitigate by upgrading to ≥1.21 and disabling external entity resolution in the XML parser.
#

🛡️ CVE | 💣 RCE | 📦 Docker | 🎁 PoC

🔗 Original article: https://www.thezdi.com/blog/2025/7/24/cve-2025-20281-cisco-ise-api-unauthenticated-remote-code-execution-vulnerability

An unsafe deserialization in Cisco ISE’s enableStrongSwanTunnel API (CVE-2025-20281) allows unauthenticated attackers to inject root commands. By abusing Java 8’s exec(String) tokenization with ${IFS} and escaping a privileged Docker container via cgroup user-mode helpers, the exploit achieves full host root shell.

deep valeBOT
#

🛠️ Tool | 🔍 Recon | ☁️ ADWS | ⛓️ LDAP

🔗 Original article: https://specterops.io/blog/2025/07/25/make-sure-to-use-soapy-an-operators-guide-to-stealthy-ad-collection-using-adws/

  • SoaPy brings SOAP-based ADWS enumeration to Linux, replaying Microsoft’s MC-NBFX/MS-NNS protocols for stealthy LDAP recon over TCP/9389.
  • Supports constrained queries, cross-platform SOCKS proxying, unintended writes (e.g., msDs-AllowedToActOnBehalfOfOtherIdentity), and BOFHound integration for BloodHound ingestion.
  • Demonstrates targeted domain and ADCS object collection, certificate request via Certipy, Kerberos ticket injection (Kerbeus) for domain compromise.
  • Recommends ADDS verbose logging and SACL canaries to detect ADWS recon.
#

🌐 Web | 📧 Email Security | 🔡 Unicode | 🎯 Phishing

🔗 Original article: https://unit42.paloaltonetworks.com/homograph-attacks/

  • Homograph attacks substitute Latin letters with Unicode homoglyphs (e.g., U+0397, U+043E) to bypass filters and impersonate brands.
  • Case studies: Google Drive share via Azure Blob URL; e-signature phishing with custom OTP/CAPTCHA and multi-stage redirects; Spotify impersonation using redirects.ca.
  • Defenses: Unicode code point analysis, mixed-script detection, and email security solutions like Cortex Advanced Email Security and XSOAR.
deep valeBOT
#

🛠️ Tool | 💣 RCE | 🎁 PoC | 🛡️ CVE

🔗 Original article: https://github.com/irsdl/ysonet

YSoNet is a fork of ysoserial.net that generates malicious .NET serialized payloads for unsafe deserialization. It supports multiple formatters (BinaryFormatter, Json.NET, XAML, MessagePack, etc.) and dozens of gadget chains (TypeConfuseDelegate, ActivitySurrogateSelector, DataSetOldBehaviour, ObjectDataProvider, PSObject, etc.). Install or build from source, then run ysonet.exe <Gadget> <Command> to emit a serialized blob. Useful for academic research and red-team testing of RCE in .NET applications.

deep valeBOT
#

🛠️ Tool

🔗 Original article: https://adaptix-framework.gitbook.io/adaptix-framework/changelog-and-updates/v0.6-greater-than-v0.7

  • v0.7 adds Credential Manager, AxScript engine with live console, and dynamic C2 UI menus in AdaptixC2.
  • Agent Beacon: Windows Server 2025 detection, robust payload validation, rundll32 DLL execution, rewritten BOF loader, and critical fixes.
  • Agent Gopher: Windows BOF support, process tree view, explicit run requirements, and rev2self token revert.
  • Extension-Kit: new and updated BOF modules (nanodump, potato-dcom), and new Access menu actions.
deep valeBOT
#

📱 Mobile | 💣 Trojan | 🖥️ RAT | 🎁 PoC

🔗 Original article: https://cyble.com/blog/redhook-new-android-banking-targeting-in-vietnam/

  • RedHook is an Android banking trojan distributed via phishing sites impersonating Vietnamese institutions, hosting malicious APKs on a public AWS S3 bucket.
  • It abuses Accessibility Service and overlay permissions for UI automation, input capture, and phishing overlays.
  • Performs staged exfiltration: ID upload, personal/banking data collection, PIN/OTP capture.
  • Establishes a WebSocket RAT with 34 numeric commands and uses MediaProjection API for live screen streaming.
  • Exposed infrastructure (misconfigured S3) revealed IOCs, Chinese-language artifacts, and operational history.
#

📱 Android | 💣 Banking Trojan | 🛡️ Malware Analysis | 🎁 PoC

🔗 Original article: https://www.bitsight.com/blog/toxicpanda-android-banking-malware-2025-study

ToxicPanda is an Android banking Trojan targeting Portuguese and Spanish users. It uses TAG-124 TDS for distribution, abuses Accessibility services to deploy WebView overlays over banking apps, implements a predictable monthly DGA with sequential TLD cycling, evades sandboxes via anti-emulation checks, encrypts C2 traffic (AES/ECB, DES/CBC), and persists via dynamic broadcast receivers. Removal requires ADB. 🎁 PoC and IOCs are available on GitHub.

deep valeBOT
#

🛠️ Tool | 🌐 Web | 💉 SQLi

🔗 Original article: https://blog.bughunt.com.br/sqlmap-vulnerabilidades-banco-de-dados/

SQLMap is a Python-based CLI tool that automates detection and exploitation of SQL Injection vulnerabilities. It tests dynamic URL parameters with Boolean/time-based/error-based payloads, parses responses, and enumerates DBMS objects using commands like --dbs, --tables, --columns, and --dump. Supports MySQL, PostgreSQL, Oracle, SQLite, and offers custom headers (--headers), session cookies (--cookie), authenticated scans (--auth-cred), and proxy integration (--proxy). Embed SQLMap in CI/CD or pentests for continuous security validation within authorized scopes.

#

🌐 Web | 🛡️ CVE | 💣 RCE | 🎁 PoC

🔗 Original article: https://labs.watchtowr.com/stack-overflows-heap-overflows-and-existential-dread-sonicwall-sma100-cve-2025-40596-cve-2025-40597-and-cve-2025-40598/

  • Three pre-auth vulnerabilities in SonicWall SMA100 v10.2.1.15: CVE-2025-40596 (stack overflow), CVE-2025-40597 (heap overflow), CVE-2025-40598 (reflected XSS).
  • CVE-2025-40596 uses unchecked sscanf into a 0x800-byte stack buffer.
  • CVE-2025-40597 uses __sprintf_chk with size -1 into a 0x80-byte heap chunk.
  • CVE-2025-40598 reflects the state parameter unsanitized in radiusChallengeLogin.
deep valeBOT
#

🌐 Web | 🛠️ Tool | 💣 RCE | 🔒 Malware

🔗 Original article: https://research.checkpoint.com/2025/jsceal-targets-crypto-apps/

JSCEAL is a modular, multi-stage malware campaign that uses paid malvertising to deliver a WIX MSI installer, which spins up a localhost HTTP listener (port 30303) via CustomActions.dll. Two JavaScript files on a fake landing site (primary.js, worker.js) drive WMI queries and scheduled-task deployment. A PowerShell backdoor fingerprints the host and, if approved, downloads a Node.js runtime plus a Brotli-compressed, obfuscated .jsc payload. JSCEAL then establishes a tRPC C2, installs a malicious HTTPS proxy for Man-in-the-Browser thefts, and performs RAT, Puppeteer automation, and wallet manipulation.

#

📡 Telecom | 🛡️ CVE | 💣 RCE | 🎁 PoC

🔗 Original article: https://unit42.paloaltonetworks.com/infiltration-of-global-telecom-networks/

The Covert Operator's Playbook analyzes CL-STA-0969's 2024 campaign against global roaming infrastructure. The actors gained SSH access via brute-force, deployed a PAM backdoor (AuthDoor), leveraged GTP-, ICMP- and DNS-based covert channels (GTPDoor, EchoBackdoor, NoDepDNS), used an SGSN emulator for GTP tunneling, and installed ChronosRAT. They escalated privileges with DirtyCow (CVE-2016-5195), PwnKit (CVE-2021-4034) and sudo overflow (CVE-2021-3156), set up reverse SSH tunnels over port 53, and evaded detection through log tampering, process masquerading and SELinux disabling. Open-source tools FScan, Responder, Microsocks, FRP and ProxyChains supported their operation.

deep valeBOT
#

🛡️ Social Engineering | 💉 Credential Harvesting | ✉️ BEC | 🤖 AI

🔗 Original article: https://unit42.paloaltonetworks.com/2025-unit-42-global-incident-response-report-social-engineering-edition/

  • Social engineering led initial access May 2024–May 2025, with high-touch MFA bypass via help desk manipulation and at-scale ClickFix campaigns delivering RedLine, Lumma and Lampion infostealers.
  • Techniques include real-time employee impersonation, SEO poisoning, malvertising, fake prompts, and living-off-the-land lateral movement using PowerShell, WMI, Graph API and RMM.
  • AI layers: automation for phishing, GenAI for personalized lures and voice cloning, agentic AI for autonomous reconnaissance.
  • Defenses: ITDR, UEBA, Zero Trust conditional access, network-layer controls, help desk hardening, just-in-time provisioning and social engineering drills.
deep valeBOT
#

🌐 Web | 🛡️ CVE | ↔️ Path Traversal | 🗑️ File Deletion

🔗 Original article: https://patchstack.com/articles/unauthenticated-arbitrary-file-delete-vulnerability-in-litho-the/

Litho Theme ≤ 3.0 contains an unauthenticated AJAX file-deletion flaw (CVE-2025-49879) in its custom font removal handler. Lack of nonce, capability checks, and sanitization of the fontfamily parameter allows path traversal (e.g. ../../wp-config.php), leading to arbitrary file deletion and site takeover. Upgrade to Litho 3.1 to enforce authentication, CSRF protection, and input sanitization.

deep valeBOT
#

🛡️ CVE | 💣 RCE | 🛠️ Tool | 🎁 PoC

🔗 Original article: https://www.synacktiv.com/publications/laravel-analyse-de-fuite-dappkey.html

Laravel APP_KEY Leakage Analysis: Examination of how Laravel’s AES-256-CBC + HMAC encryption and default decrypt() behavior (unserialize) lead to remote code execution when APP_KEY is exposed. Three CVEs (Invoice Ninja CVE-2024-55555, Snipe-IT CVE-2024-48987, Crater CVE-2024-55556) are dissected with full PoCs, and large-scale APP_KEY brute-forcing using Shodan, laravel-crypto-killer and the optimized nounours tool demonstrates 1.5 billion tries/sec.

deep valeBOT
#

📡 RFID | 🔋 Power | 🛠️ Tool | 🔧 Hardware Hacking

🔗 Original article: https://trustedsec.com/blog/lets-clone-a-cloner-part-3-putting-it-all-together

  • Complete assembly of a mobile MaxiProx RFID cloner
  • Integrated separate USB-PD trigger power for ESP RFID Tool
  • Added silent beeper kill-switch with accident-proof protective cap
  • Trimmed enclosure for battery fit, cable routes & power switch cut-out
  • Validated ~8 cm read range and tested shielding effectiveness
#

🌐 Web | 🛡️ CVE | 🔐 Info Disclosure | 🎁 PoC

🔗 Original article: https://www.offsec.com/blog/cve-2025-30208/

CVE-2025-30208 is a medium-severity (CVSS 5.3, EPSS 75.83 %) arbitrary file read in Vite’s dev server. Attackers append ?import&raw?? or ?raw?? to an @fs URL to bypass the allow-list and retrieve any readable file as an ES module export. Affected versions are < 4.5.10, 5.4.15, 6.0.12, 6.1.2, 6.2.3; patch immediately and restrict server exposure. 🎁 PoC

#

🛠️ Tool | 🔐 NTLM | 🔒 TLS | 🌐 MSSQL

🔗 Original article: https://sensepost.com/blog/2025/a-journey-implementing-channel-binding-on-mssqlclient.py/

Extended Impacket's mssqlclient.py to support SQL Server EPA by implementing Channel Binding Token (CBT) via the tls-unique method, rewriting STARTTLS with Python’s ssl module, reverse-engineering SQLCMD’s NTLM-over-TDS traffic by exporting private keys and disabling TLS 1.3, enabling successful authentication under EPA.

#

🤖 AI | 💣 RCE | 🛠️ Tool | 🎁 PoC

🔗 Original article: https://blog.trailofbits.com/2025/07/31/hijacking-multi-agent-systems-in-your-pajamas/

Trail of Bits releases pajaMAS, a PoC suite demonstrating six vectors—malicious environments, tools, memory poisoning, lethal trifecta, cycles, and URL anchors—for hijacking multi-agent systems via inter-agent control-flow exploitation to achieve RCE and data exfiltration. Key defenses include privilege separation, taint tracking, session hygiene, tool allowlisting, and orchestration-layer validation.

deep valeBOT
#

🛡️ CVE | 🌐 DNS | 🔗 HTTP | 🛠️ Tool

🔗 Original article: https://research.checkpoint.com/2025/before-toolshell-exploring-storm-2603s-previous-ransomware-operations/

  • Check Point Research reveals Storm-2603’s exploitation of four SharePoint CVEs to deploy custom DNS/HTTP backdoors (ak47c2) using XOR/hex encoding and fragmentation.
  • Combined open-source tools (masscan, PsExec) and implants deliver X2anylock and LockBit Black via DLL hijacking.
  • A custom Antivirus Terminator abuses a signed driver via IOCTLs to disable endpoint protection.
#

🛠️ Tool | 📡 Ansible Tower | 🕵️ Enumeration | 🔗 BloodHound

🔗 Original article: https://github.com/TheSleekBoyCompany/AnsibleHound

AnsibleHound is a Go-based BloodHound collector for Ansible Tower that uses a Read-only API token to enumerate organizations, inventories, hosts, job templates, projects, credentials, users and teams via the Tower REST API, converting them into a custom BloodHound graph (`AT*` nodes and `AT*` edges) for attack-path visualization.

deep valeBOT
#

📱 Android | 🦠 Malware | 🛠️ Tool | 🌐 Web

🔗 Original article: https://www.cleafy.com/cleafy-labs/playpraetors-evolving-threat-how-chinese-speaking-actors-globally-scale-an-android-rat

PlayPraetor is an Android RAT that abuses Accessibility Services to automate on-device fraud. It maintains resilient C2 via HTTP/S heartbeats, WebSocket (port 8282) and RTMP (port 1935), executes 52 dynamic commands for overlays and data harvesting, exfiltrates via HTTP APIs, and features a multi-tenant Chinese C2 panel with a built-in phishing page builder. Over 11 000 devices infected globally.

deep valeBOT
#

📱 Android | 💣 Trojan | 🔍 Obfuscation | 🔒 C2

🔗 Original article: https://zimperium.com/blog/behind-random-words-doubletrouble-mobile-banking-trojan-revealed

DoubleTrouble is an Android banking trojan hidden in `res/raw` using JSONPacker obfuscation. It tricks users into granting Accessibility Services, then steals credentials via PatternLockView/PinLockView overlays, records the screen with MediaProjection/ImageReader, blocks apps, logs keystrokes through Accessibility events, and executes 50+ C2 commands over a custom TLS channel. Zimperium’s MTD and zDefend detect both variants. IOCs on GitHub.

#

🌐 IPv6 | 🛡️ MITM | 🐍 Scapy | 🎁 PoC

🔗 Original article: https://habr.com/ru/articles/930526/

Practical IPv6 LAN Attacks: Explains fe80:: link-local and ff02:: multicast for NDP/SLAAC, passive sniffing with a Scapy Python script, RA spoofing via custom script with routerlifetime and Preference flags, system tuning (sysctl, ip6tables), RDNSS DNS injection, DHCPv6 spoofing with mitm6, and mitigations (RA Guard, DHCPv6 Guard, ND Inspection). Includes complete code and commands for stealthy MITM.

deep valeBOT
#

📱 Android | 👾 Malware | 🔒 Phishing | ⛏️ Crypto-mining

🔗 Original article: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/android-malware-targets-indian-banking-users-to-steal-financial-info-and-mine-crypto/

McAfee Labs uncovered an Android malware that uses phishing sites to side-load a two-stage XOR-encrypted DEX dropper, then dynamically loads a fraudulent banking UI to harvest card details via HTTP POST. A manifest-declared FirebaseMessagingService triggers download and execution of an encrypted native .so via ProcessBuilder (XMRig args) to stealthily mine Monero. IOCs include specific APK SHA-256 hashes, phishing domains, and FCM account ID.

deep valeBOT
#

🌐 Web | 🛡️ CVE | 💣 RCE | 🎁 PoC

🔗 Original article: https://blog.trailofbits.com/2025/08/04/uncovering-memory-corruption-in-nvidia-triton-as-a-new-hire/

Two critical stack-based memory corruption bugs (CVE-2025-23310 & CVE-2025-23311, CVSS 9.8) in NVIDIA Triton ≤ 25.06 enable crashes via HTTP chunked transfer encoding by inflating libevent evbuffer segments and overflowing an `alloca()`-based stack buffer. A Python PoC sends thousands of 6-byte chunks (~3 MB) to trigger a segmentation fault. Patch v25.07 replaces `alloca()` with `std::vector` inside try/catch and adds regression tests.

deep valeBOT
#

🛡️ CVE | 💻 IDE | 💣 RCE | 🎁 PoC

🔗 Original article: https://research.checkpoint.com/2025/cursor-vulnerability-mcpoison/

Cursor IDE’s MCP trust model (CVE-2025-54136) can be abused: an attacker commits a benign .cursor/rules/mcp.json, gains one-time approval, then swaps in malicious commands (e.g., a reverse shell) without further prompts, achieving persistent RCE. A PoC demonstrates continuous backdoor execution on IDE load. Upgrade to Cursor 1.3 to enforce re-approval on all MCP changes.

#

🌐 Web | 🛡️ CVE | 💣 RCE | 🛠️ Tool

🔗 Original article: https://unit42.paloaltonetworks.com/ak47-activity-linked-to-sharepoint-vulnerabilities/

Unit 42 links Microsoft’s Storm-2603 to CL-CRI-1040, revealing Project AK47—a toolkit comprising DNS/HTTP backdoors (AK47C2), X2ANYLOCK ransomware, DLL side-loading loaders, and supporting utilities—deployed via ToolShell exploits against SharePoint CVEs (49704, 49706, 53770, 53771) for RCE and double-extortion campaigns.

deep valeBOT
#

💣 Privilege Escalation | 🛠️ Tool | 🎁 PoC | 🪟 Windows

🔗 Original article: https://unit42.paloaltonetworks.com/badsuccessor-attack-vector/

BadSuccessor abuses delegated Managed Service Accounts in Windows Server 2025 to escalate privileges in Active Directory. By tampering with dMSA attributes (msDS-ManagedAccountPrecededByLink, msDS-DelegatedMSAState), attackers can assume Domain Admin rights. Enumeration and exploitation are automated via PoC tools (SharpSuccessor, BadSuccessor.ps1, NetExec), and post-exploitation uses Rubeus. Detection relies on Windows event IDs (5137, 5136, 2946, 4662) and Unit 42 XSIAM hunting queries.

deep valeBOT
#

🌐 Web | 🛡️ CVE | 🐘 PHP | 💣 RCE

🔗 Original article: https://patchstack.com/articles/critical-vulnerability-impacting-over-100k-sites-patched-in-everest-forms-plugin/

  • Unauthenticated PHP Object Injection in Everest Forms ≤ 3.2.2 (CVE-2025-52709) allows RCE when an admin views submissions on PHP < 7.1
  • `evf_maybe_unserialize()` skips `allowed_classes=false` on legacy PHP, calling `unserialize` unfiltered
  • Exploitation via crafted serialized payloads triggering magic methods
  • Patched in 3.2.3: disables unserialization on PHP < 7.1 and enforces `allowed_classes=false` on newer releases
deep valeBOT
#

🤖 AI | 💉 Prompt Injection | 🔒 Backdoor | 🎁 PoC

🔗 Original article: https://blog.trailofbits.com/2025/08/06/prompt-injection-engineering-for-attackers-exploiting-github-copilot/

  • A covert prompt injection hides in an HTML `<picture>` tag within a GitHub Issue.
  • Copilot is tricked into inserting a malicious wheel URL in uv.lock, installing a backdoor that executes bash commands via the X-Backdoor-Cmd header for RCE. 🎁 PoC
#

🌐 Web | 🛠️ Tool | 🛡️ CVE | 🎁 PoC

🔗 Original article: https://portswigger.net/research/http1-must-die

  • HTTP/1.1’s ambiguous request framing (CL, TE, 0, H2) enables parser discrepancies and request smuggling.
  • Use Burp Suite HTTP Request Smuggler v3.0 to detect V-H and H-V mismatches.
  • Smuggling primitives: CL.0, TE.CL, H2.0, 0.CL via IIS /con gadget, double-desync with Turbo Intruder, Expect-based desync and RQP.
  • Case studies: Cloudflare cache poisoning, AWS ALB & IIS bypass, GitLab RQP, Akamai CVE-2025-32094.
  • Mitigation: upstream HTTP/2, strict normalization, disable connection reuse, reject bodies on GET/HEAD/OPTIONS.
deep valeBOT
#

🦠 Infostealer | 🔒 Encryption | 🛠️ Tool | 💻 Process Hollowing

🔗 Original article: https://unit42.paloaltonetworks.com/new-darkcloud-stealer-infection-chain/

Three phishing-driven chains use obfuscated JS/WSF downloaders to fetch a dual-layer encrypted PowerShell payload that drops a ConfuserEx-protected VB6 DarkCloud Stealer. Analysts bypass obfuscation with AntiTamperKiller, de4dot-cex and ProxyCall-Remover, decrypt the 3DES TLV-stored VB6 payload, and observe process hollowing into RegAsm.exe with RC4-encrypted configuration.

deep valeBOT
#

🐧 Linux | 🛡️ CVE-2025-38236 | 💥 UAF | 🎁 PoC

🔗 Original article: https://googleprojectzero.blogspot.com/2025/08/from-chrome-renderer-code-exec-to-kernel.html

A use-after-free in Linux’s AF_UNIX MSG_OOB path (CVE-2025-38236) lets unfiltered `send()/recv()` flags in Chrome’s renderer sandbox trigger a dangling `sk_buff` pointer. A crafted sequence of MSG_OOB and normal recv calls exploits manage_oob()’s faulty zero-length SKB handling to achieve kernel RCE. The bug is fixed by decoupling zero-length and OOB checks; full PoC is on Project Zero 🎁 PoC.

