If you are running JFrog Artifactory I highly recommend you to update. I recently reported a severe vulnerability (CVE-2024-4142) which is fixed now. For details see jfrog.com/help/r/jfrog-r…

In a new guest blog, #Pwn2Own winner Manfred Paul details CVE-2024-2887 - a bug he used to exploit both #Chrome and #Edge during the contest on his way to winning Master of Pwn. He breaks down the root cause and shows how he exploited it. Read the details at zerodayinitiative.com/blog/2024/5/2/…

I can't wait for my 1st offensivecon.

I'll be hanging around even before the conf. I hope to meet you there and discuss research 🤟

#OffensiveCon24 Agenda offensivecon.org/agenda/

[ZDI-24-370|CVE-2024-22061] Ivanti Avalanche WLInfoRailService Heap-based Buffer Overflow Remote Code Execution Vulnerability (CVSS 8.1; Credit: Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative) zerodayinitiative.com/advisories/ZDI…

[ZDI-24-386|CVE-2024-24996] Ivanti Avalanche WLInfoRailService Heap-based Buffer Overflow Remote Code Execution Vulnerability (CVSS 9.8; Credit: Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative) zerodayinitiative.com/advisories/ZDI…

SourceForge: Vulnerability in import feature leads to RCE! 🔥

Cybercriminals could have compromised SourceForge entirely, targeting millions of users worldwide through malicious software downloads. Read more in our latest blog post:

sonarsource.com/blog/dangerous…

#appsec #security

It's the largest #PatchTuesday in Microsoft's history, and Adobe has some patches as well. Join The Dustin Childs as he tries to make sense of this historic release. zerodayinitiative.com/blog/2024/4/9/…

I'll finally share details about my Exchange PowerShell deserialization research. I'm happy to do this during offensivecon!

[ZDI-24-347|CVE-2024-23478] SolarWinds Access Rights Manager JsonSerializationBinder Deserialization of Untrusted Data Remote Code Execution Vulnerability (CVSS 9.9; Credit: Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative) zerodayinitiative.com/advisories/ZDI…

The xz package, starting from version 5.6.0 to 5.6.1, was found to contain a backdoor. The impact of this vulnerability affected Kali between March 26th to March 29th. If you updated your Kali installation on or after March 26th, it is crucial to apply the latest updates today.

Please contact me if you would like a 15% discount on Full Stack Web Attack - Java & C# edition at ROMHack. Discounts are limited to the first 5 only!

Here are a few important dates about #HEXACON2024 so that you don't miss the boat ⛴️

So MSRC first say that they cannot reproduce ,now say that no security boundary is crossed. Tested this on few different machines and it was successful on all of them.
This is bug in GamingServices , non default service so impact is not high.
github.com/Wh04m1001/Gami…

My CRLF injection vulnerability in .NET FTP client has been described by our VRS team. Simple, yet fun vulnerability, which can sometimes lead to a nice impact.

Meet me in Seoul on TyphoonCon🌪️. This talk will be (as always) full of demos! #macosredteam

The specter of .NET Remoting haunts unsuspecting ASP. NET applications even today, whispering valid ObjRefs to those who dare listen. Dive into our latest post to see how these apparitions can lead to remote code execution: code-white.com/blog/leaking-o…

We can relay back to the same machine using Kerberos relay instead of NTLM relay. I discovered this attack vector more than a year ago. I will describe it in detail in upcoming Black Hat Asia 2024 blackhat.com/asia-24/briefi… and introduce more interesting attacks.

[ZDI-24-184|CVE-2023-50232] Inductive Automation Ignition getParams Argument Injection Remote Code Execution Vulnerability (CVSS 8.8; Credit: Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative) zerodayinitiative.com/advisories/ZDI…

[ZDI-24-185|CVE-2023-50233] Inductive Automation Ignition getJavaExecutable Directory Traversal Remote Code Execution Vulnerability (CVSS 8.8; Credit: Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative) zerodayinitiative.com/advisories/ZDI…