#

🛠️ Tool | 🤖 AI | 🧪 Fuzzing | 🛡️ Vulnerability

🔗 Original article: https://blog.trailofbits.com/2025/08/07/aixcc-finals-tale-of-the-tape/

Trail of Bits’ blog breaks down AIxCC finalists’ CRSs into three philosophies: AI-augmented fuzzing (LLM-generated seeds, grammar evolution, multi-agent orchestration), AI-first PoV creation (primary LLM reasoning with fallback fuzzing), and hybrid tailored models (fine-tuned Llama for C, super patches, SARIF validation). It highlights techniques like function-level mutation dictionaries, super patches, and speculative patch strategies under competition scoring.

#

🛠️ Tool | 🎁 PoC | 💣 Bypass

🔗 Original article: https://www.synacktiv.com/en/publications/should-you-trust-your-zero-trust-bypassing-zscaler-posture-checks.html

  • Decrypted DPAPI-encrypted Zscaler config files under C:\ProgramData\Zscaler by reconstructing custom entropy with a C# tool.
  • Patched four signed Zscaler binaries via a Python script to force posture checks to succeed and bypass WinVerifyTrust.
  • Achieved full zero trust bypass, granting unrestricted internal access; remediation requires upgrading to v4.4+, server-validated certificates, and SIEM monitoring.
deep valeBOT
#

🛡️ CVE | 💣 RCE | 🌐 Web | 🎁 PoC

🔗 Original article: https://www.offsec.com/blog/cve-2025-29891/

  • CVE-2025-29891 is a medium-severity remote code execution vulnerability in Apache Camel’s camel-exec due to unsanitized HTTP headers.
  • Attackers set CAmelExecCommandExecutable and CAmelExecCommandArgs headers to run arbitrary system commands.
  • PoC includes curl examples for sleep and reverse shell.
  • Mitigation: disable or secure camel-exec, validate headers, enforce authentication, apply patches, and restrict outbound access.
deep valeBOT
#

🛠️ Tool | 🤖 AI | 🧩 Fuzzing | 🛡️ Security

🔗 Original article: https://blog.trailofbits.com/2025/08/08/buttercup-is-now-open-source/

Buttercup is an open-source AI-driven CRS that automates fuzzing (`libFuzzer`, `Jazzer`), static analysis (Tree-sitter, CodeQuery), and multi-agent patch generation. Install with buttercup setup, deploy, send-task, and open-ui to discover and patch vulnerabilities on x86-64 Linux.

deep valeBOT
#

🛠️ Tool | 🤖 AI | 🔍 Fuzzing | 🛡️ Patching

🔗 Original article: https://blog.trailofbits.com/2025/08/09/trail-of-bits-buttercup-wins-2nd-place-in-aixcc-challenge/

Buttercup is an open-source AI-driven vulnerability discovery and patching system from Trail of Bits. It integrates LLM-augmented fuzzing, static analysis via tree-sitter, and multi-agent patch synthesis. In DARPA’s AIxCC finals it found 28 vulnerabilities, applied 19 patches with 90 % accuracy across 20 MITRE CWEs, and achieved $181 cost per point. Install via git clone https://github.com/trailofbits/buttercup.

deep valeBOT
#

🛠️ Tool | 🐳 Docker | 📱 Mobile | 🔍 Recon

🔗 Original article: https://medium.com/@justmobilesec/just-mobile-security-jms-mobile-docker-ba1e6b7f131d

JMS – Mobile Docker delivers a lightweight Docker container for Android & iOS pentesting, bundling OWASP MASTG tools plus extras (frida, objection, nuclei) on amd64/arm64. Clone repo, build and run with $ docker run -it --rm -v "$(pwd)":/workspace jms-mobile-docker. Connect Android via adb tcpip over Wi-Fi and iOS via ssh root@IOS_IP. Run Frida entirely over network and mount your project to /workspace to use apktool, jadx, and nuclei mobile templates.

deep valeBOT
#

🛡️ CVE | 💣 RCE | 📡 SSH | 🎁 PoC

🔗 Original article: https://unit42.paloaltonetworks.com/erlang-otp-cve-2025-32433/

  • CVE-2025-32433 enables unauthenticated RCE in Erlang/OTP sshd via pre-auth message processing.
  • Exploits include file-descriptor reverse shells, Bash /dev/tcp reverse shells and DNS OAST callbacks.
  • Detected 3,376 exploit attempts (70% on OT firewalls) across 275 hosts and 326 services from May 1–9, 2025.
  • Fix by upgrading to OTP 27.3.3, 26.2.5.11 or 25.3.2.20, updating IPS signatures and restricting SSH access.
#

🛠️ Tool | 🔐 Crypto | 🧩 Reverse-engineering | 💣 RCE

🔗 Original article: https://www.synacktiv.com/publications/extraction-des-archives-chiffrees-synology-pwn2own-irlande-2024.html

Synacktiv reverse-engineers Synology’s PAT/SPK encrypted archives to build synodecrypt, extracting hard-coded signature and master keys, verifying MessagePack headers via libsodium, deriving decryption subkeys, and decrypting entries with secretstream XChaCha20-Poly1305. They also uncover an unauthenticated command-injection RCE in SynologyPhotos v1.7.0-0794 via child_process.exec, patched in v1.7.0-0795 by switching to execFile. 🎁 PoC

deep valeBOT
#

🛡️ CVE | 💣 RCE | 📂 Archive | 📧 Phishing

🔗 Original article: https://www.bleepingcomputer.com/news/security/winrar-zero-day-flaw-exploited-by-romcom-hackers-in-phishing-attacks/

CVE-2025-8088 is a directory traversal bug in WinRAR pre-7.13 allowing crafted RAR archives to extract executables into Windows Startup folders via embedded "..\" path entries, enabling automatic execution on user logon. It is actively exploited in RomCom phishing campaigns; users should update to WinRAR 7.13 to patch this high-severity RCE.

#

🛡️ CVE | 🗜️ Archive | 🧬 Symlink | 💣 RCE

🔗 Original article: https://www.redhotcyber.com/en/post/new-7-zip-flaw-symbolic-links-turn-extraction-into-a-hack-2/

  • CVE-2025-55188 affects 7-Zip versions prior to 25.01, due to improper symbolic link handling.
  • Allows arbitrary file overwrite (e.g., SSH keys, .bashrc) during extraction of ZIP/TAR/7Z/RAR archives.
  • Linux exploitation requires no privileges; Windows needs elevated rights or Developer Mode.
  • Fixed in 7-Zip 25.01 (Aug 3, 2025) with enhanced symlink validation.
#

📱 Android | 🔗 Path Traversal | 🗂️ File Read | 🎁 PoC

🔗 Original article: https://blog.ostorlab.co/signal-arbitrary-file-read.html

  • Four chained vulnerabilities in Signal Android (≤7.44.1) and Android SDK allow arbitrary reads of private files.
  • (1) Path traversal via URL-decoded segments in BlobContentProvider; symlink bypass for .blob extension.
  • (2) SHARE_MULTIPLE intent missing URI validation; Frida PoC included.
  • (3) FileUriExposedException bypass with file://system/../data/... URIs.
  • (4) MIME type spoofing & UUIDv4 blob filename brute-force to locate and read blobs.
deep valeBOT
#

🛠️ Tool | 💣 PrivEsc | 🛡️ CVE | 🎁 PoC

🔗 Original article: https://github.com/GhostPack/Certify/wiki/4-‐-Escalation-Techniques

Certify’s wiki details four AD CS privilege escalation techniques (ESC1–ESC4), showing how misconfigured certificate templates allow SAN spoofing, Any Purpose EKU abuse, enrollment agent exploitation, and ACL manipulation. Using Certify (v2.0.0) and Rubeus (v2.0.2), attackers can obtain Kerberos TGTs via PKINIT to compromise domain admins. 🎁 PoC

#

🛠️ Tool | 🔐 PKI | 🎁 PoC | ⛓️ Active Directory

🔗 Original article: https://specterops.io/blog/2025/08/11/certify-2-0/

Certify 2.0 is a complete AD CS exploitation toolkit rewrite, offering enhanced template/CA enumeration, detailed vulnerability attribution, modular commands, default base64 PFX output, SAN and application-policy injection, certificate renewal, golden cert forging, and new manage-template/manage-ca commands for LDAP (ESC4) and DCOM (ESC7) abuse.

deep valeBOT
#

🌐 Web | 🛡️ CVE | 💉 SQLi | 📂 File Download

🔗 Original article: https://patchstack.com/articles/multiple-critical-vulnerabilities-patched-in-wp-job-portal-plugin/

WP Job Portal ≤2.3.2 suffers from two unauthenticated critical flaws: SQL Injection (CVE-2025-48274) in validateFormData and Arbitrary File Download (CVE-2025-48273) in downloadCustomUploadedFile. Both require a valid _wpnonce from the [wpjobportal_my_resumes] page. Patched in v2.3.3 — upgrade immediately.

deep valeBOT
#

🛡️ CVE | 💣 RCE | 💉 Prompt Injection | 🎁 PoC

🔗 Original article: https://embracethered.com/blog/posts/2025/github-copilot-remote-code-execution-via-prompt-injection/

  • Critical CVE-2025-53773 prompt injection in GitHub Copilot/VS Code lets an attacker write "chat.tools.autoApprove": true to .vscode/settings.json, enabling YOLO mode and arbitrary terminal commands
  • Works on Windows, macOS, Linux with conditional OS detection
  • Includes stealth zero-width Unicode payloads and 🎁 PoC demos
  • Enables botnet enlistment (“ZombAIs”) and AI-driven malware spread
  • Fixed in August 2025 Patch Tuesday
deep valeBOT
#

🛡️ CVE | ⬆️ LPE | 🛠️ Tool | 🎁 PoC

🔗 Original article: https://zimperium.com/blog/the-rooting-of-all-evil-security-holes-that-could-compromise-your-mobile-device

Zimperium analyzes an LPE in KernelSU v0.5.7: manager authentication verifies the first matching APK from the caller’s open FDs. By influencing that selection, a malicious app can be accepted as the manager and then grant itself root. The attack requires running before the legit manager, enabling full compromise of already‑rooted devices. A PoC video and related Magisk CVE are cited.

deep valeBOT
#

💣 RCE | 🌐 Web | 🛠️ Tool | 🎁 PoC

🔗 Original article: https://www.pentestpartners.com/security-blog/terraform-token-abuse-speculative-plan/

Stolen Terraform CLI tokens with “plan” rights let attackers run speculative plans that execute external programs, yielding RCE on Terraform Cloud runners. From that shell, they exfiltrate short‑lived GCP/AWS credentials (tfc-* files) and use gcloud/AWS CLI to make out‑of‑band infra changes, bypassing VCS controls. Mitigate with least‑privilege tokens and Sentinel allowlists.

deep valeBOT
#

🛡️ CVE | 💣 RCE | 💉 XXE | 🎁 PoC

🔗 Original article: https://horizon3.ai/attack-research/attack-blogs/from-support-ticket-to-zero-day/

Two unauthenticated bugs in Xerox FreeFlow Core’s JMF Client (port 4004) enable RCE. CVE-2025-8355 is an XXE that yields SSRF via entity resolution in jmfclient.jar. CVE-2025-8356 is a path traversal in processIncomingRQEMessage() that allows arbitrary file write to web-served paths, enabling webshell execution. Fixed in 8.0.5.

#

🌐 Web | 🛡️ CVE | ⬆️ Privilege Escalation | 🧩 WordPress

🔗 Original article: https://patchstack.com/articles/rare-case-of-privilege-escalation-in-ase-plugin-affecting-100k-sites/

ASE ≤ 7.6.2.1 has a broken authorization flaw in the “View Admin as Role” reset path. Any authenticated user can trigger role restoration via reset-for=USERNAME with no capability/nonce checks, reverting saved original roles (e.g., Administrator) from user meta. Fixed in 7.6.3. CVE-2025-24648/CVE-2024-43333.

deep valeBOT
#

📱 Android | 🐛 Malware | 🛠️ Tool | 🌐 Web

🔗 Original article: https://hunt.io/blog/ermac-v3-banking-trojan-source-code-leak

Hunt.io’s March 6, 2024 leak of ERMAC v3.0 reveals a Laravel C2, React panel, Go exfil server, and a builder-driven Android trojan. Overlays from public/injects exfiltrate via Android.send_log_injects; C2 traffic uses AES-CBC with fixed IV “0123456789abcdef.” Panels are fingerprintable and often expose critical opsec flaws: hardcoded JWT secret, static admin bearer token, default root creds, and open registration. HuntSQL queries enable global infra discovery.

deep valeBOT
#

🌐 Web | 🤖 LLM | 🔐 Data Exfiltration | 🛠️ Tool

🔗 Original article: https://labs.zenity.io/p/when-a-jira-ticket-can-steal-your-secrets

A Jira→MCP→Cursor chain lets indirect prompt‑injection exfiltrate repo and local secrets. Euphemisms/encoded instructions bypass model guardrails; Jira comments or outbound HTTP requests become exfil channels. With Auto‑Run, this is zero‑click. Mitigate by vetting MCP servers, disabling/allow‑listing Auto‑Run tools, excluding sensitive paths (e.g., .cursorignore), and monitoring agent I/O.

deep valeBOT
#

🛡️ CVE | 🌐 Web | 📱 Android | 🎁 PoC

🔗 Original article: https://medium.com/@happyjester80/samsung-s24-exploit-chain-pwn2own-2024-walkthrough-c7a3da9a7a26

Two Samsung Gaming Hub flaws enable an attack chain: CVE‑2024‑49419 lets deep links load arbitrary URLs in an internal WebView; CVE‑2024‑49418 abuses inconsistent, multi‑stage URL checks so JavaScript becomes enabled before final verification. Provided ADB PoCs show how to trigger each path and achieve in‑app HTML/JS execution for chaining.

#

🌐 Web | 💉 XSS | 💰 Bug Bounty | 🎁 PoC

🔗 Original article: https://hesar101.github.io/posts/How-I-found-a-0-Click-Account-takeover-in-a-public-BBP-and-leveraged-It-to-access-Admin-Level-functionalities/

Header‑reflected XSS + cache poisoning + WAF quirks enabled 0‑click ATO. By seeding a cached HTML variant via a .js GET (not content‑inspected) using Burp Repeater single‑packet group requests and a fresh IP, the attacker injected an inline script reflecting User‑Agent. Non‑HttpOnly JWT cookies were exfiltrated to an OAST server (~600 tokens, incl. employee/admin). With admin JWTs, endpoints like /api/products/{product_id}/comments/{comment_id}/del were usable.

deep valeBOT
#

🤖 Android | 🧩 Reverse Engineering | 🕵️ Evasion | 🛠️ Tool

🔗 Original article: https://www.kayssel.com/newsletter/issue-12/

Actionable playbook to bypass Android app anti‑root, anti‑Frida/debugger, and SSL pinning. Uses Magisk DenyList, Frida Codeshare scripts, attach‑after‑launch, Jadx‑guided hooks, Objection patching, pre‑crash class dumps, JNI tracing with frida‑trace, and apk‑mitm for traffic inspection. Includes code and commands.

deep valeBOT
#

🛡️ CVE | 💣 RCE | 🐧 Linux | 📡 C2

🔗 Original article: https://redcanary.com/blog/threat-intelligence/dripdropper-linux-malware/

Actor exploits Apache ActiveMQ CVE‑2023‑46604 on cloud Linux, deploys Sliver/Cloudflare tunnels, drops a password‑protected PyInstaller ELF (DripDropper) that uses a hardcoded Dropbox bearer token, persists via cron by editing /etc/cron.*/0anacron, and tweaks SSH (root login, games→/bin/sh). They then self‑patch ActiveMQ by replacing vulnerable JARs from repo1.maven.org to hide entry while keeping access.

#

🌐 Web | 💣 RCE | 🛠️ Tool | 🎁 PoC

🔗 Original article: https://research.kudelskisecurity.com/2025/08/19/how-we-exploited-coderabbit-from-a-simple-pr-to-rce-and-write-access-on-1m-repositories/

A malicious PR abused Rubocop’s repo-controlled config to load an attacker extension and achieve RCE on CodeRabbit’s production runner. The payload exfiltrated env vars including the GitHub App private key. With that key, the researchers minted installation tokens and listed/cloned or wrote to repositories (~1M in review). PoCs show JWT creation, token minting, and x-access-token cloning. CodeRabbit fixed it in January 2025 by isolating tools and rotating secrets.

#

🌐 Web | 🔐 Auth | 🛠️ Tool | 🎁 PoC

🔗 Original article: https://blog.doyensec.com/2025/08/19/trivial-exploit-on-C-random.html

A password-reset flow used C#’s time-seeded Random().Next(...) to make tokens. By sending two HTTP/2 reset requests in a single-packet Burp race, the author hit the same 1 ms seed window and received identical tokens (victim + attacker), achieving account takeover. A Python library models/inverts C# Random as modular equations and reveals underflow-based collisions. Fix by using System.Security.Cryptography.RandomNumberGenerator.

#

🌐 Web | 🛠️ Tool | 🔀 Request Smuggling

🔗 Original article: https://portswigger.net/research/how-to-distinguish-http-pipelining-from-request-smuggling

How to tell HTTP/1.1 pipelining artifacts from real request smuggling. Shows a CL.0 false positive, provides litmus tests (disable reuse, HTTP/2 nested-response, partial requests, state probes), and outlines exploitation for connection‑locked/state/client‑side desync via cache poisoning, internal header leaks, FE control bypass, and host‑header abuse. Tools: HTTP Hacker, Turbo Intruder, HTTP Request Smuggler, and a “Smuggling or pipelining?” custom action.

deep valeBOT
#

🌐 Web | 💣 RCE | 🛡️ CVE | 🎁 PoC

🔗 Original article: https://blog.trailofbits.com/2025/08/20/marshal-madness-a-brief-history-of-ruby-deserialization-exploits/

Trail of Bits chronicles a decade of Ruby Marshal deserialization leading to RCE via gadget chains. It shows a vulnerable Rails path, a RubyGems‑based payload with $(id>/tmp/marshal-poc), and a timeline (incl. CVE‑2019‑5420 and Ruby 3.1–3.4 era patches). Modern discovery uses Semgrep and CodeQL with public PoCs. Audit all Marshal usage, switch to safer serializers, and push for a safe_load/unsafe_load split.

deep valeBOT
#

📡 IoT | 💣 RCE | 🎁 PoC

🔗 Original article: https://r0ny.net/FiberGateway-GR241AG-Full-Exploit-Chain/

Full exploit chain on MEO’s FiberGateway GR241AG: recover the admin password from firmware, log into the IPv6‑reachable restricted shell over the public “MEO WiFi” SSID, then exploit a tcpdump wrapper argument injection to run a post‑rotate payload (-G/-z) and gain root. The router’s changing IPv6 is revealed via NDP (ff02::2). Impact: critical pre‑auth RCE within Wi‑Fi range; DNS hijack, key exfil, LAN access. Bonus: nslookup arbitrary write, wget overflow.

#

🛡️ CVE | 💣 RCE | 🎁 PoC | 💰 Bug Bounty

🔗 Original article: https://blog.huntr.com/hunting-vulnerabilities-in-keras-model-deserialization

Explains Keras .keras internals and deserialization flow, shows Lambda-layer RCE via base64+marshal (CVE-2024-3660), and arbitrary module import in Keras ≤3.8 (CVE-2025-1550). Details new defenses (allowlist, safe_mode, type checks) and a PoC using keras.utils.get_file as a gadget despite safe mode. Provides practical steps to discover/test gadgets across Keras variants and formats.

#

Android | Malware | Banking | Phishing

🔗 Original article: https://www.cyfirma.com/research/lazarus-stealer-android-malware-for-russian-bank-credential-theft-through-overlay-and-sms-manipulation/

Analysis of an Android stealer that impersonates a utility app, abuses powerful roles and permissions, overlays fake banking screens to harvest credentials, intercepts SMS including OTPs, and communicates with a hard-coded C2 over plaintext HTTP. Includes high-level behaviors and key indicators to aid detection, with implementation specifics removed for safety.

#

📱 Android | 🎣 Phishing | 🐛 Malware | 📡 C2

🔗 Original article: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/android-malware-promises-energy-subsidy-to-steal-financial-data/

Android campaign targets Indian users with a fake energy subsidy. A GitHub-hosted dropper (PMBY) installs an embedded payload (PMMBY) after telling users to disable network. PMMBY requests SMS/contacts/call/notification access, loads a fake UPI PIN page from Replit, and POSTs phone/bank/UPI PIN to addup.php. It mass-sends smishing SMS, uploads incoming SMS/OTP to addsm.php, and takes Firebase commands via a _type field. Google blocked the FCM account; GitHub removed the repo.

#

📱 iOS | 🛠️ Tool | 🔓 Jailbreak | 🧪 Pentest

🔗 Original article: https://infosecwriteups.com/step-by-step-complete-beginners-guide-of-ios-penetration-testing-17092c0e0dc7

Beginner iOS pentest guide: explains jailbreak types and risks, shows workflows (Checkra1n; semi‑untethered with AltStore) and a Windows demo using 3uTools + Dopamine. Covers post‑jailbreak package managers/repos, then a static analysis pipeline for Diva.ipa with MobSF, Class‑Dump, Hopper/Ghidra, strings, and otool, plus Burp CA/proxy setup to intercept HTTPS for dynamic testing.

deep valeBOT
#

🌐 Web | 💣 RCE | 🛡️ CVE | 🎁 PoC

🔗 Original article: https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/

Two pre-auth RCE chains in Commvault 11.38.20. Chain 1: argument injection in /Login forges a SYSTEM-backed localadmin token via qlogin “-localadmin”, then writes a JSP webshell using QCommand’s -file path traversal. Chain 2: pre-auth GUID leak logs in as _+PublicSharingUser, decrypts an unchanged built-in admin password via a hard-coded key, then reuses the same webroot write for RCE. Includes concrete PoCs.

deep valeBOT
#

🛠️ Tool | 🎁 PoC | 🌐 Web

🔗 Original article: https://blog.trailofbits.com/2025/08/21/weaponizing-image-scaling-against-production-ai-systems/

Trail of Bits shows that image downscaling can reveal hidden instructions only the model sees, enabling prompt-injection exfiltration on Gemini CLI and other production surfaces. They fingerprint resamplers, then use Anamorpher to inverse-design bicubic/bilinear payloads. Unsafe defaults (e.g., MCP trust:true) let tools run without confirmation. Mitigate by avoiding silent resizing, previewing transformed inputs, and gating tool actions.

#

🛡️ CVE | 💉 XSS | 💣 RCE | 🎁 PoC

🔗 Original article: https://medium.com/@happyjester80/xiaomi-13-pro-code-execution-via-getapps-dom-cross-site-scripting-xss-6590cf35fb27

CVE-2024-4406 in Xiaomi GetApps lets an attacker abuse an exported deep link to load local HTML (file://web-res-xxxx) into a privileged WebView, then exploit a DOM XSS in integral-dialog-page.html via the integralinfo JSON parameter. Researchers used this XSS to achieve code execution on Xiaomi 13 Pro. Includes a working intent:// PoC and debugging via chrome://inspect.

#

🌐 Web | 🧪 Clickjacking | 🛡️ CVE | 🎁 PoC

🔗 Original article: https://socket.dev/blog/password-manager-clickjacking

Socket recaps DEF CON research showing DOM-based clickjacking in major password managers. By hiding the extension’s autofill UI and luring a click, attackers exfiltrate credit cards, PII, logins, TOTP, and sometimes passkeys. Demos prove one‑click theft. Socket lists affected versions (as of Aug 19, 2025) and Bitwarden’s Aug 20 fix. Mitigations: style‑tamper detection, top‑layer checks, closed shadow roots, or user confirmation dialogs; users can disable manual autofill or set site access to “On click.”

#

🌐 Web | 🛡️ CVE | 💉 SQLi

🔗 Original article: https://patchstack.com/articles/sql-injection-vulnerability-found-in-lifterlms-plugin-affecting-10k-sites/

Unauthenticated SQLi in LifterLMS (≤8.0.6) via the voucher code during registration. Untrusted $code is concatenated in get_voucher_by_code(), and sanitize_text_field() is insufficient. Fixed in 8.0.7 by switching to $wpdb->prepare() and proper typing. Impact: high (CVSS 9.3). Update immediately and review logs for suspicious voucher inputs.

#

📡 IoT | 🛠️ Tool

🔗 Original article: https://www.pentestpartners.com/security-blog/start-hacking-bluetooth-low-energy-today-part-1/

Capture Android↔BLE traffic via BTsnoop/Wireshark, filter GATT writes to find the command toggling a key-finder’s beeper. Confirm the target in jadx (Alert Level 0x2a06 under Immediate Alert 0x1802). Reproduce from Linux with gatttool/bluetoothctl (handle ≈0x0a/0x0b) or from Android with LightBlue/nRF Connect by writing 0x01/0x00.

#

🌐 Web | 🛡️ CVE | 💣 RCE

🔗 Original article: https://unit42.paloaltonetworks.com/attackers-sell-your-bandwidth-using-sdks/

Unit 42 observed attackers exploiting CVE‑2024‑36401 (GeoServer, CVSS 9.8) to obtain RCE, then deploy a legit SDK and a Dart‑based app that quietly sells victims’ bandwidth. Exploits traverse GeoTools→JXPath (extension functions) to a Runtime.exec sink. Two stages: download z593 from self‑hosted Transfer.sh (37.187.74[.]75, 64.226.112[.]52) and execute it, which fetches z401/z402 for stealth and launch. Campaign active since March 2025.

deep valeBOT
#

🛡️ CVE | 💣 RCE | 🎁 PoC | 🐳 Docker

🔗 Original article: https://blog.qwertysecurity.com/Articles/blog3.html

CVE-2025-9074: Docker Desktop for Windows exposed the Docker Engine API at http://192.168.65.7:2375 to containers without auth. With two POSTs (/containers/create then /containers/{id}/start), attackers bind-mounted C: and achieved full host compromise—even via SSRF. Fixed per blog in 4.44.x. PoC provided.

#

🌐 Web | 🛡️ CVE | 🎁 PoC | 🧱 WAF

🔗 Original article: https://patchstack.com/articles/hosting-security-tested-87-percent-of-vulnerability-exploits-bypassed-hosting-defenses/

Patchstack ran 11 real WordPress/plugin exploits against five identically built sites across five hosts. Despite Cloudflare, ModSecurity, ConfigServer, Monarx, and Imunify360, 87.8% of attacks bypassed hosting defenses and were only stopped by Patchstack. A simple WooCommerce Payments REST PoC using X‑Wcpay header spoofing created an admin. Results show generic WAFs miss WordPress‑specific logic/auth flaws; plugin‑aware, vulnerability‑specific virtual patches are required.

#

🌐 Web | 🎁 PoC | 💰 Bug Bounty | ☁️ Azure

🔗 Original article: https://binarysecurity.no/posts/2025/08/azures-weakest-link-part2

Undocumented ARM DynamicInvoke lets Contributors craft APIM requests using a connection’s metadata. By building a Custom Connector with a string path parameter and injecting ../../.., ARM’s internal APIM call normalizes to another tenant’s connection path, executing actions as that victim. This enables global cross-tenant data access (e.g., Key Vault) and RBAC bypass. Microsoft blacklisted ../ in April 2025.

deep valeBOT
#

⛓️ Web3 | 🌐 Web | 🔁 AMM | 📈 Price Manipulation

🔗 Original article: https://www.quillaudits.com/blog/hack-analysis/how-odinfun-lost-58-3BTC-to-worthless-liquidity

On Aug 12, 2025, Odin.fun lost 58.2 BTC after an attacker added liquidity with worthless tokens, self-traded to inflate in-pool prices, then withdrew liquidity to redeem disproportionate BTC across SATOSHI/BTC and ODINPEPE/BTC pools. Root cause: AMM trusted internal reserve ratios without external price checks or value parity enforcement. Mitigations: oracles, parity checks, slippage limits, minimum liquidity thresholds, monitoring, and audits.

#

🌐 Web | 🎁 PoC | 💰 Bug Bounty | 🔗 Supply Chain

🔗 Original article: https://medium.com/@justas_b1/a-simple-supply-chain-bug-worth-11-850-how-gitlab-reinforces-trust-in-open-source-424585c79074

GitLab fixed a supply-chain gap where the main app didn’t verify Runner binary integrity before sending CI/CD secrets. The PoC adds a Go function to Docker executor (docker.go) to POST all variables from e.Build.GetAllVariables() to an attacker, then packages it as a Docker image and registers it. Any executor could be tampered. Impact: exfiltration of cloud creds, tokens, and full supply-chain compromise. Fix: backend whitelists official Runner SHAs pre-dispatch.

deep valeBOT
#

💣 RCE | 🧠 Technique | 🧷 DLL Sideloading | 🎁 PoC

🔗 Original article: https://www.hexacorn.com/blog/2025/08/19/dll-forwardsideloading/

Technique: abuse forwarded exports to force the loader to pull a non‑KnownDLL by name from the attacker’s directory. PoC: copy keyiso.dll to C:\test, add malicious NCRYPTPROV.dll, then run rundll32.exe C:\test\keyiso.dll, KeyIsoSetAuditingInterface. Loader resolves the forward and executes the attacker DLL’s DllMain before any missing‑export error.

deep valeBOT
#

🪟 Windows | 🛠️ Tool | 🛡️ EDR Evasion

🔗 Original article: https://www.zerosalarium.com/2025/08/countering-edrs-with-backing-of-ppl-protection.html

The post explains how to abuse Windows PPL by launching a signed system binary (ClipUp.exe) as a protected process and using its logging parameter to write into Defender’s protected directory during boot, corrupting MsMpEng.exe so Defender cannot start. It details PPL requirements (EKU, CreateProcess flags), introduces the CreateProcessAsPPL tool, and discusses constraints, impact, detection, and mitigations.

#

🛠️ Tool | 🖥️ Windows | 🔒 PPL

🔗 Original article: https://github.com/2x7EQ13/CreateProcessAsPPL

C++ tool that spawns a target as a Windows PPL. CLI maps modes 0–4 to PROTECTION_LEVEL_* and sets PROC_THREAD_ATTRIBUTE_PROTECTION_LEVEL via STARTUPINFOEX before CreateProcess. Works only with appropriately signed PPL‑eligible images; otherwise returns INVALID_IMAGE_HASH. Useful for testing PPL hardening or research with signed binaries.

#

🛠️ Tool | 🛡️ CVE | 💣 RCE

🔗 Original article: https://www.msuiche.com/posts/elegantbouncer-when-you-cant-get-the-samples-but-still-need-to-catch-the-threat/

ELEGANTBOUNCER is a Rust tool that detects 0‑click iOS exploit files via structural analysis, not signatures. It scans PDF/JBIG2 (CVE‑2021‑30860), WebP/VP8L (CVE‑2023‑4863), TrueType (CVE‑2023‑41990), and DNG/TIFF (CVE‑2025‑43300), integrates iOS backup reconstruction, and batch‑scans messaging attachments with fast, parallel TUI/CLI.

deep valeBOT
#

🛠️ Tool

🔗 Original article: https://github.com/sikumy/spearspray

SpearSpray is an AD-focused, policy-aware Kerberos spraying framework that fuses LDAP user intel, a template-driven password generator, throttled validation, and Neo4j/BloodHound enrichment. It emphasizes low-noise operation, lockout avoidance, and structured results. This summary highlights architecture, defensive signals, and hardening guidance without step‑by‑step misuse instructions.

deep valeBOT
#

📱 Android | 🦠 Malware | 🌐 Web | 🔬 Reverse Eng

🔗 Original article: https://dti.domaintools.com/spynote-malware-part-2/

SpyNote RAT is delivered via cloned Play Store pages whose Install button forces an APK download using a hidden iframe + javascript: URI. The dropper concatenates assets/base/000+001, derives a 16‑byte AES key from the package name, AES‑decrypts, GZIP‑inflates, then DEX‑injects SpyNote. SpyNote loads a second DEX with obfuscated WebSocket C2 and rotating domains. The post includes hashes, full IOCs, Shodan queries, and MITRE mapping.

deep valeBOT
#

🌐 Web | 💰 Bug Bounty | 🎁 PoC | 💣 RCE

🔗 Original article: https://shubhamchaskar.com/defcon-bbv-ctf/

Realistic bug-bounty CTF write-up with 14 web vulns: dir brute-force to internal config, cookie-based debug leak, timing user enum, live legacy API, localhost bypass via X-Forwarded-For, admin 403 bypass, Host-header reset poisoning → ATO, hidden signup, mass assignment (balance), blind XSS via PATCH → JWT theft, broken authz on admin API, and JSON cmd RCE in a debug endpoint.

#

🌐 Web | 💉 XSS | 💣 RCE | 🎁 PoC

🔗 Original article: https://blog.sicuranext.com/vtenext-25-02-a-three-way-path-to-rce/

Research on VTENEXT 25.02 found three auth-bypass paths to account takeover and post‑auth RCE. Chains exploit a reflected JSON→HTML XSS, CSRF bypass via method tampering, Touch module session leakage, SQLi in Fax/EditView, and a pre‑auth arbitrary password reset in rpwd.php (patched in 25.02.1). Authenticated RCE is reached via multiple LFIs (optionally leveraging pearcmd.php) or by importing a custom module with a web shell. PoCs, code paths, and exact requests are provided.

deep valeBOT
#

🌐 Web | 💉 XSS | 🛠️ Tool | 🎁 PoC

🔗 Original article: https://portswigger.net/research/inline-style-exfiltration

Inline CSS-only exfiltration: use attr() to read an attribute into a CSS variable, compare with if(style(--val:"...")) using double quotes, and trigger image-set(url()) to leak which candidate matched. Chain nested if() to enumerate values. Works on Chromium; Burp action automates payload generation.

#

🎯 Phishing | 🌐 Web | 💣 RCE | 🧭 TTPs

🔗 Original article: https://research.checkpoint.com/2025/zipline-phishing-campaign/

ZipLine flips phishing flow: contact-form bait → weeks-long legit emails → Heroku-hosted ZIP with LNK that extracts a hidden PowerShell via marker xFIQCV, bypasses AMSI, persists via COM TypeLib hijack, and runs MixShell in memory. C2 uses DNS TXT (HTTP fallback), supports pipes, file ops, and a reverse proxy. A PS variant adds heavy sandbox checks and scheduled-task persistence.

deep valeBOT
#

🛠️ Tool | 🔐 AD CS | ⬆️ Privilege Escalation | 🎁 PoC

🔗 Original article: https://github.com/GhostPack/Certificates

Certify is a GhostPack tool to find and exploit AD CS misconfigurations (ESC1/ESC4/ESC7). It enumerates CAs/templates, requests malicious SAN/SID certs, supports on‑behalf‑of issuance, and exports JSON. Issued certs are converted to PFX and used with Rubeus for PKINIT (TGT). Includes build steps, in‑memory execution, and YARA/IOC details.

deep valeBOT
#

🌐 Web | 💉 XSS | 💰 Bug Bounty | 🎁 PoC

🔗 Original article: https://r3verii.github.io/bugbounty/2025/08/25/rxss-credential-stealer.html

Reflected XSS in a JS-in-JS sink on a login page is escalated to credential theft by breaking a JS string, bypassing filters with Unicode escapes, and injecting a script that defines const DoLogin to exfiltrate creds. Payload delivery uses Unicode-escaped eval(atob(base64)) and relies on execution order to preempt the legitimate handler.

deep valeBOT
#

🛡️ CVE | 💣 RCE | 🌐 Web | 🎁 PoC

🔗 Original article: https://0xdf.gitlab.io/2025/08/23/htb-thefrizz.html

Exploit Gibbon LMS (CVE-2023-45878) on a Windows DC for unauthenticated arbitrary file write and pre-auth RCE. Drop a PHP webshell, pivot to a PowerShell reverse shell, harvest DB creds from config.php, extract salted SHA-256 user hash, and crack it (Hashcat -m 1420) to get f.frizzle. In a Kerberos-only AD, fix clock skew, use Kerberos for SMB and SSH (GSSAPI), and ensure hosts order is correct. Tools: nmap, feroxbuster, curl, netexec, hashcat, revshells.com.

#

🌐 Web | 💣 RCE | ⬆️ PrivEsc | 🎁 PoC

🔗 Original article: https://0xdf.gitlab.io/2025/08/07/htb-rainbow.html

Custom Windows webserver (Rainbow 0.1) is vulnerable to a POST-body SEH overflow, enabling unauthenticated RCE. Using x32dbg + ERC, the author finds nSEH/SEH offsets (660/664), a POP-POP-RET at 0x4094d8, and chains a short and near jmp to a NOP sled + msfvenom x86 shellcode. A Python/pwntools HTTP POST delivers the payload. Initial shell is admin-group but medium integrity; bypass UAC via fodhelper registry hijack to get High Integrity and read root.

#

🌐 Web | 🎁 PoC | 💣 RCE | 🛠️ Tool

🔗 Original article: https://0xdf.gitlab.io/2025/08/12/htb-zero.html

Tenant .htaccess control enabled an ErrorDocument 404 %{file:/path} LFI to read web sources and leak DB creds. Those creds worked for SSH (user zroadmin). pspy revealed a root cron that turns apache2 process command lines into root-executed apache2ctl -t. By forging a matching argv and overloading -f/-d, Apache tested attacker-controlled config, enabling root code execution. Python+Paramiko PoC automates the LFI.

#

🌐 Web | 💣 RCE | 🛠️ Tool

🔗 Original article: https://0xdf.gitlab.io/2025/08/21/htb-lock.html

HTB “Lock”: A leaked Gitea PAT in commit history grants write access to a CI/CD-backed website repo. Pushing an ASPX webshell to IIS yields RCE as lock\ellen.freeman. An mRemoteNG config leaks Gale’s RDP creds, enabling desktop access. Finally, abusing PDF24’s elevated repair (by locking its log file) produces a hung elevated cmd that’s leveraged to spawn a SYSTEM shell.

#

💣 RCE | 🎁 PoC | 🛠️ Tool

🔗 Original article: https://0xdf.gitlab.io/2025/08/26/htb-reaper.html

Custom Windows service on TCP/4141 has a format‑string in _snprintf and a stack buffer overflow. Leak a code pointer with “%p” to defeat ASLR, then ROP into VirtualAlloc to mark stack RWX and pivot to shellcode for unauthenticated RCE. Privilege escalate by abusing a kernel driver with arbitrary read/write to steal a SYSTEM token.

#

🌐 Web | 💣 RCE | 🛠️ Tool | 🎁 PoC

🔗 Original article: https://0xdf.gitlab.io/2025/08/14/htb-sweep.html

Windows DC with Lansweeper. Null/guest SMB + RID cycling gives users. A weak Kerberos spray yields a login. Inside Lansweeper, map scanning creds to an attacker IP and capture the Linux scanner password with an SSH honeypot. Use AD ACLs (GenericAll over Lansweeper Admins) to add the account, then WinRM in. Priv-esc via: (1) decrypt Lansweeper DB secrets using Encryption.txt and SharpLansweeperDecrypt to obtain an admin service account, or (2) run a Deployment package to execute as SYSTEM.

deep valeBOT
#

📡 IoT | 🛠️ Tool | 🎁 PoC

🔗 Original article: https://www.pentestpartners.com/security-blog/start-hacking-bluetooth-low-energy-today-part-2/

Use a £20 Sonoff (CC26x2) with Sniffle to sniff unencrypted BLE from devices without pairing/bonding, find GATT Write Commands (e.g., 0x01/0x00 to handle 0x0b), then use a £10 Nordic nRF52 with nRF Connect or Python (blatann) to send the same writes. Includes exact install/flash commands, Wireshark filters, CLI helpers, and a PoC script.

deep valeBOT
#

🌐 Web | 🛡️ CVE | 💣 RCE | 🎁 PoC

🔗 Original article: https://0xdf.gitlab.io/2025/08/16/htb-nocturnal.html

Chain: IDOR in /view.php enumerates users/files, leaking Amanda’s password. In admin backup, newline/tab bypass in cleanEntry leads to command injection via proc_open, giving www-data shell. SQLite users table stores unsalted MD5; crack tobias → SSH. ISPConfig 3.2 on 127.0.0.1:8080 vulnerable to CVE‑2023‑46818; language editor lets admin write a PHP webshell and execute as root. Public PoC available.

#

🌐 Web | 🛡️ CVE | 💣 RCE | 🎁 PoC

🔗 Original article: https://0xdf.gitlab.io/2025/08/09/htb-university.html

Exploit CVE-2023-33733 in ReportLab/xhtml2pdf via a crafted Bio payload in the profile PDF export to get RCE, validate with ICMP, then stage a PowerShell reverse shell as university\wao on the DC. Loot Django config, CA private key, and db.sqlite3; analyze backups and sessions; enumerate users, dual-homed networking, and AD hosts (WS-3, LAB-2). The post later chains cert abuse, WPAD/NTLM relay, RBCD, unconstrained delegation, and gMSA to DA.

#

🌐 Web | 💣 RCE | 🛠️ Tool

🔗 Original article: https://0xdf.gitlab.io/2025/08/02/htb-code.html

HTB Code: A Flask-based Python editor uses a naive substring blacklist. Bypass with globals()+getattr()+string concat to call os.popen().read(), get a reverse shell, and persist. Dump SQLite unsalted MD5 hashes, crack, and pivot to martin. Priv-esc to root via sudo NOPASSWD backy.sh by using /var/....//root traversal or, in /dev/shm, rely on fs.protected_regular to skip sanitization entirely, then archive/exfiltrate /root (SSH key/flag).

deep valeBOT
#

🌐 Web | 💣 RCE | 🛠️ Tool

🔗 Original article: https://0xdf.gitlab.io/2025/08/07/htb-rainbow.html

HTB Rainbow exposes a custom HTTP server on 8080 (“Rainbow 0.1”). Manual URI-length fuzzing crashes it. Pulling rainbow.exe from anonymous FTP enables x32dbg analysis to prove EIP control and build a single-request RCE for a reverse shell. The shell is admin but medium integrity; a fodhelper UAC bypass via HKCU ms-settings hijack yields high integrity to complete compromise.

#

🌐 Web | 💣 RCE | 🛠️ Tool

🔗 Original article: https://0xdf.gitlab.io/2025/08/14/htb-sweep.html

Windows DC running Lansweeper. Enumerate users via SMB RID cycling, then Kerberos username=password spray to get intern. Abuse Lansweeper: map Linux creds to your IP, run sshesame on port 2022, click Scan to capture svc_inventory_lnx. BloodHound shows GenericAll → add self to “Lansweeper Admins” and get WinRM. PrivEsc 1: decrypt web.config with Key/Encryption.txt via SharpLansweeperDecrypt to recover svc_inventory_win (admin). PrivEsc 2: use Lansweeper Deployment to execute as SYSTEM.

#

🌐 Web | 💣 RCE | 🛠️ Tool | 🎁 PoC

🔗 Original article: https://0xdf.gitlab.io/2025/08/21/htb-lock.html

Leaked Gitea PAT in a prior commit enabled API access to a private website repo. Because CI/CD auto-deployed on push, an ASPX webshell was published, giving RCE. An mRemoteNG config leaked RDP creds for gale.dekarios, allowing RDP access. Finally, abusing PDF24’s installer repair by locking its log file yielded a hung elevated cmd, leveraged to get SYSTEM.

#

🌐 Web | 📄 LFI | 🛠️ Tool | 🎁 PoC

🔗 Original article: https://0xdf.gitlab.io/2025/08/12/htb-zero.html

Abuse Apache twice: 1) Replace a root-owned but renamable .htaccess to set ErrorDocument 404 %{file:/path}, turning 404s into arbitrary file reads and leaking DB creds from stats.php. 2) Use pspy to find a root cron that transforms and executes matching apache2 processes as apache2ctl -t. Forge a process argv to inject flags (e.g., -f /tmp/evil.conf), coercing root to parse attacker-controlled config and gain root.

#

💣 RCE | 🎁 PoC | 🛠️ Tool

🔗 Original article: https://0xdf.gitlab.io/2025/08/26/htb-reaper.html

Custom Windows key service (TCP 4141) has a format-string bug in log_key and a stack buffer overflow when decoding long Base64 comments. Use “%p” in a valid key to leak a module pointer and compute the base, then exploit an 88-byte RIP overwrite with a ROP chain that calls VirtualAlloc to mark stack RWX and jump to shellcode for RCE. Kernel privesc steals a SYSTEM token via an arbitrary R/W driver.

#

🌐 Web | 🛡️ CVE | 💣 RCE | 🎁 PoC

🔗 Original article: https://0xdf.gitlab.io/2025/08/09/htb-university.html

Compromise a Django site by abusing ReportLab/xhtml2pdf (CVE‑2023‑33733) in the Profile PDF export to run OS commands via a crafted color attribute. Land a shell as university\wao, loot the app (DB, CA keys), and enumerate the internal AD network. Forge a client cert for Professor access, weaponize a .url in lecture bundles, coerce WPAD and relay NTLM to LDAP to set RBCD, abuse unconstrained delegation to steal tickets, and read a gMSA secret to escalate to Domain Admin.

#

🛡️ CVE | 💣 RCE | 🌐 Web | 🎁 PoC

🔗 Original article: https://0xdf.gitlab.io/2025/08/23/htb-thefrizz.html

Exploit Gibbon LMS (v25.0.00) CVE‑2023‑45878 to write a PHP webshell and gain RCE. Dump DB creds from config.php, extract a salted SHA‑256 hash and crack it (hashcat -m 1420) to get AD user creds. In a Kerberos‑only domain, fix time skew, kinit, and SSH with GSSAPI. Recover a deleted WAPT backup from Recycle Bin, decode wapt_password to pivot to m.schoolbus. Abuse Group Policy Creator Owners via SharpGPOAbuse to push an immediate Scheduled Task and get SYSTEM.

#

🏰 Active Directory | 🔐 Kerberos | ⬆️ PrivEsc | 🛠️ Tool

🔗 Original article: https://0xdf.gitlab.io/2025/08/19/htb-phantom.html

Guest SMB access exposed a PDF with the default password. RID cycling built a user list; Kerberos spray hit ibryant. A VeraCrypt backup on an SMB share was cracked with a tiny wordlist and rules, revealing a VyOS config with a plaintext password reused by svc_sspr. With WinRM shell, a BloodHound-identified path enabled RBCD by creating a machine account, setting AllowedToAct, forging S4U tickets, and executing as DA on the DC.

#

🌐 Web | 💣 RCE | 🛡️ CVE | 🎁 PoC

🔗 Original article: https://0xdf.gitlab.io/2025/08/16/htb-nocturnal.html

HTB Nocturnal chain: abuse an IDOR in view.php to enumerate users and read files, stealing Amanda’s password. Use a newline/tab command injection in the backup utility (proc_open) to gain RCE as www-data, then crack unsalted MD5s in SQLite to become tobias. Discover a root-run ISPConfig on 127.0.0.1:8080 and exploit CVE-2023-46818 (language editor PHP injection) to write a webshell and get root.

#

📱 Android | 💳 Banking Trojan | 🕵️ Spyware | 🧩 Overlay

🔗 Original article: https://zimperium.com/blog/hook-version-3-the-banking-trojan-with-the-most-advanced-capabilities

Hook v3 is an Android banking trojan abusing Accessibility to automate UI, steal credentials/MFA, and control devices via VNC/HVNC. It adds ransomware and NFC overlays, PIN/pattern theft plus programmatic unlock, transparent gesture capture, and dynamic phishing injections. WebSocket C2 is active; RabbitMQ/Telegram are hinted but not enabled. Distributed via phishing and GitHub. High impact: ATO, crypto theft, call/SMS control.

#

🌐 Web | 💣 RCE | 🛠️ Tool | 🎁 PoC

🔗 Original article: https://0xdf.gitlab.io/2025/08/05/htb-build.html

Public rsync leaked a full Jenkins backup including master keys. Decrypting a stored credential yielded Gitea login (buildadm/Git1234!). Editing the Jenkinsfile triggered a multibranch build and a root shell in the Jenkins container. Pivoting with chisel exposed PowerDNS‑Admin and MariaDB (root/no password), enabling DNS tampering. By creating A/PTR so our IP = admin.build.vl, we abused root’s .rhosts + exposed r-commands to rlogin as root on the host—full compromise.

deep valeBOT
#

🌐 Web | 💣 RCE | 🛠️ Tool | 🎁 PoC

🔗 Original article: https://0xdf.gitlab.io/2025/08/21/htb-lock.html

Leaked Gitea token grants access to a private website repo with CI/CD. Pushing an ASPX webshell yields IIS RCE as ellen.freeman. An mRemoteNG config.xml is decrypted to recover Gale.Dekarios’ RDP password, enabling RDP. Finally, abusing PDF24’s installer repair by locking its log file leads to an elevated hung cmd.exe and SYSTEM.

#

🌐 Web | 💣 RCE | 🛠️ Tool

🔗 Original article: https://0xdf.gitlab.io/2025/08/14/htb-sweep.html

Enumerate a DC running Lansweeper, RID-cycle users, and Kerberos-spray to get intern. Use Lansweeper to scan an attacker SSH honeypot and capture svc_inventory_lnx. Abuse BloodHound-identified ACL (GenericAll → Lansweeper Admins) to enable WinRM. Path 1: decrypt Lansweeper secrets (web.config + Key/Encryption.txt) with SharpLansweeperDecrypt to recover svc_inventory_win and pwn DC. Path 2: use Deployment packages for SYSTEM RCE.

#

🌐 Web | 💣 RCE | 🛠️ Tool | 🎁 PoC

🔗 Original article: https://0xdf.gitlab.io/2025/08/07/htb-rainbow.html

Custom Windows “Rainbow 0.1” webserver has an SEH-based buffer overflow when parsing POST bodies. Using x32dbg + ERC, the offset (660) and a POP‑POP‑RET in rainbow.exe enable a short‑then‑long jmp trampoline back to msfvenom x86 shellcode delivered via raw HTTP, yielding an unauthenticated reverse shell. A watchdog script auto‑restarts the service after crashes. Privilege is escalated by hijacking HKCU ms‑settings and launching fodhelper.exe for a high‑integrity shell.

#

🌐 Web | 💣 RCE | 🛠️ Tool | 🎁 PoC

🔗 Original article: https://0xdf.gitlab.io/2025/08/12/htb-zero.html

HTB Zero: Abuse Apache twice. 1) Gain arbitrary file read via .htaccess ErrorDocument %{file:/path}, automated with a Paramiko+Requests script, to steal DB creds from stats.php and SSH as zroadmin. 2) Privesc: spoof a process argv so a root cron runs apache2ctl -t on attacker config, then use piped logs (ErrorLog/CustomLog) for reliable root RCE.

#

🌐 Web | 🛡️ CVE | 💣 RCE | 🎁 PoC

🔗 Original article: https://0xdf.gitlab.io/2025/08/09/htb-university.html

Student account triggers ReportLab/xhtml2pdf RCE (CVE‑2023‑33733) by injecting a [[[...]]] payload into Profile→Bio, then exporting to PDF. ICMP confirms execution; a two‑stage PowerShell payload downloads and runs rev.ps1 for a reverse shell as WAO on the DC. Loot includes CA keys, sqlite DB, and a backup script leaking the 7‑Zip password. Internal/AD recon identifies WS‑3 and LAB‑2 for next steps.

#

🌐 Web | 💣 RCE | 🛡️ CVE | 🎁 PoC

🔗 Original article: https://0xdf.gitlab.io/2025/08/16/htb-nocturnal.html

HTB Nocturnal: Abuse an IDOR in /view.php to enumerate users and steal a password. Exploit a newline/tab bypass in the admin backup’s proc_open zip command to get www-data. Dump SQLite MD5 hashes, crack tobias, and SSH/su. Port-forward local ISPConfig (root-run PHP) and use CVE‑2023‑46818 (language editor PHP injection) to drop a webshell and get root.

deep valeBOT
#

💣 RCE | 🎁 PoC | 🎮 Game Security | 🧩 Lua

🔗 Original article: https://appsec.space/posts/aion-housing-exploit/

AION’s housing Lua sandbox (v3.0+) exposes dangerous globals, including the full io package. Using the Butler as stdout (H.PlaySound → H.Say), the author enumerates _G, finds io.popen(), and achieves client-side RCE (e.g., calc.exe). On private servers, scripts are auto-sent and OnInit() runs on entry, enabling zero‑click compromise. Retail still has housing but the simple payload reportedly doesn’t work; Classic lacks housing. Severity: critical.

#

🌐 Web | 🛡️ CVE | 🔓 Auth Bypass | 🎁 PoC

🔗 Original article: https://labs.watchtowr.com/the-one-where-we-just-steal-the-vulnerabilities-crushftp-cve-2025-54309/

CVE‑2025‑54309 is an auth bypass in CrushFTP: the AS2 path trusts AS2‑TO to set the session user. Firing two near‑simultaneous POSTs to /WebInterface/function/ with shared cookies—one with AS2‑TO:\crushadmin, one without—races the server so admin RPCs run as crushadmin. Most attempts 404; a win returns 200/OK and creates an admin user. Fixed in 10.8.5/11.3.4_23. PoC safely extracts the user list.

deep valeBOT
#

🏢 Active Directory | 🔐 Kerberos | 🛠️ Tool | 🧪 PrivEsc

🔗 Original article: https://0xdf.gitlab.io/2025/08/28/htb-sendai.html

HTB Sendai: Use guest/Null SMB to enumerate, RID-brute users, then spray empty passwords to find expired accounts. Change one via SAMR, harvest MSSQL creds from a share, and use BloodHound to map Support → AdmSvc (GenericAll) → MGTSVC$ (ReadGMSAPassword). Dump the gMSA NTLM and WinRM in as mgtsvc$. From there: either abuse AD CS ESC4 via service creds or tunnel to MSSQL, forge a Silver Ticket, and use SeImpersonate to reach SYSTEM.

#

🧩 BYOVD | 🪟 Windows | 🎁 PoC | 🕵️ APT

🔗 Original article: https://research.checkpoint.com/2025/silver-fox-apt-vulnerable-drivers/

Silver Fox APT abuses a Microsoft‑signed WatchDog driver (amsdk.sys v1.0.600) and legacy Zemana driver (ZAM.exe) to kill PP/PPL EDR/AV and deploy ValleyRAT. Root cause: missing FILE_DEVICE_SECURE_OPEN lets low‑priv users reach privileged IOCTLs (terminate/open process, raw disk R/W). Patch (wamsdk.sys v1.1.100) fixes LPE but not PP/PPL kills; attackers flip one byte in the RFC 3161 timestamp to evade hash blocklists. Includes PoC, IOCTLs, loader/persistence, XOR key, C2s, and YARA.

deep valeBOT
#

🌐 Web | 🔐 OAuth | 💰 Bug Bounty | ⚙️ Misconfiguration

🔗 Original article: https://medium.com/@KhaledAhmed107/how-i-found-5-oauth-misconfigurations-leading-to-pre-account-takeover-in-public-bug-bounty-programs-021d4c8c6954

Multiple bug bounty targets allowed pre‑account takeover by auto‑linking OAuth logins to unverified local accounts using only email matching. An attacker pre‑registers the victim’s email (no verification), then signs in with Google/Facebook for the same email, gaining control. Classified as Bugcrowd VRT P2. Mitigate by enforcing email verification and avoiding email‑only account linking.

#

🌐 Web | 🛡️ CVE | 🗄️ SQLi

🔗 Original article: https://patchstack.com/articles/sql-injection-vulnerability-patched-in-paid-membership-subscriptions-plugin/

Paid Membership Subscriptions ≤2.15.1 has an unauthenticated SQL injection (CVE-2025-49870, CVSS 7.5) in the PayPal IPN webhook. POST parameter custom is used as a payment ID and concatenated into a SELECT query in PMS_Payment::get_data(), enabling injection. Version 2.15.2 fixes this by casting IDs and using $wpdb->prepare(). Update now and monitor IPN traffic for suspicious custom values.

deep valeBOT
#

🛡️ CVE | 🔑 SSH | 🌐 Web | 🎁 PoC

🔗 Original article: https://blog.silentsignal.eu/2025/06/14/gitblit-cve-CVE-2024-28080/

CVE-2024-28080 is an SSH auth bypass in Gitblit (<1.10.0). Gitblit’s public-key authenticator binds a user to the session before signature verification; the password authenticator then trusts that state and accepts any password. With only a username and the victim’s public key, attackers can log in by triggering fallback to password and pressing Enter. Fixed in v1.10.0.

#

📱 Android | 🧪 Malware | 🧩 Obfuscation | 🔍 Reverse Engineering

🔗 Original article: https://shindan.io/blog/godfather-part-1-a-multistage-dropper

Part 1 dissects a GodFather dropper that sabotages APK parsing: it sets ZIP GPBF bit 0 (fake encryption), injects big Extra blocks (JADXBLOCK), and uses file/dir name collisions to hide core files. After normalizing flags, analysts can extract and review the manifest showing a custom Application, exported launcher, and permissions for session-based sideloading on Android 13+. Includes concrete headers, commands, and detection heuristics.

#

🌐 Web | 🛡️ CVE | 💣 RCE | 🎁 PoC

🔗 Original article: https://labs.watchtowr.com/cache-me-if-you-can-sitecore-experience-platform-cache-poisoning-to-rce/

Pre-auth cache poisoning in Sitecore XP (CVE-2025-53693) abuses XAML reflection to call WebControl.AddToCache and overwrite HTML cache entries. ItemService exposure (CVE-2025-53694) reveals or leaks cache-key components, enabling targeted poisoning. A post-auth sink (CVE-2025-53691) deserializes Base64 via BinaryFormatter in the convertToRuntimeHtml pipeline, triggerable by the FixHtml dialog. Chaining yields full server compromise.

deep valeBOT
#

🌐 Web | 💣 RCE | 🎁 PoC | 🛠️ Tool

🔗 Original article: https://blog.orange.tw/posts/2025-08-the-art-of-php-ch/

CTF-hardened PHP exploitation: format-string RCE via PHP Bug #71105 + arbitrary class instantiation, CSP bypass with max_input_vars warnings, WordPress serialize-then-replace and double-prepare→SQLi→OI chains, __wakeup bypasses, Windows path/ADS tricks, Defender side‑channel (AVOracle), and LFI→RCE via php://filter prefix injection. Includes PoCs and mitigations.

deep valeBOT
#

🌐 Web | 💣 RCE | 🛠️ Tool

🔗 Original article: https://0xdf.gitlab.io/2025/08/30/htb-eureka.html

Exposed Spring Boot Actuator (heapdump) leaked live secrets, including DB creds (oscar190/0sc@r190_S0l!dP@sswd) and Eureka Basic auth. Using these, SSH access as oscar190 was obtained. On-box, Spring Cloud Gateway and other services ran as www-data, with nginx proxying 8080. A login simulator generated traffic; gateway/logging was abused to capture miranda-wise’s creds. Finally, a root cron log analyzer with Bash arithmetic injection was exploited via crafted log lines to achieve root.

#

🛡️ CVE | ⬆️ LPE | 🛠️ Tool | 🎁 PoC

🔗 Original article: https://blog.amberwolf.com/blog/2025/august/advisory---netskope-client-for-windows---local-privilege-escalation-via-rogue-server/

CVE-2025-0309 in Netskope Windows Client (< R129) lets a local user force enrollment into a rogue server via IPC command 148 with a crafted JWT (alg=None, AddonUrl=attacker). The service installs an attacker CA and executes a malicious MSI as SYSTEM. Caller checks, IPC encryption, and Tamper Proof are bypassed. PoCs: NachoVPN plugin and UpSkope.

deep valeBOT
#

🛠️ Tool | 📱 Android | 🔐 SSL/TLS | 🔎 Static Analysis

🔗 Original article: https://petruknisme.medium.com/sslpindetect-advanced-ssl-pinning-detection-for-android-security-analysis-1390e9eca097

SSLPinDetect is a Python tool that decompiles Android APKs with apktool and scans Smali for SSL/TLS pinning patterns (OkHttp, custom X509TrustManager, Network Security Config, custom SSLContext). It uses multithreading, memory‑mapped I/O, and pre‑compiled regex, outputting file paths, line numbers, and snippets. Install via git/pip; run with -f and -a flags; -v enables verbose details. Patterns are extensible via JSON or the smali-sslpin-patterns repo.

#

📱 Android | 🦠 Malware | 🏦 Banking Fraud | 🕵️ Social Engineering

🔗 Original article: https://cyble.com/blog/sikkahbot-malware-defrauds-students-in-bangladesh/

SikkahBot is an Android banking-fraud malware (active since July 2024) targeting Bangladeshi students via fake Education Board scholarship apps. It steals PII and payment data, intercepts bank SMS, abuses Accessibility to auto-fill credentials in BKash/Nagad/DBBL, and automates USSD transactions via Firebase C2. The post lists smishing links, APK URLs, hashes, and Firebase endpoints; newer variants (Aug 2025) add full automation.

#

🛠️ Tool | 📱 Mobile | 🔍 Reverse Engineering | 🎁 PoC

🔗 Original article: https://github.com/aancw/SSLPinDetect

SSLPinDetect statically scans decompiled Smali to find SSL pinning and custom trust logic in Android apps. It decompiles with Apktool, uses multi-threaded, memory-mapped scanning with precompiled patterns (e.g., OkHttp CertificatePinner, X509TrustManager), and reports file, line, and code preview. Includes a PoC GIF and extensible patterns.

deep valeBOT
#

🌐 Web | 🛡️ CVE | 💣 RCE | 🎁 PoC

🔗 Original article: https://0xdf.gitlab.io/2025/09/02/htb-race.html

Walkthrough of HTB “Race”: leak a long password from phpSysInfo to log into Grav as backup, generate a backup to steal a live reset token and take over patrick. Get RCE via CVE-2024-28116 (Twig SSTI) or a proxied malicious theme. Pivot to user max using credentials in a root-owned script, then exploit a cron TOCTOU with FIFOs to win root.

deep valeBOT
#

⛓️ Web3 | 🌐 Web | 💰 Bug Bounty

🔗 Original article: https://quillaudits.medium.com/bunni-v2-exploit-8-3m-drained-50acbdcd9e7b

Bunni V2 (a Uniswap v4 hook) was drained for ~$8.3M due to a rounding/precision bug in its Liquidity Distribution Function. The attacker used flash loans (3M USDT on Ethereum; 2000 WETH on UniChain) and carefully sized exact‑input swaps to accrue unearned credits, then withdrew inflated balances, bridged funds, and moved proceeds via Aave. Withdrawals were halted and a 10% bounty offered.

#

🌐 Web | 💉 XSS | 🎁 PoC | 🛠️ Tool

🔗 Original article: https://portswigger.net/research/cookie-chaos-how-to-bypass-host-and-secure-cookie-prefixes

Exploits show how Unicode whitespace smuggling and legacy $Version=1 parsing let attackers forge/overwrite __Host- and __Secure- cookies from subdomains. Backends (e.g., Django, ASP.NET, Tomcat/Jetty) normalize or legacy‑parse bytes the browser sent, so an attacker’s duplicate often wins, enabling XSS, CSRF bypass, or session fixation. A Burp Custom Action is provided for detection.

#

🧪 Fuzzing | 🛡️ CVE | 🛠️ Tool | 💣 RCE

🔗 Original article: https://blog.doyensec.com/2025/09/02/ksmbd-2.html

How Doyensec expanded ksmbd fuzzing: enable more SMB features, patch auth/credits, build a stateful harness, translate SMB2 specs into a grammar, bias mutations with FocusAreas, seed ANYBLOB corpora from pcaps, and use sanitizers beyond KASAN. Achieved ~60/70% coverage and reported 23 ksmbd CVEs, with CVE-2025-37947 exploitation coming next.

#

🌐 Web | 🛡️ CVE | 🔑 Auth Bypass | ⬆️ PrivEsc

🔗 Original article: https://patchstack.com/articles/unpatched-privilege-escalation-in-service-finder-bookings-plugin/

Critical unauthenticated privilege escalation (CVE-2025-23970) in Service Finder Bookings ≤6.1. A public init-hooked handler trusts a client cookie (original_user_id) in service_finder_switch_back() and calls wp_set_auth_cookie() without checks, letting anyone log in as any user, including admin. No patch as of 2025‑09‑03. Deactivate the plugin immediately.

#

💣 RCE | ☁️ Cloud | 🌐 Web | 🔗 Supply Chain

🔗 Original article: https://unit42.paloaltonetworks.com/model-namespace-reuse/

Unit 42 shows that deleted or transferred Hugging Face namespaces can be re-registered and abused to hijack model paths. Cloud catalogs and OSS that fetch models by name may deploy attacker models, enabling RCE on Vertex AI and Azure AI Foundry endpoints. Google added daily scans (Feb 2025 disclosure). Mitigate with commit pinning, internal mirroring, and scanning for reusable model references.

deep valeBOT
#

🛡️ CVE | 💣 RCE | 🛠️ Tool | 🎁 PoC

🔗 Original article: https://blog.trailofbits.com/2025/09/03/subverting-code-integrity-checks-to-locally-backdoor-signal-1password-slack-and-more/

CVE-2025-55305: Electron’s integrity fuses didn’t cover V8 heap snapshots. By replacing v8_context_snapshot.bin (using electron-mksnapshot), attackers clobber builtins (e.g., Array.isArray) to run code across main, preload, and renderer—backdooring Signal, 1Password, Slack, and even Chrome installs in user-writable paths. Post shows crash, main-process probe, and a Slack keylogger PoC, plus mitigations.

deep valeBOT
#

📶 5G | 🛠️ Tool | 🎁 PoC | 📡 IoT

🔗 Original article: https://bishopfox.com/blog/demystifying-5g-security-understanding-the-registration-protocol

The article breaks down 5G UE registration and shows how to test and exploit the unauthenticated NAS window before Security Mode Command. It demonstrates SUPI leaks (SUCI failures), downgrade to EEA0/EIA0 via capability tampering, and replay of Registration Requests using a 5GReplay rule. Tools: Open5GS, Wireshark, 5GReplay, Sni5Gect, and a “snoopy” sniffer. Mitigate by enforcing SUCI, rejecting null algorithms except for emergency, and monitoring for rogue RAN/core.

#

🌐 Web | 💣 RCE | 🛠️ Tool | 🎁 PoC

🔗 Original article: https://0xdf.gitlab.io/2025/09/04/htb-media.html

Chain on a Windows web app: upload a WMP .wax/.asx that references a UNC path to coerce Net‑NTLMv2, crack enox’s hash, SSH in, then swap the per‑upload md5 folder with an NTFS junction to C:\xampp\htdocs and re‑upload a PHP webshell for RCE. Restore SeImpersonate with FullPowers and escalate to SYSTEM using GodPotato.

deep valeBOT
#

💰 Bug Bounty | 🛠️ Tool | 📱 Mobile | 🎁 PoC

🔗 Original article: https://www.yeswehack.com/learn-bug-bounty/android-lab-mobile-hacking-tools

Hands‑on Android bug bounty lab: set up Genymotion/AVD or a Magisk‑rooted device, route traffic to Burp, then bypass SSL pinning, root checks, and emulator detection with Frida/Medusa. Includes exact CLI/GUI steps, snapshot persistence, Magisk/Zygisk modules, and copy‑paste Frida hooks.

deep valeBOT
#

🌐 Web | 🛡️ CVE | 💣 RCE | 🎁 PoC

🔗 Original article: https://0xdf.gitlab.io/2025/09/06/htb-environment.html

Chained two Laravel CVEs to gain RCE, then privesc to root. Used CVE-2024-52301 to set APP_ENV via ?--env=preprod and bypass login. Abused UniSharp Filemanager CVE-2024-21546 by uploading 0xdf.php. (trailing dot) to bypass filters and get a webshell, then a bash reverse shell. Decrypted a GPG vault with copied .gnupg to pivot to user. Finally, escalated via sudo env_keep of BASH_ENV to root.

deep valeBOT
#

🌐 Web | 🛡️ CVE | 💣 RCE | 🎁 PoC

🔗 Original article: https://0xdf.gitlab.io/2025/09/06/htb-environment.html

HTB Environment chains three issues: CVE‑2024‑52301 lets you flip Laravel’s env via “?--env=preprod” to bypass login; CVE‑2024‑21546 in UniSharp LFM accepts “.php.” filenames, enabling a PHP webshell and reverse shell; sudo preserves BASH_ENV for /usr/bin/systeminfo, so a sourced script yields root. GPG keyvault decryption provided user creds. All steps, payloads, and commands are included.

deep valeBOT
#

🌐 Web | 💣 RCE | 🎁 PoC

🔗 Original article: https://binarysecurity.no/posts/2025/08/securing-gh-actions-part1

Explains how GitHub Actions expression rendering enables script injection leading to runner RCE, shows PoCs to exfiltrate all repo/org secrets as a collaborator, and details why YAML‑only defenses fail. It then prescribes robust branch protections, environment gating (with reviewers and branch/tag restrictions), and tag protections to enforce a four‑eyes principle.

deep valeBOT
#

🛡️ CVE | 🐧 Linux | ⚙️ Kernel | ⏱️ Race

🔗 Original article: https://streypaws.github.io/posts/Race-Against-Time-in-the-Kernel-Clockwork/

CVE-2025-38352 is a TOCTOU race in Linux/Android posix-cpu-timers. When an exiting task handles timer expiry in IRQ context and a sibling deletes the same timer, the delete path can miss the in‑flight “firing” state, corrupting kernel timer state and crashing. A patch adds an early tsk->exit_state check.

#

📱 Android | 🕵️ RAT | ⛓️ Web3 | 💳 NFC

🔗 Original article: https://www.threatfabric.com/blogs/the-rise-of-raton-from-nfc-heists-to-remote-control-and-ats

ThreatFabric unveils RatOn, an Android banker/RAT active July–August 2025. Delivered via adult-themed sites, it uses a WebView–JS bridge to sideload a payload, abuses Accessibility and Device Admin, performs ATS in George Česko (with limit changes), steals crypto wallet seeds (EN/RU/CZ/SK UIs), and can deploy NFSkate for NFC relay. Includes extensive bot commands and IoCs.

deep valeBOT
#

🌐 Web | ⛓️ Web3 | 🎣 Phishing | 🔗 Supply Chain

🔗 Original article: https://www.bleepingcomputer.com/news/security/hackers-hijack-npm-packages-with-2-billion-weekly-downloads-in-supply-chain-attack/

Phishing via npmjs[.]help let attackers hijack maintainer qix’s npm account and publish trojanized package updates. Injected index.js code hooks fetch/XMLHttpRequest and wallet APIs (window.ethereum, Solana) to rewrite crypto destinations before signing. Risk mainly affects fresh installs between ~09:00–11:30 AM ET (Sep 8, 2025) that ship these libs to browsers. npm removed some versions; check lockfiles, versions, and built assets.

deep valeBOT
#

🛠️ Tool | 🌐 Web | 💣 RCE

🔗 Original article: https://unit42.paloaltonetworks.com/adaptixc2-post-exploitation-framework/

Unit 42 analyzes AdaptixC2, an open-source C2 used in May 2025 intrusions. They document the RC4-packed beacon config schema, show default and in-the-wild HTTP profiles, and detail two chains: Teams social engineering with a fileless PowerShell loader, and an AI-generated PowerShell installer with DLL hijacking and Run-key persistence. Includes defender-focused config extraction steps and detection ideas.

deep valeBOT
#

🌐 Web | 🔐 Auth Bypass | 🎁 PoC | 💰 Bug Bounty

🔗 Original article: https://s41n1k.medium.com/how-i-found-a-critical-password-reset-bug-in-the-bb-program-and-got-4-000-a22fffe285e1

A hidden registration endpoint allowed overwriting passwords for existing users by POSTing {email, password} with no verification. Discovered via Burp+FFUF, a GET revealed “Only POST,” and POST with JSON returned success:1, enabling full account takeover. Critical auth/logic flaw: OWASP A01/A07, CWE‑287/640. Includes a minimal PoC request.

deep valeBOT
#

📡 IoT | 💣 RCE | 🌐 Web | 🛠️ Tool

🔗 Original article: https://palant.info/2025/09/08/a-look-at-a-p2p-camera-lookcam-app

LookCam P2P cameras are broadly insecure: fake auth (commands work without LoginDev), arbitrary file read, reliable stack overflow RCE with DEP/ASLR off, and plaintext, device‑ID–only cloud. PPPP crypto is weak/disabled; server IPs/keys live in app init strings. IDs are easily leaked or brute‑forced (22^5 verifier, no rate limits). Attackers can control devices, geolocate them via Wi‑Fi scans, and silently enable/read cloud uploads.

deep valeBOT
#

🛠️ Tool | 🎁 PoC | 💣 RCE

🔗 Original article: https://0xdf.gitlab.io/2025/09/12/htb-delegate.html

Guest SMB access leaked a password in SYSVOL. With A.Briggs, BloodHound showed GenericWrite over N.Thompson. A targeted Kerberoast (SPN add → TGS-REP etype 23 → crack) yielded KALEB_2341 and WinRM. Using SeEnableDelegationPrivilege, MAQ=10, and LDAP signing disabled, an attacker-made computer with unconstrained delegation plus PrinterBug captured the DC’s TGT. With that ccache, DCSync dumped hashes, and PTH to WinRM achieved Administrator.

#

🔁 NTLM Relay | 🛠️ Tool | 🌐 Web | 🎁 PoC

🔗 Original article: https://trustedsec.com/blog/wsus-is-sus-ntlm-relay-attacks-in-plain-sight

The post demonstrates abusing WSUS HTTP traffic for NTLM relay. It explains WSUS keys, ports, SOAP endpoints, and check-in cadence, then shows discovery (Nmap, GPO parsing, wsusniff.py), ARP spoofing, iptables redirect, and ntlmrelayx (PR #2034) to relay machine auth to LDAP/SMB/AD CS (ESC8). HTTPS blocks passive interception unless clients trust an attacker cert. Includes commands, tools, links, and mitigations.

deep valeBOT
#

🌐 Web | 🛡️ CVE | 💣 RCE | 🎁 PoC

🔗 Original article: https://0xdf.gitlab.io/2025/09/13/htb-planning.html

Exploit Grafana 11.0.0 (CVE-2024-9264) via SQL Expressions and DuckDB’s shellfs to get root in the Grafana container. Dump env vars to recover GF_SECURITY_ADMIN creds, SSH to the host as enzo, SSH-tunnel to a loopback-only Crontab UI, derive Basic auth from a backup job password, create a cron that drops a SUID bash, and run it for host root.

deep valeBOT
#

🌐 Web | 🎁 PoC | 💰 Bug Bounty

🔗 Original article: https://zere.es/posts/cache-deception-cspt-account-takeover/

CSPT in the SPA let attacker-controlled path segments steer an authenticated fetch (with X-Auth-Token) to /v1/token.css. The .css suffix triggered Web Cache Deception: the CDN cached the sensitive token JSON as public. The attacker then fetched /v1/token.css unauthenticated to obtain the victim’s token, achieving ATO.

deep valeBOT
#

🛠️ Tool | 💣 RCE | 🎁 PoC | 🧩 Injection

🔗 Original article: https://reversing.codes/posts/PlayStation-5-ELF-Injection/

Step-by-step PS5 usermode ELF injection: enumerate processes from kernel .data (allproc), elevate your process by writing ucred Authority ID at offset 0x58 to 0x4800000000010003, flip PROT_EXEC on target pages by patching vm_map entries, map the ELF with a ptrace-driven elfldr call, start it via a stager that pthread_create’s a new thread and hits int3. NineS server + Python client provide an end-to-end PoC.

deep valeBOT
#

🌐 Web | 💰 Bug Bounty | 🛠️ Tool

🔗 Original article: https://youtu.be/NI-eXMlXma4

The episode dissects a real Supabase misconfiguration in getDisclosed: UI‑only signup removal left Auth signup open, and an exposed Postgres view bypassed intended RLS, enabling unauthenticated mass edits. It also covers scalable Salesforce Aura hunting, GMSGadget for CSP/sanitizer bypasses, and Bug Bounty Village’s realistic training format.

#

☁️ Cloud | 🔐 CI/CD | 🌐 Web | 🎁 PoC

🔗 Original article: https://binarysecurity.no/posts/2025/09/securing-gh-actions-part2

Deep dive into GitHub Actions ↔ Azure OIDC. Shows how weak FIC subjects (e.g., pull_request) and insecure workflows let collaborators mint Azure tokens and exfiltrate them from ~/.azure/msal_token_cache.json. Demonstrates safer job_workflow_ref scoping, warns about cross‑repo bypass if repo claim is omitted, shows script‑injection in reusable inputs, and abuses terraform plan for exfil/RCE. Includes PoCs, commands, and hardening: protect refs/envs, include repo+job_workflow_ref, least privilege, and SHA pinning.

deep valeBOT
#

🎣 Prompt Injection | 🧠 LLM | 💣 RCE | 🛠️ Tool

🔗 Original article: https://unit42.paloaltonetworks.com/code-assistant-llms/

Unit 42 shows IDE code assistants can be hijacked via indirect prompt injection in attached context, leading to hidden backdoors (e.g., a function that fetches obfuscated C2 commands and executes them). It also demonstrates moderation bypass via autocomplete seeding (prefix like “Step 1:”), risks from direct model invocation, and LLMJacking using stolen tokens and reverse proxies. Impact: silent codebase compromise and developer RCE.

deep valeBOT
#

🛠️ Tool | 💣 RCE | 🤖 AI/ML

🔗 Original article: https://blog.trailofbits.com/2025/09/16/ficklings-new-ai/ml-pickle-file-scanner/

Trail of Bits added an import-allowlist to Fickling that hooks Python’s pickle unpickler and blocks non-approved imports during ML model loading. Built from ~3,000 Hugging Face pickles and validated on a clean/malicious benchmark, it detected 100% of injected malicious files while allowing ~99% of clean ones. Enable with a one-liner at startup.

#

📱 Android | 🧪 Malware | 🎭 Phishing | 🧲 Social Engineering

🔗 Original article: https://www.ibm.com/think/news/phantomcall-antidot-variant-in-fake-chrome-apps

PhantomCall, an Antidot variant, spreads via fake Chrome apps. A WebView + @JavascriptInterface lures users to grant “Install unknown apps,” then the payload installs via PackageInstaller.Session. A loop checks Accessibility via AccessibilityManager; if disabled, startActivity() foregrounds a prompt until enabled. With Accessibility active, PhantomCall silently sets call forwarding (USSD) and uses CallScreeningService with C2 postfix matching to block callbacks—isolating victims and enabling high‑impact banking fraud.

#

🛠️ Tool

🔗 Original article: https://revflash.medium.com/strategies-for-analyzing-native-code-in-android-applications-combining-ghidra-and-symbolic-aaef4c9555df

Ghidra + angr workflow to statically execute a native string decoder in an Android .so when RASP blocks Frida. Load the .so in angr at base 0x00100000, wrap FUN_00100e10 with project.factory.callable, allocate an out buffer in a blank state, call with (enc_ptr, buf, len), concretize memory via solver.eval, stop at \x00, and auto‑annotate Ghidra call sites with decoded JNI names/signatures.

#

📡 C2 | 🧪 DFIR | 🛠️ Tool | 🎁 PoC

🔗 Original article: https://www.pentestpartners.com/security-blog/discord-as-a-c2-and-the-cached-evidence-left-behind/

Abuses Discord webhooks as a lightweight C2 for beaconing and exfiltration via a full PowerShell PoC, then shows how Discord’s Chromium Simple Cache preserves rich evidence (attachments, webhooks, timestamps). A dedicated Discord Forensic Suite (CLI/GUI) parses cache artifacts, carves files, and generates HTML/CSV timelines to reconstruct attacker activity—even after channels are deleted.

deep valeBOT
#

📡 IoT | 🛠️ Tool | 🎁 PoC

🔗 Original article: https://kennedn.com/blog/posts/tapo/

Cloudless TP‑Link Tapo onboarding via MITM and APK reversing: bypass TLS pinning with Frida, capture with mitmproxy, extract the default admin password (encrypt_type:3 → TPL075526460603), derive session keys from cnonce/nonce/device_confirm to decrypt securePassthrough, map calls, and automate with a Bash PoC.

#

🛡️ CVE | 📡 IoT | 🛠️ Tool

🔗 Original article: https://sec-consult.com/vulnerability-lab/advisory/nfc-card-vulnerability-exploitation-leading-to-free-top-up-kiosoft-payment-solution/

CVE-2025-8699: KioSoft “Stored Value” uses MiFare Classic cards with broken Crypto1. Balance and a simple XOR-based checksum are stored on-card, enabling offline tampering. With Proxmark (hf mf autopwn → edit dump/checksum → hf mf cload → hf mf csetuid) attackers set balances up to $655.35 and pay at terminals. Vendor claims firmware detection and plans secure-card hardware; no fixed version numbers. Workaround: migrate to Online Payment System.

#

🛠️ Tool | 🌐 Web | ⛓️ Web3

🔗 Original article: https://research.checkpoint.com/2025/under-the-pure-curtain-from-rat-to-builder-to-coder/

Check Point details an 8‑day ClickFix campaign deploying a Rust DLL loader (via regsvr32) that decrypts/executes PureHVNC. It documents loader anti‑analysis, AMSI bypass, persistence, PureHVNC’s protobuf config, TLS‑pinned protocol, registry‑stored plugins, and a full command set (HVNC/HRDP, shell, keylog, clipper, DDoS, etc.). A Sliver stage steals creds. Hardcoded GitHub URLs in the PureRAT builder tie repos to “PureCoder” (UTC+0300).

deep valeBOT
#

🌐 Web | 💣 RCE | 🎁 PoC | 🛠️ Tool

🔗 Original article: https://0xdf.gitlab.io/2025/09/16/htb-forgotten.html

A public, uninitialized LimeSurvey 6.3.7 let the attacker complete setup, create a superadmin, and upload a PHP plugin webshell for RCE. They gained a container shell, found LIMESURVEY_PASS in env, used it for container sudo and SSH to the Ubuntu 22.04 host, then abused a bind mount to drop a SUID bash and pop host root.

#

🌐 Web | 💉 XSS | 🎁 PoC

🔗 Original article: https://zoozoo-sec.github.io/blogs/PwningWasm-BreakingXssFilters/

A WASM chat app has an unchecked memcpy in editMsg(), enabling a linear‑memory heap overflow. After grooming realloc() to place the msg array (s->mess) next to a user buffer, the attacker overwrites msg_data pointers and the in‑memory HTML template. Replacing “<p>%.*s</p>” with “<img onerror=%.*s>” turns sanitized text into JS, yielding stored DOM XSS via the ?s= URL. Includes DevTools workflow, helper code, structs, and a copy‑paste PoC.

deep valeBOT
#

🌐 Web | 👾 Malware | 🕵️ Threat Intel | 🧩 Steganography

🔗 Original article: https://www.humansecurity.com/learn/blog/satori-threat-intelligence-alert-slopads-covers-fraud-with-layers-of-obfuscation/

SlopAds is a large Android ad‑fraud scheme across 224+ Play apps (38M installs). Apps fetch an encrypted Firebase config, gate activation to paid‑attributed installs, download a steganographic APK (FatModule) hidden in four PNGs, and run hidden WebViews that collect device data, pass anti‑analysis checks, follow redirect chains, and auto‑click viewable ads on actor‑owned H5 sites. Infra pivots on ad2[.]cc with 300+ promo domains. Google removed apps; Play Protect blocks behavior.

deep valeBOT
#

🛠️ Tool | 🌐 Web | 💥 DoS | 🎁 PoC

🔗 Original article: https://portswigger.net/research/websocket-turbo-intruder-unearthing-the-websocket-goldmine

Burp’s WebSocket Turbo Intruder adds Python-driven, high‑speed WebSocket fuzzing, robust filtering, a WS⇄HTTP middleware, and a CLI. It handles Socket.IO (EIO=4, Ping/Pong, “40” handshake), enables threaded race‑condition testing, and ships a Java WS DoS PoC by abusing payload length for OOM. Includes a WS logger and ID controls for debugging.

deep valeBOT
#

🌐 Web | 💣 RCE | 🔑 Credential Theft | 🪱 Worm

🔗 Original article: https://unit42.paloaltonetworks.com/npm-supply-chain-attack/

Unit 42 details “Shai‑Hulud,” a self‑replicating npm worm abusing postinstall hooks for RCE. It targets Linux/macOS, steals npm/GitHub/cloud secrets, exfiltrates to webhook.site, creates a public “Shai‑Hulud” GitHub repo with the loot, then republishes tainted packages using stolen tokens. Over 180 packages (incl. @ctrl/tinycolor) affected. Queries and IOCs provided.

deep valeBOT
#

🪟 Windows | 🔗 Symlink | 🛡️ EDR Evasion | 🚫 AV Tampering

🔗 Original article: https://www.zerosalarium.com/2025/09/Break-Protective-Shell-Windows-Defender-Folder-Redirect-Technique-Symlink.html

The post shows how to hijack Windows Defender’s execution folder. Create a higher-version directory symlink under ProgramData\Microsoft\Windows Defender\Platform pointing to an attacker-writable path (e.g., C:\TMP\AV). After reboot, WinDefend runs from that folder, enabling DLL sideloading or disabling Defender by deleting the link. Requires admin. High impact for evasion/disruption; no privesc.

#

🛠️ Tool | ⛓️ Web3

🔗 Original article: https://blog.trailofbits.com/2025/09/18/use-mutation-testing-to-find-the-bugs-your-tests-dont-catch/

Trail of Bits shows why high coverage is not enough and how mutation testing with Slither’s slither-mutate uncovers blind spots. It provides commands, output interpretation, common mutators, performance tips, and a DeFi case study (Arkis) where a surviving mutant led to a high‑severity fund‑drain bug due to trusting a user parameter over actual transfers.

#

🛠️ Tool | 📱 Android | 🛡️ CVE | 🎁 PoC

🔗 Original article: https://www.mobile-hacker.com/2025/09/18/automating-android-app-component-testing-with-new-apk-inspector/

APK Components Inspector auto-enumerates Android exported components, reads Smali to infer required Intent extras, and prints type-correct ADB commands. A companion script parses the output (adbcommands.txt) and interactively executes each command. The post explains setup, usage, on-device operation, related tools, and dives into Intent Redirection (CWE‑926) with real CVEs and mitigations.

deep valeBOT
#

🌐 Web | 🛡️ CVE

🔗 Original article: https://patchstack.com/articles/unauthenticated-broken-authentication-vulnerability-in-wordpress-jobmonster-theme/

Jobmonster ≤4.7.9 has an unauthenticated auth bypass (CVE-2025-54738). A social-login AJAX handler trusts POSTed id as email and calls wp_set_auth_cookie(), granting a valid session for any existing user. Exploit by POSTing action=<vulnerable_social_login_action>, using=bogus, id=<victim email>. Fixed in 4.8.0 by removing the POST fallback and only accepting validated provider data.

#

💣 RCE | 🛠️ Tool

🔗 Original article: https://0xdf.gitlab.io/2025/09/19/htb-baby.html

HTB Baby (Windows AD): Anonymous LDAP allows full user/group discovery. A default credential is identified in directory data and safely sprayed to gain a domain login. The compromised context has SeBackupPrivilege, enabling backup-mode/VSS reads of NTDS.dit + SYSTEM. secretsdump.py extracts Administrator’s hash, which is used for Pass‑the‑Hash over WinRM to obtain a DA shell (full domain takeover).

deep valeBOT
#

🛡️ CVE | 🛠️ Tool | 💣 RCE

🔗 Original article: https://0xdf.gitlab.io/2025/09/20/htb-fluffy.html

Assume-breach AD chain on DC01.fluffy.htb. Abuse CVE‑2025‑24071/24055 (ZIP‑embedded .library‑ms) to coerce NTLM and crack NetNTLMv2. BloodHound shows GenericWrite over a service account; reset its password and get a WinRM shell. From that foothold, exploit AD CS ESC16 with Certipy to obtain an Administrator‑usable certificate and achieve DA.

deep valeBOT
#

🎣 Phishing | 🧩 DLL Hijacking | 🔐 Malware | ☁️ Cloud C2

🔗 Original article: https://research.checkpoint.com/2025/nimbus-manticore-deploys-new-malware-targeting-europe/

Iran-linked Nimbus Manticore uses career-themed spear‑phishing to deliver a multi‑stage DLL sideloading chain that abuses the undocumented DllPath in RTL_USER_PROCESS_PARAMETERS. A signed Microsoft binary (SenseSampleUploader.exe) is coerced to load attacker xmllite.dll, persisting MiniJunk and MiniBrowse. MiniJunk supports file ops, process exec via named pipes, and DLL loading; MiniBrowse steals Chrome/Edge credentials. Heavy LLVM-like obfuscation, size inflation, SSL.com code-signing, and Cloudflare/Azure C2 minimize detection. A related dxgi.dll cluster shares the code base but is simpler.

#

🛡️ CVE | 💣 RCE | 💉 XSS | 🎁 PoC

🔗 Original article: https://blog.securelayer7.net/electron-app-security-risks/

The post shows how Electron misconfigurations let renderer XSS become OS RCE. It reproduces Notable CVE‑2020‑15174 via nodeIntegration:true and a markdown XSS spawning Calculator, and VS Code 1.63 CVE‑2021‑43908 via webview CSP (‘unsafe-inline’), postMessage trust, vscode-file path rewriting, and Node APIs. Includes mitigations and a public PoC.

deep valeBOT
#

🌐 Web | 🦠 Malware | 🕵️ Threat Intel | 🧩 IIS

🔗 Original article: https://unit42.paloaltonetworks.com/operation-rewrite-seo-poisoning-campaign/

Unit 42 details “Operation Rewrite,” an SEO‑poisoning campaign by Chinese‑speaking actors (CL‑UNK‑1037) using BadIIS implants on IIS and a PHP front controller. Implants hook IIS (OnBeginRequest/OnSendResponse), XOR‑decrypt config, serve C2 SEO pages to crawlers, and proxy/redirect real users. Variants include an ASP.NET Page_Load gateway, a managed C# IIS module (404 hijacking + crawler‑only injection), and a PHP sitemap/content‑rewriter. Extensive IoCs and overlaps with Group 9 are provided.

deep valeBOT
#

🌐 Web | 🛠️ Tool | 💣 RCE

🔗 Original article: https://www.synacktiv.com/en/publications/the-phantom-extension-backdooring-chrome-through-uncharted-pathways.html

Shows how to stealthily load arbitrary Chromium extensions on Windows by editing Preferences/Secure Preferences and forging HMACs using a seed from resources.pak. Covers extension ID derivation, seed extraction (file 146), MAC formulas for settings and developer_mode (≥134), policy bypasses (ID spoofing, stomping, HKCU edits), and noisy CLI fallback (≥137). High impact: full in‑browser code execution and persistence.

deep valeBOT
#

🛠️ Tool | 🛡️ CVE | 💣 RCE | 🎁 PoC

🔗 Original article: https://androidoffsec.withgoogle.com/posts/binder-fuzzing/

Guide to fuzz Android’s Binder using LKL with a stateful, multi‑client grammar and a randomized scheduler to simulate thread interleavings. It explains why syzkaller’s high coverage can still miss Binder logic/race bugs, details the CVE‑2020‑0423 race sequence, and provides a public fuzzer, plus a CVE‑2023‑20938 seed and reproduction steps.

#

🛡️ CVE | 📱 Android | 🧪 SQLi | 🎁 PoC

🔗 Original article: https://www.rapid7.com/blog/post/cve-2025-10184-oneplus-oxygenos-telephony-provider-permission-bypass-not-fixed/

CVE-2025-10184 lets any app on OxygenOS 12–15 OnePlus devices bypass READ_SMS by abusing OEM-added Telephony providers with no writePermission and an injectable update() WHERE. Via blind SQLi (unicode(substr()) + BETWEEN) and insert()-seeded rows, attackers infer-read the sms table (e.g., MFA codes). A permissionless PoC app targets content://service-number/service_number and related URIs.

deep valeBOT
#

🛡️ CVE | 💣 RCE | 🎁 PoC

🔗 Original article: https://www.thezdi.com/blog/2025/9/23/cve-2025-23298-getting-remote-code-execution-in-nvidia-merlin

CVE-2025-23298 in NVIDIA Merlin Transformers4Rec is an unsafe pickle deserialization bug in the checkpoint loader. A crafted checkpoint embeds an object whose `__reduce__` executes commands (e.g., via os.system) when torch.load() runs, yielding RCE—often as root in ML pipelines. NVIDIA patched by replacing raw torch.load with an allow-listed loader and added validation (PR #802). Use weights_only, safer formats (Safetensors/ONNX), signing, and sandboxed loads. 🎁 PoC and pre/post-patch gists are included.

#

🌐 Web | 🤖 AI | 🎣 Phishing | 🎁 PoC

🔗 Original article: https://redcanary.com/blog/threat-detection/ai-agent-mode/

Red Canary shows how “agent mode” can be socially engineered to run an AI‑in‑the‑Middle phish. A shared prompt drives the agent’s hosted browser to an attacker site, then the UX’s “Take over Browser” gets the user to enter credentials. Logins appear from Cloudflare IPs with UA Chrome/138 on macOS 10.15.7. Identity‑centric detections and restricting agent mode are recommended.

deep valeBOT
#

🛠️ Tool | 🌐 Web | 💰 Bug Bounty | 💉 XSS

🔗 Original article: https://portswigger.net/blog/welcome-to-ai-pentesting-add-on-demand-ai-assistance-directly-to-your-workflow-with-new-agentic-burp-ai-capabilities

PortSwigger’s Burp AI embeds an agentic assistant directly in Burp Repeater. Using natural‑language prompts, it surfaces leads, automates stored XSS/CSRF checks, generates filter‑bypass payloads (XSS/SQLi/template injection), and turns PoCs into impactful demos—while you stay in control. Includes AI recorded logins, data‑handling assurances, and 10k free credits.

#

🛠️ Tool | 🧪 Static Analysis | 💻 C/C++ | 🧵 Taint Tracking

🔗 Original article: https://blog.trailofbits.com/2025/09/25/taming-2500-compiler-warnings-with-codeql-an-openvpn2-case-study/

Trail of Bits built a CodeQL pipeline to triage implicit integer conversions in C. On OpenVPN2, it cut ~2.5k compiler warnings to 20 tainted, high-priority cases using alteration-type filtering, constant checks, (IR) range analysis, domain models, and taint tracking. Code, query snippets, and function models are provided; no exploitable issues were found.

#

🌐 Web | 📱 Android | 🧪 Malware | 🕵️ Threat Intel

🔗 Original article: https://dti.domaintools.com/banker-trojan-targeting-indonesian-and-vietnamese-android-users/

Since Aug 2024, BankBot variants target Indonesian/Vietnamese Android users via fake Play pages. Key tradecraft: Socket.IO/WebSocket “APK smuggling” streams chunks, assembles an APK Blob client-side, and auto-triggers download—evading static-URL and extension filters. Includes concrete IOCs (domains, hashes, C2s), open directory staging, and infra patterns (Alibaba/Gname/share-dns, nginx, R10/R11/WE1).

#

🛠️ Tool | 🛡️ CVE | 🎁 PoC | 🔓 LPE

🔗 Original article: https://github.com/Skorpion96/unisoc-su/tree/main

Exploit chain and scripts to pivot from EngineerMode’s system shell (CVE-2025-31710) to root on Unisoc devices by racing cmd_services: enable via setprop, then immediately connect with cli-pie to the abstract socket cmd_skt. Relay a local shell with nc and source unisoc-su.sh to complete the root pivot. Works up to Android 13; Android 14/15 usually blocked unless OEM exceptions or tool_service. Includes GhostRoot RAM channel.

#

🛠️ Tool

🔗 Original article: https://www.synacktiv.com/publications/appledbrs-un-outil-daide-a-la-recherche-sur-plateformes-apple.html

appledb_rs is a Rust tool that mounts IPSWs, parses Mach‑O LC_CODE_SIGNATURE → CS_SuperBlob → CSMAGIC_EMBEDDED_ENTITLEMENTS, extracts entitlements and framework imports, and stores them in a normalized DB (SQLite/PostgreSQL) browsable via a React UI and OpenAPI API. It details sea_orm DB‑agnostic design, a SQLite AUTOINCREMENT/i32→i64 workaround, example SQL, ipsw commands, and research use cases (search, diff, dependency mapping).

deep valeBOT
#

🛡️ CVE | 🌐 Web | 💣 RCE | 🧩 Deserialization

🔗 Original article: https://labs.watchtowr.com/is-this-bad-this-feels-bad-goanywhere-cve-2025-10035/

CVE-2025-10035 is a critical flaw in GoAnywhere MFT’s License Servlet. A logic bug lets unauthenticated users generate a session token via an error handler, then reach a deserialization sink that unwraps a SignedObject. RCE would require a valid signature over a malicious inner object; researchers couldn’t bypass verification. Patch 7.8.4/7.6.3 hardens deserialization and removes the unauthenticated token path.

#

🎲 PRNG | 🎁 PoC | 🛠️ Tool | 🔍 Reverse Engineering

🔗 Original article: https://blog.doyensec.com/2025/09/25/yet-another-random-story.html

VBScript’s PRNG seeds from the system clock at 64 Hz and narrows to Single, collapsing entropy. No-arg Randomize and Randomize <seed> use different seed paths, so you must craft a Double whose high dword matches Timer()’s float32 to emulate implicit seeding. A VBS+Python PoC brute-forces 0.015625 s steps to recover a 32-char token.

#

🌐 Web | 🛡️ CVE | 🎁 PoC | 🕵️ InfoLeak

🔗 Original article: https://exploit.az/posts/wor/

Abuses MySQL FTS Boolean operators to keep a trailing wildcard inside quoted MATCH…AGAINST(), bypassing MyBB’s keyword cleaning via a two‑token trick. A redirect‑vs‑error oracle then reveals whether titles start with a probed prefix, leaking deleted/hidden thread names (CVE‑2025‑48941). Includes Go ReDoS demo and a Go fuzzer PoC.

deep valeBOT
#

🛡️ CVE | 💣 RCE | 🌐 Web

🔗 Original article: https://labs.watchtowr.com/it-is-bad-exploitation-of-fortra-goanywhere-mft-cve-2025-10035-part-2/

watchTowr reports in-the-wild exploitation of Fortra GoAnywhere MFT CVE-2025-10035 starting 2025-09-10. A pre-auth deserialization bug enables RCE, creation of a backdoor admin (admin-go), provisioning of a web user, and upload/exec of payloads (zato_be.exe, SimpleHelp jwunst.exe). IoCs include two SHA-256 hashes, actor IP 155.2.190.197, and whoami/groups output redirected to C:\Windows\test.txt.

#

🔓 Infoleak | 🍎 Apple | 🧬 Serialization | 🧠 Technique

🔗 Original article: https://googleprojectzero.blogspot.com/2025/09/pointer-leaks-through-pointer-keyed.html

Project Zero shows a deterministic remote pointer leak via NSKeyedUnarchiver→NSKeyedArchiver. By mixing crafted colliding keys with a pointer‑hashed singleton (e.g., NSNull) in NSDictionary, the re‑serialized output order reveals bucket placement and leaks dyld shared cache address bits, enabling ASLR bypass without timing or memory‑safety bugs. Fixed by Apple on 2025‑03‑31.

#

💣 RCE | 🛠️ Tool | 🎁 PoC | 🏢 Active Directory

🔗 Original article: https://0xdf.gitlab.io/2025/09/26/htb-babytwo.html

Compromise a Windows AD domain by poisoning a writable SYSVOL logon script to gain a reverse shell as a domain user, then abuse AD ACLs (WriteOwner/WriteDacl) to seize the GPOADM service account and pave the way for GPO-based admin. Steps include SMB/LDAP recon with NetExec, .lnk analysis (LnkParse3), BloodHound CE graphing, and PowerView to modify ACLs and reset passwords. High risk: broad RCE via logon scripts and domain principal takeover.

deep valeBOT
#

🧩 AD | 🧪 DPAPI | 🛠️ Tool | 💣 RCE

🔗 Original article: https://0xdf.gitlab.io/2025/09/27/htb-puppy.html

HTB Puppy demonstrates an AD attack chain: abuse GenericWrite to join Developers and read a DEV share; crack a KeePassXC v4 (Argon2) vault with John; spray recovered passwords to pivot; use GenericAll to reset and enable a disabled user for WinRM; mine a site backup for LDAP bind creds; then decrypt DPAPI Credential Manager secrets to obtain an admin account and RCE on the DC.

deep valeBOT
#

🌐 Web | 💰 Bug Bounty | 💉 XSS | 🎁 PoC

🔗 Original article: https://marxchryz.medium.com/escalating-an-html-injection-into-1-click-account-takeover-3ba9dbf0ce5f

Chained an SSO returnUrl allow‑list with an SSRF‑powered HTML injection on a whitelisted subdomain. Despite a strict CSP (default‑src 'none'), the attacker used meta refresh plus meta referrer (unsafe‑url) to force a cross‑origin redirect that leaked the full SSO URL, including ?token=JWT, via the Referer header. Includes a Node/Express PoC and a 1‑click payload.

deep valeBOT
#

🌐 Web | 💰 Bug Bounty | 💉 XSS | 🎁 PoC

🔗 Original article: https://www.yeswehack.com/learn-bug-bounty/ultimate-guide-csrf-vulnerabilities

A practical CSRF exploitation guide with ready PoCs. Covers POST and GET CSRF, stored CSRF via embedded images and session‑agnostic tokens, and a login‑CSRF→stored‑XSS chain. Shows referrer suppression and method‑override (_method) bypasses, plus STP, Double Submit Cookies, SameSite, and user‑interaction mitigations. Includes Burp‑generated PoCs and learning resources.

#

🌐 Web | 🛠️ Tool | 🎁 PoC | 🛡️ CVE

🔗 Original article: https://www.yeswehack.com/learn-bug-bounty/ultimate-guide-race-condition-vulnerabilities

Guide to exploiting web race conditions with HTTP/1.1 last-byte sync and HTTP/2 single-packet techniques. Walkthrough of PortSwigger’s coupon multi-apply lab using Burp Turbo Intruder (engine, gate/openGate, negative timestamps), with code and links. Lists real CVEs and provides concrete mitigations (locks, transactions, idempotency, atomic ops, rate limits, testing).

#

🌐 Web | 💣 RCE | 🎁 PoC

🔗 Original article: https://www.yeswehack.com/dojo/dojo-ctf-challenge-winners-44

Ruby app logs a user-supplied script name, then loads a file built from it using Pathname.cleanpath. By injecting a newline-led Ruby payload and appending “#://../../../../logs/error.log”, the raw payload is logged while cleanpath resolves to ../logs/error.log, causing the app to load and execute the injected log line. The payload closes a dangling bracket (][0]=1) and runs arbitrary code (e.g., reading /tmp/flag*.txt). Impact: RCE. Mitigate by removing user-controlled load paths and enforcing allowlists.

deep valeBOT
#

🌐 Web | 👾 Malware | 🕵️ APT | 💣 RCE

🔗 Original article: https://unit42.paloaltonetworks.com/phantom-taurus/

Unit 42 details Phantom Taurus, a Chinese‑nexus APT, and NET‑STAR: a .NET IIS malware suite enabling in‑memory RCE, encrypted C2, DB access, and timestomping. A WMI‑delivered mssq.bat shifts collection from email to SQL databases. IIServerCore runs inside w3wp.exe, uses AES‑ECB + Gzip + Base64, cookie sessions, and rich commands. AssemblyExecuter v2 adds AMSI/ETW bypass. Full IoCs and hunt tips provided.

deep valeBOT
#

🌐 Web | 🛡️ CVE | 🎁 PoC | 💰 Bug Bounty

🔗 Original article: https://xbow.com/blog/cooking-an-sql-injection-vulnerability-in-chef-automate

XBOW found CVE-2025-8868: a time‑based blind SQL injection in Chef Automate’s /api/v0/compliance/profiles/search. Abuse of a default x-data-collector-token enabled access. Injecting via filters[].type with payloads like "name'||(SELECT pg_sleep(5))||'" produced pq-backed 500s and measurable delays, proving SQL execution. Impact: critical data compromise. Upgrade to 4.13.295+.

deep valeBOT
#

📡 IoT | 💣 RCE | 🌐 Web | 🎁 PoC

🔗 Original article: https://ssd-disclosure.com/lg-webos-tv-path-traversal-authentication-bypass-and-full-device-takeover/

Unauthenticated path traversal on LG webOS TVs (port 18888) leaks LevelDB pairing tokens from /var/db/main. Using the stolen token, an attacker bypasses secondscreen pairing, enables Dev Mode, downloads/installs a malicious IPK, and launches it for RCE. A PoC also abuses /tmp/remotelogger for likely root. Full device takeover is achievable.

#

🛡️ CVE | ⬆️ PrivEsc | 🐧 Linux | 🎁 PoC

🔗 Original article: https://blog.nviso.eu/2025/09/29/you-name-it-vmware-elevates-it-cve-2025-41244/

CVE-2025-41244: VMware service discovery runs version checks on binaries matched by overly broad regexes and executes attacker-controlled paths (e.g., /tmp/httpd) found in listening processes. A Go PoC opens a listener, then gets invoked as “-v” by the privileged collector to spawn /bin/sh -i as root. Affects open‑vm‑tools (credential‑less) and Aria SDMP (credential‑based). Detect odd children of vmtoolsd/get-versions.sh and SDMP artifacts in /tmp. Patch released 2025‑09‑29.

deep valeBOT
#

🌐 Web | 🛡️ CVE | 💣 RCE | 🛠️ Tool

🔗 Original article: https://patchstack.com/articles/q3-2025s-most-exploited-wordpress-vulnerabilities-and-how-patchstacks-rapidmitigate-blocked-them/

Q3 2025 saw active exploitation of four critical WordPress plugin bugs (CVE-2025-27007, -1562, -2011, -2294). Flaws include missing/weak auth on REST routes, unauth plugin installs, SQLi via an unsanitized search parameter, and LFI via a template parameter. Patchstack RapidMitigate shipped targeted rules that blocked hundreds to thousands of attempts while admins patched.

#

📡 IoT | 🛡️ CVE | 💣 RCE | 🌐 Web

🔗 Original article: https://unit42.paloaltonetworks.com/totolink-x6000r-vulnerabilities/

Unit 42 analyzes three unauthenticated bugs in TOTOLINK X6000R V9.4.0cu.1360_B20241207: a hyphen-driven argument injection (CVE-2025-52905), command injection in setEasyMeshAgentCfg’s agentName (CVE-2025-52906), and a sanitization bypass in setWizardCfg enabling arbitrary file writes (CVE-2025-52907). All flow through /cgi-bin/cstecgi.cgi topicurl routing. Update to V9.4.0cu.1498_B20250826.

#

🔬 Malware Analysis | 🥷 Evasion | 🧩 Obfuscation | 🛠️ Tool

🔗 Original article: https://research.checkpoint.com/2025/rhadamanthys-0-9-x-walk-through-the-updates/

Deep dive into Rhadamanthys 0.9.2 internals: XS1_B/XS2_B header churn, multilayer config (custom Base64 → ChaCha20 → XOR → LZO), checksum-addressed Stage‑2 with LFSR XOR, expanded anti‑sandbox (UUIDv1 MAC + WMI HWID), PNG‑based Stage‑3 delivery, RC4 string crypto, configurable injection targets, WebSocket C2 with NTP prechecks and cosmetic domain churn, plus new Ledger Live Lua stealer and browser fingerprinting. Updated tools and IOCs included.

#

🌐 Web | 🛡️ CVE | 🎁 PoC | 🔐 AuthZ

🔗 Original article: https://www.depthfirst.com/post/how-an-authorization-flaw-reveals-a-common-security-blind-spot-cve-2025-59305-case-study

CVE-2025-59305: Langfuse’s tRPC background-migration endpoints used AuthN-only guarded procedures, letting any logged-in user list and restart migrations. Attackers can induce data corruption (race conditions) or DoS (resource exhaustion). PoC curl calls to backgroundMigrations.all and .retry are provided. Fixed on Sep 9, 2025 by adding admin-only authorization; disclosed Sep 15, 2025.

#

📱 Android | 🧩 RAT | 💳 Banking Trojan | 📊 IoC

🔗 Original article: https://www.threatfabric.com/blogs/datzbro-rat-hiding-behind-senior-travel-scams

ThreatFabric (Sep 30, 2025) details Datzbro, an Android device‑takeover RAT spread via fake “senior travel” Facebook groups. The APK (sometimes via Zombinder) abuses Accessibility Services for remote control, black overlays, and a “schematic” UI mode, plus camera/mic, SMS/contacts/app/file ops. Hardcoded filters target banking/crypto flows; fake activities harvest Alipay/WeChat/device PINs. A leaked Chinese desktop C2/builder indicates broad actor adoption. IoCs and full bot command set are provided.

#

📱 Android | 🏦 Banking | 🧪 Malware | 🔬 Analysis

🔗 Original article: https://www.cleafy.com/cleafy-labs/klopatra-exposing-a-new-android-banking-trojan-operation-with-roots-in-turkey

Cleafy exposes Klopatra, a 2025 Android banking trojan using Virbox-protected native code, Accessibility abuse, HVNC black-screen control, and dynamic HTML overlays to steal credentials and perform real-time fraud. Two botnets (>3,000 devices) target Spain and Italy. Turkish-language artifacts and operator notes tie it to a Turkish-speaking group. Infrastructure sits behind Cloudflare with origin IPs recovered via OPSEC mistakes.

#

📡 IoT | 🌐 Web | 🛡️ CVE

🔗 Original article: https://blog.sekoia.io/silent-smishing-the-hidden-abuse-of-cellular-router-apis/

Attackers abuse Milesight cellular routers’ /cgi JSON API—often without auth—to read/send SMS for smishing. Sekoia.io honeypots (Jun–Jul 2025) saw Belgium‑focused CSAM/eBox lures; mass waves hit Sweden (42,044) and Italy (31,353). Infra clusters on Podaon SIA (AS210895) and jnsi/estrk (AS211860). Mobile‑gated kits use detect_device.js; GroozaV2 artefacts and GroozaBot aid hunting.

#

🌐 Web | 🛡️ CVE | 💣 RCE | 🎁 PoC

🔗 Original article: https://www.rcesecurity.com/2025/09/when-audits-fail-four-critical-pre-auth-vulnerabilities-in-trufusion-enterprise/

Four pre-auth flaws in TRUfusion Enterprise allow: arbitrary file read with Base64 exfil (CVE‑2025‑27222), global auth bypass by forging IDEA‑encrypted cookies with a hard‑coded key (CVE‑2025‑27223), arbitrary file write to webroot enabling JSP RCE (CVE‑2025‑27224), and unauth PII disclosure (CVE‑2025‑27225). Includes a Java PoC, exact endpoints/params, and exploit chains.

deep valeBOT
#

📶 Wi‑Fi | 🛡️ CVE | 🔏 Privacy | 🎁 PoC

🔗 Original article: https://7h30th3r0n3.fr/the-vulnerability-that-killed-freewifi_secure/

FreeWifi_secure used EAP‑SIM without identity protection, causing phones to send IMSIs in clear within EAP‑Response/Identity. A passive sniffer (airmon‑ng + Wireshark/Kismet) can capture strings like IMSI@wlan.mnc015.mcc208.3gppnetwork.org, enabling tracking and telecom‑layer abuse. Vendor disabled the SSID on legacy Freeboxes on Oct 1, 2025. Root cause: no pseudonym/TLS tunnel for EAP identity.

#

🌐 Web | 🎯 Clickjacking | 🧩 Browser Extensions | 🎁 PoC

🔗 Original article: https://marektoth.com/blog/dom-based-extension-clickjacking/#browser-extension-clickjacking

Research shows a new DOM-based extension clickjacking technique that hides password-manager autofill UI (via opacity/overlays) and redirects a user’s click to select items. One click can leak credit cards/PII; a few clicks via XSS on related subdomains can steal credentials and TOTP. Includes code snippets, PoCs, affected versions, and mitigations.

deep valeBOT
#

📡 IoT | 🛡️ CVE | 🔓 AuthZ Bypass | 🎁 PoC

🔗 Original article: https://bishopfox.com/blog/how-a-20-smart-device-gave-me-access-to-your-home

Bishop Fox demonstrates that YoLink hubs and the mobile app use plaintext MQTT on TCP/8001 and lack cross‑tenant MQTT ACLs. By deriving a per‑device config URL via MD5(deviceId||static_key), attackers harvest MQTT creds, subscribe to admin topics to steal Wi‑Fi passwords, and publish to victims’ control topics (e.g., unlock smart locks). Includes UART log capture, Ghidra findings, MQTT topic formats, and PoC commands.

#

📡 IoT | 🛡️ CVE | 🎁 PoC | 🌐 Web

🔗 Original article: https://bishopfox.com/blog/yosmart-yolink-hub-version-0382

Bishop Fox found four issues in YoLink Hub v0382: cross‑account device control via MQTT (CVE‑2025‑59449), API‑based credential harvest using MD5(deviceId+secret) (CVE‑2025‑59452), cleartext MQTT exposing creds/commands (CVE‑2025‑59448), and week‑long session persistence (CVE‑2025‑59451). Repro steps include UART/Wi‑Fi MAC discovery, API hash calc, and MQTT pub/sub to unlock locks and intercept Wi‑Fi passwords. No fixes.

deep valeBOT
#

🌐 Web | 💣 RCE | 🛠️ Tool | 🎁 PoC

🔗 Original article: https://0xdf.gitlab.io/2025/10/04/htb-certificate.html

Two ZIP-parser tricks (null-byte name inside ZIP and stacked ZIPs) bypass an allowlist to drop a PHP webshell for RCE. From RCE, leak DB creds in db.php, dump bcrypt hashes, crack “sara.b:Blink182,” and WinRM in. A workstation PCAP yields Kerberos roasting for the next user. Then AD CS ESC plus SeManageVolumePrivilege enables CA key exfil and a Golden Certificate, impersonating Administrator for full domain compromise.

deep valeBOT
#

🛡️ CVE | 💣 RCE | 🎁 PoC | 📱 iOS

🔗 Original article: https://github.com/JGoyd/iOS-Attack-Chain-CVE-2025-31200-CVE-2025-31201

Two iOS 18.x bugs form a zero‑click iMessage/SMS chain: CVE‑2025‑31200 (CoreAudio/AudioConverterService heap corruption) and CVE‑2025‑31201 (PAC bypass via an RPAC path). A malicious .amr sample demonstrates the trigger. The chain claims to bypass Blastdoor, escalate to kernel, and enable keychain/CryptoTokenKit abuse. Fixed in iOS 18.4.1 (Apr 16, 2025).

#

🌐 Web | 🎣 Phishing | 🛠️ Tool | 🧪 Malware

🔗 Original article: https://unit42.paloaltonetworks.com/clickfix-generator-first-of-its-kind/

Unit 42 details a phishing-kit builder, the IUAM ClickFix Generator, that crafts fake CDN verification pages to copy hidden OS-specific commands to victims’ clipboards and coerce console execution. Campaigns showed Windows chains delivering DeerStealer via batch→MSI and macOS Base64 bash installing Odyssey (often with nohup). Pages share HTML/JS structure, use OS detection, homograph domains, and can be injected into compromised sites. Extensive hashes, C2 IPs, and domains are provided.

deep valeBOT
#

🛠️ Tool | 📡 IoT | 🎁 PoC | 💣 RCE

🔗 Original article: https://github.com/R0rt1z2/fenrir

Fenrir is a PoC that patches MediaTek’s bl2_ext to always bypass verification when seccfg is unlocked, yielding EL3 code execution and a collapsed secure boot chain. It supports Nothing Phone (2a) and partially CMF Phone 1, adds fastboot commands, lock‑state spoofing, and offers detection via expdb logs showing img_auth_required=0.

#

🛡️ CVE | 💣 RCE | 🛠️ Tool | 🎁 PoC

🔗 Original article: https://www.thezdi.com/blog/2025/10/6/crafting-a-full-exploit-rce-from-a-crash-in-autodesk-revit-rfa-file-parsing

CVE‑2025‑5037: A type confusion in Revit’s RFA deserializer lets an attacker deserialize AString (idx 0x1F) so the destructor loop executes an attacker‑chosen gadget. On Win10 a “monster gadget” pivots the stack via mov esp,eax; on Win11 two loop‑executed gadgets perform a 64‑bit pivot. A non‑ASLR DLL supplies gadgets and imports to resolve ucrtbase!system for command exec. RFA’s Global\Latest is GZIP+ECC; ECC must be recomputed. CompoundFileTool and WinDBG/IDA/TTD support the exploit.

deep valeBOT
#

🛡️ CVE | 💣 RCE | 🌐 Web | 🎁 PoC

🔗 Original article: https://0xdf.gitlab.io/2025/10/09/htb-watcher.html

Exploit Zabbix CVE‑2024‑22120 to time‑bruteforce the session_key and Admin session_id, forge an admin cookie, and execute Scripts for RCE as user zabbix. Dump DB creds, pivot via SSH port‑forward to local TeamCity, harvest a user’s password by patching Zabbix login, reuse it to log into TeamCity (running as root) and execute a build step to gain root.

deep valeBOT
#

🌐 Web | ☁️ Cloud | 🎁 PoC

🔗 Original article: https://trustedsec.com/blog/skimming-credentials-with-azures-front-door-waf

Abuses Azure Front Door WAF Custom Rules and diagnostics to log POST credentials. Create a log-only rule matching POST params (e.g., username/password), enable AFD WAF diagnostics to Log Analytics, then query AzureDiagnostics (Category=FrontDoorWebApplicationFirewallLog) and read details_matches_s to retrieve cleartext creds. Works on AFD WAF; Application Gateway WAF custom rules don’t log matched payloads.

deep valeBOT
#

🌐 Web | 🎁 PoC

🔗 Original article: https://unit42.paloaltonetworks.com/indirect-prompt-injection-poisons-ai-longterm-memory/

Unit 42 shows how indirect prompt injection can poison an LLM agent’s long‑term memory in Amazon Bedrock Agents. Malicious webpage content enters the session‑summarization prompt via the tool’s result field, gets stored as memory, then reinjected as system instructions in later sessions to silently exfiltrate data with scrape_url. Defense: Bedrock Guardrails, pre‑processing/Lambda parsing, URL allowlists, and detailed logging/trace.

deep valeBOT
#

📱 Android | 🐞 Malware | 📡 C2 | 🎣 Phishing

🔗 Original article: https://zimperium.com/blog/clayrat-a-new-android-spyware-targeting-russia

ClayRat is Android spyware spread via Telegram and phishing sites impersonating popular apps. It uses session‑based droppers with encrypted payloads in /assets, abuses the default SMS handler role for broad message control, and communicates via HTTP (base64 with marker “apezdolskynet”) or AES‑GCM. Commands cover SMS/call/notification exfiltration, camera capture, mass SMS, and WebSocket proxying. Broadcast Receivers provide event‑driven control. IOCs are published by Zimperium.

deep valeBOT
#

🛠️ Tool | 🌐 Web

🔗 Original article: https://bishopfox.com/blog/burp-variables-burp-suite-extension

Burp Variables adds Postman-like variables to Burp Suite. Define project-level pairs and reference them as ((name)) anywhere in requests; values are auto-replaced on send. Scope-aware proxy replacement prevents secret leaks. Install from the BApp Store or GitHub, verify results in Logger, and use import/export to migrate data between projects.

deep valeBOT
#

🛠️ Tool | 🎁 PoC

🔗 Original article: https://github.com/rasta-mouse/Crystal-Kit

Crystal Kit is a Cobalt Strike evasion experiment that replaces Sleepmask/BeaconGate with Crystal Palace PIC/O executed via prepend‑style UDRLs. The repo provides an Aggressor Script, a Java client extension, and UDRLs for staging/post‑ex. README notes planned hardening (no RWX, GMA/GPA patching, AMSI/ETW bypass, allocation tracking, cleanup). It shifts detection surfaces from stock CS to UDRL/PIC‑driven behaviors.

#

🛠️ Tool | 🎁 PoC

🔗 Original article: https://rastamouse.me/crystal-kit/

Crystal Kit is a PoC toolkit that replaces Sleepmask/BeaconGate by hooking a module’s IAT to route API calls into PIC that can mask memory and spoof call stacks. It adds evasion to unsupported APIs like CreateProcessA, works with BOFs and post-ex DLLs, and includes a reflective loader, a Draugr-based PIC stub, a PICO IAT hooker, and an Aggressor script.

deep valeBOT
#

🛡️ CVE | 📱 Android | 🕵️ Side-Channel | 🔒 Privacy

🔗 Original article: https://www.pixnapping.com/

Pixnapping (CVE-2025-48561) lets a zero‑permission Android app exfiltrate on‑screen secrets from other apps/websites by combining intents, a semi‑transparent overlay with window blur, and GPU.zip timing via VSync. Works on Pixel 6–9 and Galaxy S25 (Android 13–16 up to BP3A.250905.014). Google’s initial blur‑limit patch is bypassable; a further fix is slated for Dec 2025.

#

🛠️ Tool | 📱 Android | 🔬 Reverse Engineering | 📦 APK

🔗 Original article: https://github.com/AndnixSH/APKToolGUI

Windows GUI that wraps Apktool, Baksmali/Smali, APKEditor.jar, signapk, and zipalign to streamline Android APK reverse engineering. Supports decompile/rebuild, split‑APK merge, signing, zipalign, framework cleanup (removes DUMMY_APKTOOL), ADB helpers, and high‑DPI/long‑path. Requires Java 8/17 and .NET 4.8. Update by replacing jars in Resources; reset by deleting config.xml. Includes translation via .resx.

#

🛠️ Tool | 🌐 Web

🔗 Original article: https://www.pentestpartners.com/security-blog/compiling-static-nmap-binary-for-jobs-in-restricted-environments/

How-to for building a trustworthy, statically linked Nmap for restricted Linux environments. Uses Docker (Ubuntu 22.04) to compile OpenSSL 1.1.1w and PCRE2 10.43 statically, then Nmap 7.98 with included libpcap/dnet. Packages the binary with all NSE data. Includes a full one-liner, verification step, and links to sources and a helper tool.

#

🛠️ Tool | 🌐 Web | 💰 Bug Bounty

🔗 Original article: https://github.com/MrTurvey/flareprox

FlareProx deploys Cloudflare Workers as HTTP pass-through proxies for IP masking and simple rotation. Configure Cloudflare API token/account, create endpoints, then send requests via ?url= or X-Target-URL. Supports all HTTP methods, cURL usage, and a Python API. Useful for authorized testing, bug bounties, and research; free tier ~100k requests/day.

deep valeBOT
#

📱 Android | 🪲 Malware | ⛏️ Cryptominer | 🛰️ C2

🔗 Original article: https://cyble.com/blog/ghostbat-rat-inside-the-resurgence-of-rto-themed-android-malware/

GhostBat RAT uses RTO/mParivahan‑themed APKs to deploy a multi‑stage Android dropper (XOR → DexClassLoader → AES key from SHA‑1(filename)[0:16]) or a native .so packer (JNI runtime resolution). Final app phishes UPI, exfiltrates/forwards SMS/OTP, registers via Telegram bots, and can mine crypto. Distribution uses GitHub and compromised WordPress via smishing shortlinks.

#

📧 Phishing | 🛠️ Tool | 🕵️ Evasion | 🦠 Malware

🔗 Original article: https://unit42.paloaltonetworks.com/phantomvai-loader-delivers-infostealers/

Unit 42 details PhantomVAI, a C# .NET loader delivered via phishing. Obfuscated JS/VBS runs Base64 PowerShell that extracts a Base64 DLL hidden in images between markers (<<sudo_png>>…<<sudo_odt>>). The loader performs VM checks (VMDetector-based), sets persistence (scheduled tasks, wscript.exe, Run key), retrieves the payload and process‑hollows into MSBuild.exe. It now delivers Katz Stealer, AsyncRAT, XWorm, FormBook and DCRat. Katz Stealer targets browsers, wallets and comms apps and aborts on CIS locales via Windows APIs.

deep valeBOT
#

🤖 AI | 🌐 Web | 🛠️ Tool | 🔎 Detection

🔗 Original article: https://redcanary.com/blog/threat-detection/ai-cli-tools/

Adversaries misuse AI CLIs (Claude Code, Gemini CLI, Warp, OpenAI Codex) to run local agentic workflows that read/write files, enumerate credentials, and call MCP tools over STDIO/HTTP. The post details concrete telemetry chains (node→uv→python), log locations (.gemini logs.json, .claude history.jsonl), and detection priorities (parent–child lineage, sensitive paths, outbound MCP). Impact: high risk of credential theft and covert automation.

deep valeBOT
#

🌐 Web | 🛡️ CVE | 💣 RCE | 🛠️ Tool

🔗 Original article: https://labs.watchtowr.com/its-never-simple-until-it-is-dell-unityvsa-pre-auth-command-injection-cve-2025-36604/

CVE‑2025‑36604: Dell UnityVSA pre‑auth RCE via command injection in AccessTool.pm::getCASURL. When type="login", raw $r->uri() is concatenated into a shell command and run via Perl backticks. Triggered by AccessHandler’s unauthenticated login redirect for resolvable paths. Fixed in 5.5.1 (DSA‑2025‑281). watchTowr provides a Detection Artefact Generator.

#

🔐 Cryptography | 📜 Protocol | 🎁 PoC

🔗 Original article: https://www.synacktiv.com/en/publications/quantum-readiness-hybridizing-key-exchanges.html

The post shows why naïve hybrid KEM combiners (concatenate or concatenate‑then‑hash) can fail under IND‑CCA via ciphertext second pre‑images. A DH PoC exploits an order‑2 tweak with an even private key to create colliding capsules. Secure designs bind the KDF to secrets + capsules + public keys (Campagna–Petcher). The IETF Composite ML‑KEM combiner optimizes by omitting ML‑KEM capsule/pk using ML‑KEM’s proven second pre‑image resistance.

#

🛡️ CVE | 🐧 Linux | 💣 RCE | 🎁 PoC

🔗 Original article: https://blog.doyensec.com/2025/10/08/ksmbd-3.html

Deterministic OOB write in ksmbd’s streams_xattr lets an authenticated user overflow a 16‑page kvzalloc buffer and corrupt adjacent pages. Doyensec pre-grooms the buddy allocator, overflows kmalloc‑cg‑4k msg_msg slabs, builds a UAF, leaks heap and anon_pipe_buf_ops to bypass KASLR/SMEP/SMAP, and ROPs via pipe_buf_operations to root. PoC and full exploit provided.

#

🌐 Web | 🛡️ CVE | 💣 RCE | 🐘 PHP

🔗 Original article: https://patchstack.com/articles/php-object-injection-patched-in-quiz-and-survey-master-plugin-affecting-40k-sites/

Unauthenticated PHP Object Injection in Quiz and Survey Master ≤10.2.5 via admin-ajax action qmn_process_quiz. Attacker input in quiz_answer_random_ids reaches maybe_unserialize(), instantiating objects and enabling POP chains (potential RCE). Fixed in 10.2.6 by using unserialize with ['allowed_classes' => false]. CVE-2025-49401, CVSS 9.8.

#

🌐 Web | 💰 Bug Bounty | 🔒 Access Control

🔗 Original article: https://medium.com/@kalvik/confluence-takeover-how-a-simple-support-email-gave-me-full-wiki-access-a9ac7c27fa31

A single email to a JSM support address auto-provisioned an Atlassian account. After accepting the invite, enumerating product paths revealed Confluence at /wiki granted full read/write. Root cause: support-driven account creation in the main tenant plus Confluence spaces open to “all authenticated users.” Impact: critical data exposure and content tampering. Fix: restrict auto-provisioning and lock down Confluence permissions.

#

🛡️ CVE | 💣 RCE | 📱 Android | 🎮 Unity

🔗 Original article: https://flatt.tech/research/posts/arbitrary-code-execution-in-unity-runtime/

Unity Android apps parse the Intent extra “unity” as CLI args. A hidden flag, -xrsdk-pre-init-library, makes the runtime dlopen an arbitrary path, enabling native code execution in the app’s context. Local apps can trigger this via an exported UnityPlayerActivity; remote one‑click is possible if BROWSABLE is set and attacker-controlled bytes are cached under /data. Unity patched 2019.1+.

#

📱 Android | 💉 XSS | 🌐 Web | 🎁 PoC

🔗 Original article: https://mobeta-fr.translate.goog/android-intent-hijacking-pentest-mobile/

The post explains Android Intent internals and shows two exploit paths: unvalidated Intent-derived input leading to WebView XSS (with full victim code) and Intent Hijacking via matching intent-filters to intercept sensitive tokens. It demonstrates resolver tracing with FLAG_DEBUG_LOG_RESOLUTION and provides a GitHub lab PoC.

deep valeBOT
#

🖥️ Windows | 🚫 DoS | 🖌️ GDI | 🎁 PoC

🔗 Original article: https://research.checkpoint.com/2025/denial-of-fuzzing-rust-in-the-windows-kernel/

CPR found a DoS in Windows 11 24H2’s Rust‑based GDI REGION code (win32kbase_rs.sys 10.0.26100.3037). A crafted EMF+ (wide Pen + malformed Beziers) triggers a bounds‑check panic via NtGdiSelectClipPath, causing BSOD. Fuzzing with WinAFL uncovered it; a PowerShell PoC reproduces it. Microsoft fixed it in OS Build 26100.4202 (KB5058499) by adding a bounds‑hardened add_edge_new() behind a feature flag.

#

🖥️ Windows | 🛠️ Tool | 🔌 RPC | 📑 Registry

🔗 Original article: https://trustedsec.com/blog/theres-more-than-one-way-to-trigger-a-windows-service

Windows Service Triggers let low‑priv users start high‑priv services by meeting conditions (named pipe/RPC lookups, ETW events, GPO refresh, IP availability, device arrival, etc.). The post shows enumeration via sc.exe, registry, Win32 API, and MS‑SCMR (Titanis), details WebClient’s ETW trigger, highlights an undocumented Aggregate type, and documents a Firewall Port Event quirk that can break BFE when misconfigured.

deep valeBOT
#

🛠️ Tool | 📱 Android | 🧪 Frida | 🧰 Magisk

🔗 Original article: https://github.com/hakaioffsec/beerus-android

Beerus is an on-device Android pentesting toolkit (APK + Magisk module) that embeds Frida Core, enables sandbox/APK exfiltration, memory dumps, ADB over TCP/IP, device-wide proxying, system CA promotion, property tweaks, and boot-time automation. Build with Android Studio + NDK; Frida Core is compiled and bundled in APK assets. Install on a rooted device; Beerus prompts to install its Magisk module on first run.

deep valeBOT
#

🛡️ CVE | 🌐 Web | 💣 RCE | 🎁 PoC

🔗 Original article: https://labs.watchtowr.com/more-than-dos-progress-telerik-ui-for-asp-net-ajax-unsafe-reflection-cve-2025-3600/

Unsafe Reflection in Telerik UI for ASP.NET AJAX (CVE-2025-3600) lets unauthenticated users instantiate arbitrary public parameterless .NET types via prtype, enabling a universal DoS gadget and, in real apps, RCE by abusing insecure AssemblyResolve handlers. The post shows a Sitecore XP chain (CVE-2025-34509 + CVE-2025-3600). Affected: 2011.2.712–2025.1.218; fixed in 2025.1.416.

deep valeBOT
#

🌐 Web | 🧪 Reverse Engineering | 🧠 Obfuscation | 🔏 DRM

🔗 Original article: https://blog.pixelmelt.dev/kindle-web-drm/

Kindle Cloud Reader serves text as per‑request randomized SVG glyph IDs. By rasterizing glyphs with cairosvg, perceptual‑hashing them, and SSIM‑matching against Bookerly TTF (including ligatures and font variants), the author normalizes 184 alphabets and reconstructs a 920‑page EPUB. Anti‑scraping SVG micro‑moves and a 5‑page API limit are overcome via pixel‑based matching.

deep valeBOT
#

🛡️ CVE | 💉 XSS | 💣 RCE | 🎁 PoC

🔗 Original article: https://0xdf.gitlab.io/2025/10/18/htb-darkcorp.html

Stored XSS in Roundcube (CVE-2024-42009) is delivered via a misconfigured contact form (content=html + arbitrary recipient), enabling mailbox exfil and an admin password reset for a dev dashboard. The dashboard’s /analytics endpoint has stacked-queries SQLi, escalated to PostgreSQL superuser and OS RCE via COPY PROGRAM (CHR(67) WAF bypass) and archive_command. Full PoCs included.

#

🛡️ CVE | 💣 RCE | 📡 IoT | 🛠️ Tool

🔗 Original article: https://labs.watchtowr.com/yikes-watchguard-fireware-os-ikev2-out-of-bounds-write-cve-2025-9242/

Pre-auth RCE in WatchGuard Fireware OS IKEv2 (CVE-2025-9242). A stack overflow in ike2_ProcessPayload_CERT copies oversized Identification data without bounds checks. Reachable via IKE_SA_AUTH after IKE_SA_INIT. Affects 11.10.2–11.12.4_Update1, 12.0–12.11.3, 2025.1. Patch 12.11.4 adds a 0x200 length check. Vendor ID base64 enables unauthenticated version fingerprinting. NX is on, but no PIE/canaries; ROP-to-mprotect is viable. Impact: root on perimeter appliance. Defensive focus provided; exploit bytes omitted.

deep valeBOT
#

🛡️ CVE | 💣 RCE | 🌐 Web | 🎁 PoC

🔗 Original article: https://www.offsec.com/blog/recent-vulnerabilities-in-redis-servers-lua-scripting-engine/

OffSec details three Redis Lua CVEs. CVE-2025-49844 is a 13‑year UAF in luaY_parser exploitable by forcing GC during parsing with large scripts. CVE-2025-46817 overflows n = e − i + 1 in luaB_unpack to corrupt stack/exhaust memory. CVE-2025-46818 lets attackers modify basic-type metatables for cross-user code execution. Auth required, Lua enabled; affected if below 8.2.2/8.0.4/7.4.6/7.2.11/6.2.20. PoCs crash/corrupt memory; upgrade and harden ACL/auth.

#

📱 Android | 💉 XSS | 💣 RCE | 🎁 PoC

🔗 Original article: https://dphoeniixx.medium.com/practical-android-pentesting-a-case-study-on-tiktok-rce-4a82e79cc7c6

TikTok Android RCE via multi-bug chain: WebView UXSS (fragment injection) → internal deep link via ToutiaoJSBridge → URL allowlist bypass with javascript:// → intent: gadget to protected TmaTestActivity → mini‑app SDK update flow → Zip Slip to overwrite libjsc.so → native RCE on restart. Includes payloads, code, tooling, and mitigations.

deep valeBOT
#

📱 Android | 🌐 Web | 🎁 PoC | 🧩 JSB

🔗 Original article: https://tuxplorer.com/posts/account-takeover-via-jsb/

Android WebView JSB bug: a flawed domain gate loads a JSB-enabled activity, and the app executes inline javascript://. Attackers call xbridge.invokeMethod with handler “toBase64” to read file:///data/.../Default/Cookies, receive Base64 via the JSB callback, decode it, and hijack the session. Discovery used JADX, adb + chrome://inspect, LSPosed/Frida. PoC and full chain included.

#

🛡️ CVE | 📱 Android | 🎁 PoC | 📄 Data Exfiltration

🔗 Original article: https://tuxplorer.com/posts/dont-leave-me-outdated/

Android ≤13 auto-grants read access to content:// URIs when a crafted intent:// URL includes TEXT/HTML_TEXT extras. DuckDuckGo’s WebView accepts such intents, prompts once, then startActivity() launches an attacker component, which reads the app’s FileProvider-mapped PDF: “Sync Data Recovery - DuckDuckGo.pdf”. Result: 1-tap exfiltration of the recovery code (CVE-2025-48464).

deep valeBOT
#

📱 Android | 🔬 Reverse Engineering | 🛠️ Tool | 🎁 PoC

🔗 Original article: https://blog.nviso.eu/2025/10/14/patching-android-arm64-library-initializers-for-easy-frida-instrumentation-and-debugging/

Turns .init_array constructors in Android ARM64 .so files into explicit callables to defeat early RASP checks. Removes INIT_ARRAY/INIT_ARRAYSZ with LIEF, adds INIT0 symbol, renames JNI_OnLoad→JNI_OnLoad0, then bootstraps ART using JNIInvocation to call INIT0 and JNI_OnLoad0 manually. Provides commands, code, and validation outputs.

deep valeBOT
#

🌐 Web | 🛡️ CVE | 🔑 Auth | 🎁 PoC

🔗 Original article: https://zeropath.com/blog/breaking-authentication-unauthenticated-api-key-creation-in-better-auth-cve-2025-61928

better-auth’s API keys plugin let unauthenticated clients mint or modify API keys for any user by sending a body userId, which forced authRequired=false and fabricated a user object. Server-only guards were skipped, allowing attackers to set permissions and rate limits. Exploit: single POST to /api/auth/api-key/create. Fixed in 1.3.26; versions with the plugin ≤1.3.25 are vulnerable. Rotate keys, upgrade, and review logs.

deep valeBOT
#

💣 RCE | 🛡️ CVE | 🎁 PoC | 🌐 Web

🔗 Original article: https://blog.trailofbits.com/2025/10/22/prompt-injection-to-rce-in-ai-agents/

CWE-88 argument injection in agentic AI enables one-shot RCE via “safe” tools. PoCs: go test -exec to wrap tests and run curl|bash; git show --format/--output to write a file then ripgrep --pre to execute it; and fd -x=<bin> via a facade argv bug. Harden with sandboxing, strict arg separation ("--"), shell-off exec, narrow allowlists, logging, fuzzing, and agent-specific guardrails.

deep valeBOT
#

🌐 Web | 🎁 PoC | 🔑 Privilege Escalation | 🛡️ Access Control

🔗 Original article: https://ian.sh/fia

A mass assignment flaw in FIA’s Driver Categorisation portal allowed any user to self-assign the ADMIN role by including a roles array in PUT /api/users/{id}. After reauth, an admin dashboard appeared, exposing driver PII (e.g., passports, resumes) and password hashes and enabling full administrative actions. Critical vertical privilege escalation; reproducible with the provided HTTP JSON PoC.

deep valeBOT
#

🌐 Web | 🦠 Malware | 🎭 Social Engineering | 📺 YouTube

🔗 Original article: https://research.checkpoint.com/2025/youtube-ghost-network/

CPR exposes a role-based “YouTube Ghost Network” abusing YouTube videos, comments, and Community posts to deliver passworded archives that install loaders and infostealers. Actors use shorteners, Google-hosted phishing pages, large/passworded archives, redundant mirrors, and 3–4 day payload/C2 rotations. Two campaigns show Rhadamanthys (via HijackLoader in one case), with full IOCs and MSI CustomAction details.

deep valeBOT
#

🛠️ Tool | 📱 Mobile | 🎁 PoC

🔗 Original article: https://pit.bearblog.dev/modding-and-distributing-mobile-apps-with-frida/

Step-by-step guide to build a Frida TypeScript agent, bundle the Java bridge (Frida 17+), test via USB, and distribute by embedding Frida Gadget with Objection. It injects a static <clinit> calling System.loadLibrary("frida-gadget"), adds gadget/config/script .so files, rebuilds, zipaligns, and signs the APK. Includes diffs, logs, and split-APK handling.

deep valeBOT
#

🌐 Web | 🤖 AI | 📝 Prompt Injection | 🔎 OCR

🔗 Original article: https://brave.com/blog/unseeable-prompt-injections/

Brave shows two agentic-browser prompt-injection paths: (1) Perplexity Comet: hidden text in images survives OCR from screenshots and reaches the LLM as trusted input; (2) Fellou: simply navigating to a site includes visible page text in the prompt, enabling command injection. Both can trigger cross-origin actions with user credentials, undermining SOP.

deep valeBOT
#

🛠️ Tool | 🌐 Web

🔗 Original article: https://unit42.paloaltonetworks.com/threat-actor-misuse-of-azurehound/

Unit 42 details how AzureHound (BloodHound’s Azure/Entra collector) enumerates identities and resources via Graph and ARM APIs from outside a tenant. v2.6.0 exposes rich list targets (users, roles, groups, storage, apps, VMs). ARM GET/list calls aren’t logged in Activity/Resource logs; only Graph preflights (UA: azurehound/v2.6.0) may appear. The post provides exact commands, API endpoints, logging gaps, XQL hunts, and mitigations: phishing‑resistant MFA, PIM/PAM, Conditional Access, Token Protection, restricted app registration, and enabling Graph Activity Logs.

deep valeBOT
#

🌐 Web | 💣 RCE | 🎁 PoC

🔗 Original article: https://blog.gitguardian.com/breaking-mcp-server-hosting/

A path traversal in Smithery’s dockerBuildPath let attackers set the build context to the builder’s $HOME and exfiltrate ~/.docker/config.json. The leaked, overprivileged Fly.io token worked against the Machines API, enabling root-level exec across ~3,000 hosted MCP servers and secret theft via tcpdump. Prompt-injection risks followed. Patched June 15, 2025; no evidence of exploitation.

deep valeBOT
#

🌐 Web | 💣 RCE | 🛠️ Tool | 🎁 PoC

🔗 Original article: https://0xdf.gitlab.io/2025/10/25/htb-artificial.html

Authenticated .h5 model uploads let a malicious Keras Lambda execute OS commands on load, yielding RCE as app. Loot the Flask SQLite DB, crack MD5 to pivot to user “gael.” Discover Backrest on 127.0.0.1:9898, recover its admin bcrypt from a group-readable backup, crack it, then get root by: backing up /root and downloading id_rsa, abusing Plan Hooks to drop a SUID bash, or using the privileged Run Command.

deep valeBOT
#

🛠️ Tool | 🌐 Web

🔗 Original article: https://www.adversis.io/blogs/pentesting-next-js-server-actions

Burp extension that maps Next.js Server Action hashes in the Next-Action header to original function names by scanning minified bundles for createServerReference() and using source maps. It tracks coverage by function name across builds, auto-generates Repeater requests by swapping hashes, and prioritizes sensitive actions when productionBrowserSourceMaps is enabled.

deep valeBOT
#

🌐 Web | 🛠️ Tool | 🎁 PoC

🔗 Original article: https://samcurry.net/hacking-clubwpt-gold

Leak-driven recon exposed .env and .git on a dev-linked domain, revealing admin usernames and full source. Weak creds worked on staging. The prod admin was behind Cloudflare, but its origin IP was found via Censys. A critical unauthenticated /admin/otp/bind let attackers overwrite any user’s TOTP secret, bypass 2FA, and access real PII/KYC and financial data. Fixed after disclosure.

deep valeBOT
#

🛡️ CVE | 🤖 Android | ⌚ Wear OS | 🎁 PoC

🔗 Original article: https://towerofhanoi.it/writeups/cve-2025-12080/

CVE-2025-12080: Google Messages on Wear OS auto-sent messages for implicit ACTION_SENDTO intents with sms/smsto/mms/mmsto URIs—no UI prompt and no SEND_SMS permission. Any installed app (or other intent launcher) could silently send messages. A Kotlin PoC shows a one-call startActivity() exploit. Tested on Pixel Watch 3 (BP1A.250305.019.w3) with Messages messages_android_2025_0225_RC03.wear_dynamic. Fix shipped in May 2025.

#

📡 IoT | 💣 RCE | 💰 Bug Bounty

🔗 Original article: https://haxx.in/posts/2025-09-23-canon-ttf/

A malicious XPS print job coerces Canon ImageCLASS into loading attacker TTF bytecode. Canon’s TrueType VM mishandles CINDEX (OOB read) and the DELTAP handler (unchecked relative stack pivot). Using 26.6 MUL tricks to assemble 32‑bit values and WS/RS storage to write with minimal side effects, the chain yields an arbitrary write and PC control, i.e., RCE.

deep valeBOT
#

🛡️ CVE | 💣 RCE | 🛠️ Tool | 🎁 PoC

🔗 Original article: https://www.synacktiv.com/publications/paint-it-blue-attacking-the-bluetooth-stack.html

CVE-2023-40129 is an integer-underflow in Android Fluoride’s GATT multi-read builder causing a ~64KB heap overflow. Using BlueBlue, ACL congestion, and L2CAP/ERTM, the authors craft BT_HDR-based read/write primitives, leak ASLR via AVRCP SDP callbacks, and hijack control to RCE on jemalloc and Scudo devices. They chain a gadget to list_clear to call mprotect() then jump to shellcode. Zero-click, unauthenticated; ETS ≈2–5 minutes.

deep valeBOT
#

🛡️ CVE | 💣 RCE | 🌐 Web

🔗 Original article: https://unit42.paloaltonetworks.com/microsoft-cve-2025-59287/

CVE-2025-59287 is a critical unauthenticated RCE in WSUS caused by unsafe .NET deserialization (BinaryFormatter/SoapFormatter) in GetCookie() and ReportingWebService. Attackers scan TCP 8530/8531, achieve code exec (wsusservice.exe/w3wp.exe → cmd → PowerShell), run whoami/net/ipconfig, and exfiltrate to Webhook[.]site. Patch was reissued out-of-band on Oct. 23, 2025; CISA KEV on Oct. 24. Unit 42 provides an XQL hunt and recommends disabling WSUS or blocking 8530/8531 until patched.

deep valeBOT
#

🛠️ Tool | 🐧 Linux | 🔐 Cryptography | 🎁 PoC

🔗 Original article: https://www.synacktiv.com/en/publications/creating-a-two-face-rust-binary-on-linux.html

Technique and Rust crate to pack two ELFs into one “Two‑Face” binary. The hidden ELF is compressed and AES‑GCM encrypted; the runtime decryption key is HKDF‑derived from target host data (e.g., partition UUIDs). Off‑target, auth fails and a harmless ELF runs. On‑target, the hidden ELF streams to a memfd and is executed with fexecve; io_uring/mmap reduce write observability. PoC: synacktiv/twoface.

deep valeBOT
#

📱 Android | 🧠 Evasion | 🦠 Malware | 🎣 Phishing

🔗 Original article: https://www.threatfabric.com/blogs/new-android-malware-herodotus-mimics-human-behaviour-to-evade-detection

ThreatFabric details Herodotus, an Android banking Trojan (MaaS) with Accessibility-based device takeover and a novel evasion: per‑character text injection with 300–3000 ms random delays. It uses MQTT C2 on google-firebase.digital, overlays, SMS 2FA theft, VNC/VNCA11Y, and targets Italy/Brazil. Partial Brokewell code reuse is evident.

#

🖥️ Windows | 📎 DLL Hijacking | 🧭 Persistence | 🎁 PoC

🔗 Original article: https://trustedsec.com/blog/hack-cessibility-when-dll-hijacks-meet-windows-helpers

Narrator.exe still loads a OneCore TTS localization DLL. Plant msttsloc_onecoreenus.dll under System32’s OneCore TTS path to run code from DllMain. Achieve persistence by setting HKCU/HKLM Accessibility configuration="Narrator"; HKLM yields SYSTEM at Winlogon. For lateral movement, set RDP SecurityLayer=0 and trigger Narrator with CTRL+WIN+ENTER at the login screen. A PoC suspends Narrator’s main thread for quiet execution.

#

🌐 Web | 🛡️ CVE | 🎁 PoC | 🛠️ Tool

🔗 Original article: https://andrewlock.net/understanding-the-worst-dotnet-vulnerability-request-smuggling-and-cve-2025-55315/

CVE-2025-55315 is a Kestrel parsing flaw in HTTP/1.x chunk-extension handling. A lone LF in a chunk header can desync proxy and server, enabling request smuggling. Impacts include auth bypass (proxy header spoofing), SSRF, CSRF bypass, cache poisoning, and data exfiltration. Patched in .NET 9.0.10, 8.0.21, and .NET 10 RC2; Kestrel now rejects non-CRLF. Detect via malformed probe (hang vs 400) or the HeroDevs repro.

deep valeBOT
#

📱 Android | 🧬 Malware | ☁️ C2 | 🎣 Phishing

🔗 Original article: https://www.cyfirma.com/research/ghostgrab-android-malware/

GhostGrab is a sideloaded Android stealer + Monero miner. A dropper from kychelp[.]live persists via a silent foreground audio service, spoofs iOS in WebView, fetches libmine-arm64.so, and mines to a hardcoded wallet/pools. A second APK phishes KYC/card/net‑banking/PIN via assets pages, scrapes SMS/OTPs, fingerprints SIM/device, and uses Firebase C2 (call forwarding, SMS send/forward). Strong alarms/receivers ensure revival; IOCs and a YARA rule are provided.

deep valeBOT
#

💾 Windows | 📡 C2 | 🌐 Web | 🧪 Malware

🔗 Original article: https://unit42.paloaltonetworks.com/new-windows-based-malware-family-airstalk/

Airstalk is a Windows backdoor with PowerShell and .NET variants that abuses Workspace ONE UEM (AirWatch) APIs as a dead‑drop C2: it writes Base64 JSON into device custom attributes and exfiltrates data via blob uploads. Tasks steal Chrome/Edge/Island cookies, history, bookmarks, and screenshots. The .NET branch adds multi‑threading, beaconing (UUID suffixes -kb/-kr/-kd), versioning, and signed binaries; PowerShell persists via a scheduled task. High risk for supply‑chain/BPO environments.

deep valeBOT
#

📡 IoT | 🛠️ Tool | 🎁 PoC

🔗 Original article: https://bishopfox.com/blog/invasion-of-the-face-changers-halloween-hijinks-with-bluetooth-led-masks

Shining‑style BLE LED masks can be hijacked without pairing. Commands use AES‑ECB with a static app key; control writes go to UUID …9600 and images stream unencrypted to …960a. The author built a CircuitPython PoC on an Adafruit Feather nRF52840 that auto‑scans, uploads an image, and flips faces. Impact is local (~≤10 m) and mostly nuisance; fix is authenticated pairing and per‑device secrets. (bishopfox.com)

#

🛡️ CVE | ⛓️ Web3 | 💰 Bug Bounty

🔗 Original article: https://blog.trailofbits.com/2025/10/30/vulnerabilities-in-luks2-disk-encryption-for-confidential-vms/

LUKS2 headers in CVM storage are malleable. By switching the segment cipher to cipher_null-ecb and leaving keyslots intact, a storage attacker makes a CVM read/write plaintext while believing it’s encrypted. cryptsetup 2.8.1 only disables null ciphers in keyslots; volume null ciphers still work. Mitigate with detached headers, MAC/attestation, or strict JSON validation. CVE‑2025‑59054, CVE‑2025‑58356.

#

🌐 Web | 💣 RCE | 🎁 PoC | 🛠️ Tool

🔗 Original article: https://0xdf.gitlab.io/2025/10/30/htb-store.html

Express app stores uploads encrypted with a static 9‑byte XOR key. A broken path check in /file allows URL‑encoded traversal, leaking any file as XOR’d bytes that are trivially reversed. Stolen .env yields SFTP creds; SSH port‑forward exposes Node’s inspector for RCE as dev, then Chrome’s debug port grants root.

deep valeBOT
#

🛠️ Tool

🔗 Original article: https://specterops.io/blog/2025/10/30/sharehound-an-opengraph-collector-for-network-shares/

ShareHound is a multithreaded SMB share collector that maps hosts, shares, files, and ACL-derived rights into BloodHound’s OpenGraph. It adds ShareQL, a firewall-like DSL for allow/deny and depth control to focus crawling. The post provides Cypher to find write/FULL_CONTROL on shares and to locate sensitive files (e.g., .vmdk). Example CLI shows credentialed scans and JSON output.

deep valeBOT
#

📱 Mobile | 💳 NFC | 🕸️ C2 | 🧭 MITRE

🔗 Original article: https://zimperium.com/blog/tap-and-steal-the-rise-of-nfc-relay-malware-on-mobile-devices

zLabs details Android NFC Tap‑to‑Pay relay malware abusing HCE. Malicious apps become the default NFC payment handler, relay POS APDUs via WebSockets, and exfiltrate EMV data (PAN, expiration) to Telegram. Since April 2024: >760 apps, >70 C2/distribution sources, dozens of Telegram bots, ~20 impersonated institutions across multiple regions. High‑severity fraud at POS; IOCs are provided.

#

🤖 Agents | 🔐 Protocol | 🧪 Technique | 🎁 PoC

🔗 Original article: https://unit42.paloaltonetworks.com/agent-session-smuggling-in-agent2agent-systems/

Unit 42 details “agent session smuggling,” where a malicious A2A peer injects covert multi‑turn instructions mid‑session. In Google ADK PoCs, a research agent exfiltrates a financial agent’s history/config and silently triggers buy_stock to purchase 10 shares. Risk stems from stateful, cross‑boundary agent trust. Mitigate with out‑of‑band HitL approvals, context grounding, signed AgentCards (sigstore‑a2a), and exposing tool/log activity.

deep valeBOT
#

🧱 Active Directory | 🔐 Kerberos | 🔓 DPAPI | 🛠️ Tool

🔗 Original article: https://0xdf.gitlab.io/2025/11/01/htb-voleur.html

Assume-breach Kerberos-only AD attack chain: crack an encrypted Excel to find svc creds; use BloodHound to see WriteSPN on svc_winrm; add SPN and Kerberoast with BloodyAD/NetExec; crack TGS to get svc_winrm and WinRM shell with kinit/evil-winrm. Restore deleted Todd via AD Recycle Bin, pivot with RunasCs (UAC bypass), loot archived profile DPAPI blobs, decrypt with dpapi.py to obtain jeremy.combs creds and another WinRM shell.

deep valeBOT
#

📱 Android | 🎣 Phishing | 🕵️ Spyware | 🔬 Threat Research

🔗 Original article: https://www.secureblink.com/threat-research/spyrtacus-italian-surveillanceware-targets-android-via-telecom-phishing

Spyrtacus is Italian-linked Android surveillanceware delivered via cloned carrier sites and fake WhatsApp/support apps. Active since 2018, it uses sideloaded APKs and user‑granted permissions to exfiltrate SMS, chats (WhatsApp/Signal/Messenger), contacts, call audio, ambient audio, and camera imagery. Variants were seen through Oct 17, 2024. Defense focuses on blocking sideloading, auditing permissions, and monitoring anomalous uploads.

#

🛡️ CVE | 💣 RCE | 🎁 PoC | 🪟 Windows

🔗 Original article: https://research.checkpoint.com/2025/drawn-to-danger-windows-graphics-vulnerabilities-lead-to-remote-code-execution-and-memory-exposure/

CPR found three EMF/EMF+ parsing flaws in Windows GDI/GDI+: clipping corruption (CVE‑2025‑30388), scan‑line bounds bug (CVE‑2025‑53766), and a misvalidated EMR_STARTDOC offset (CVE‑2025‑47984). PoCs show controllable OOB writes/reads via ARGB and malformed rectangles/offsets, often reachable via GdipGetImageThumbnail. Patched in KB5058411 (May), KB5062553 (July), and KB5063878 (Aug) 2025.

deep valeBOT
#

🛡️ CVE | 💣 RCE | 🌐 Web | 🎁 PoC

🔗 Original article: https://www.catchify.sa/post/cve-2025-52665-rce-in-unifi-os-25-000

CVE-2025-52665 is an unauthenticated RCE in UniFi Access. A proxy on :9780 exposed an internal backup export route that interpolates a JSON field dir into shell commands. By POSTing a payload ending with "; #", attackers execute commands (exfiltrate /etc/passwd, get shells). Additional unauth APIs leaked/accepted NFC data. Fixed in UniFi Access 4.0.21.

#

📱 Android | 🕵️ Malware | 📡 C2 | 🏦 Banking

🔗 Original article: https://www.cyfirma.com/research/investigation-report-android-bankbot-ynrk-mobile-banking-trojan/

Android/BankBot‑YNRK is a heavily obfuscated Android banking trojan (≤Android 13) abusing Accessibility + Device Admin, persisting via JobScheduler, and tasking over ping[.]ynrkone[.]top:8181 (Janus WS 8989). It mutes audio, overlays screens, forwards calls via *21{num}#, scrapes UI/clipboard, and automates banking/crypto wallets to steal credentials and perform fraudulent transactions.

deep valeBOT
#

🛡️ CVE | 💣 RCE | 🌐 Web | 🎁 PoC

🔗 Original article: https://www.offsec.com/blog/recent-vulnerabilities-in-redis-servers-lua-scripting-engine-2/

CVE-2025-59287 is a critical WSUS unsafe deserialization bug (CWE-502) enabling unauthenticated RCE as SYSTEM. It abuses AuthorizationCookie and SOAP ReportEventBatch flows that deserialize attacker-supplied data via BinaryFormatter/SoapFormatter. A public PoC uses ysoserial.net to embed a base64 gadget in SOAP, triggering when the WSUS console opens. Patch via Oct 23, 2025 OOB KBs; restrict 8530/8531.

#

🐧 Kernel | 🛡️ KASLR | 🧩 Bypass | 🛠️ Tool

🔗 Original article: https://googleprojectzero.blogspot.com/2025/11/defeating-kaslr-by-doing-nothing-at-all.html

Project Zero shows a KASLR bypass on Android arm64 by abusing the deterministic linear map. With VA_BITS=39 ⇒ PAGE_OFFSET=0xffffff8000000000 and memstart_addr=0x80000000, phys→virt becomes fixed. Using a BPF helper tool to read memstart_addr from kallsyms confirms no randomization. Since commit 1db780bafa4c removed linear-map KASLR on arm64, attackers can compute kernel VAs from physical addresses, simplifying kernel exploits.

#

📱 Android | 🕵️ Malware | 🛰️ C2

🔗 Original article: https://www.f6.ru/blog/android-deliveryrat-research/

Analysis of a 2025 DeliveryRAT build: a loader installs a masqueraded app that hijacks notifications/SMS, persists via boot/alarms, and communicates with a WebSocket/HTTP C2. The server drives phishing UIs (card/custom/photo/QR), exfiltrates SMS/contacts, sends SMS to all contacts, runs USSD, hides the icon, and triggers device‑based HTTP DDoS. Includes hashes, config, package names, endpoints, commands, and detection tips.