An Evening with Claude (Code)
#xpn
A deep dive into discovering CVE-2025-64755, a vulnerability in Claude Code v2.0.25. This post walks through the process of reversing the obfuscated Claude Code JavaScript, and exploiting weak regex expressions to achieve code execution unprompted.
via XPN InfoSec Blog
#xpn
A deep dive into discovering CVE-2025-64755, a vulnerability in Claude Code v2.0.25. This post walks through the process of reversing the obfuscated Claude Code JavaScript, and exploiting weak regex expressions to achieve code execution unprompted.
via XPN InfoSec Blog
Cracking the Crystal Palace
#rastamouse
If you follow this blog, you'll know I've been posting about Crystal Palace a LOT recently, mostly from an attack perspective. Today, I thought I'd channel my blue-teamer alter ego and look at Crystal Palace from a defence perspective. That is, are there any
via Rasta Mouse Blog
#rastamouse
If you follow this blog, you'll know I've been posting about Crystal Palace a LOT recently, mostly from an attack perspective. Today, I thought I'd channel my blue-teamer alter ego and look at Crystal Palace from a defence perspective. That is, are there any
via Rasta Mouse Blog
Less Praying More Relaying – Enumerating EPA Enforcement for MSSQL and HTTPS
#specterops
Identifying EPA enforcement for more popular rel
via SpecterOps Blog (author: Nick Powers)
#specterops
Identifying EPA enforcement for more popular rel
via SpecterOps Blog (author: Nick Powers)
PortSwigger x TryHackMe: Supporting Advent of Cyber
#portswigger
Every December, TryHackMe’s Advent of Cyber brings the security community together around a simple idea: learn something new by getting hands-on. Each day during the festive season reveals a beginner-
via PortSwigger Blog
#portswigger
Every December, TryHackMe’s Advent of Cyber brings the security community together around a simple idea: learn something new by getting hands-on. Each day during the festive season reveals a beginner-
via PortSwigger Blog
Release Out: Finally, Some REST
#cobaltstrike
The REST API was a major feature of the 4.12 release and forms part of a broader ongoing change in the Cobalt Strike ecosystem. Therefore, we wanted to dedicate a blog post to explain the rationale behind it, discuss the architecture, and provide hands-on examples to get our customers up and running. In addition to [...]
via Cobalt Strike Blog (author: Pieter Ceelen)
#cobaltstrike
The REST API was a major feature of the 4.12 release and forms part of a broader ongoing change in the Cobalt Strike ecosystem. Therefore, we wanted to dedicate a blog post to explain the rationale behind it, discuss the architecture, and provide hands-on examples to get our customers up and running. In addition to [...]
via Cobalt Strike Blog (author: Pieter Ceelen)
PIC Symphony
#rastamouse
Raffi just released another update to Crystal Palace, which serves to improve the way specification files are handled by making them more modular.
Tradecraft Orchestration in the Garden
What’s more relaxing than a beautiful fall day, a crisp breeze, a glass of Sangria, and music from the local
via Rasta Mouse Blog
#rastamouse
Raffi just released another update to Crystal Palace, which serves to improve the way specification files are handled by making them more modular.
Tradecraft Orchestration in the Garden
What’s more relaxing than a beautiful fall day, a crisp breeze, a glass of Sangria, and music from the local
via Rasta Mouse Blog
What Will Shape Cybersecurity in 2026: AI Speed, Expanding Attack Surfaces, and Specialized Red Teams
#bishopfox
2026 will hit cybersecurity like a fast-forward button: AI moves quicker than governance, attack surfaces sprawl into the physical world, and red teams get hyper-specialized. Here’s what’s coming—and how to stay ahead before “optional” becomes “too late.”
via BishopFox Blog
#bishopfox
2026 will hit cybersecurity like a fast-forward button: AI moves quicker than governance, attack surfaces sprawl into the physical world, and red teams get hyper-specialized. Here’s what’s coming—and how to stay ahead before “optional” becomes “too late.”
via BishopFox Blog
What is a TrustedSec Program Maturity Assessment (PMA)?
#trustedsec
The TrustedSec PMA is a tactical approach to evaluating the components, efficiency, and overall maturity of an organization’s Information Security program.Unlike a traditional compliance audit, the PMA is designed as a…
via TrustedSec Blog (author: Jonathan White)
#trustedsec
The TrustedSec PMA is a tactical approach to evaluating the components, efficiency, and overall maturity of an organization’s Information Security program.Unlike a traditional compliance audit, the PMA is designed as a…
via TrustedSec Blog (author: Jonathan White)
Arista NextGen Firewall XSS to RCE Chain
#bishopfox
Arista flagged three NG Firewall bugs as “limited.” Our researchers proved otherwise: real-world remote code execution is possible, and current patches don’t fully fix the root issues. Here’s what’s vulnerable, what we validated, and the steps to cut exposure now.
via BishopFox Blog
#bishopfox
Arista flagged three NG Firewall bugs as “limited.” Our researchers proved otherwise: real-world remote code execution is possible, and current patches don’t fully fix the root issues. Here’s what’s vulnerable, what we validated, and the steps to cut exposure now.
via BishopFox Blog
How to detect React2Shell with Burp Suite
#portswigger
Detecting React2Shell with Burp Suite React2Shell vulnerabilities in Next.js applications are now scannable across Burp Suite, making it fast to validate your exposure and begin automated coverage usi
via PortSwigger Blog
#portswigger
Detecting React2Shell with Burp Suite React2Shell vulnerabilities in Next.js applications are now scannable across Burp Suite, making it fast to validate your exposure and begin automated coverage usi
via PortSwigger Blog
Ghostwriter v6.1 — Playing Fetch with BloodHound
#specterops
Ghostwriter v6.1 introduces a full-featured BloodHound integration that lets you import BloodHound data and findings directly within your projects, alongside new collaborative project notes, upgraded caption editor objects, and a collection of usability, SSO/MFA, and template improvements. This release streamlines workflows, enhances team collaboration, and tightens the connection between assessment tooling and reporting.
via SpecterOps Blog (author: Christopher Maddalena)
#specterops
Ghostwriter v6.1 introduces a full-featured BloodHound integration that lets you import BloodHound data and findings directly within your projects, alongside new collaborative project notes, upgraded caption editor objects, and a collection of usability, SSO/MFA, and template improvements. This release streamlines workflows, enhances team collaboration, and tightens the connection between assessment tooling and reporting.
via SpecterOps Blog (author: Christopher Maddalena)
A Remote Pre-Authentication Overflow in LLDB's debugserver
#objectivesee
In this guest blog post, Nathaniel Oh, details a recent bug he discovered and reported to Apple: a remote pre-authentication buffer overflow in LLDB’s debugserver, now patched as CVE-2025-43504.
via Objective-See Blog
#objectivesee
In this guest blog post, Nathaniel Oh, details a recent bug he discovered and reported to Apple: a remote pre-authentication buffer overflow in LLDB’s debugserver, now patched as CVE-2025-43504.
via Objective-See Blog
The Fragile Lock: Novel Bypasses For SAML Authentication
#portswigger
TLDR This post shows how to achieve a full authentication bypass in the Ruby and PHP SAML ecosystem by exploiting several parser-level inconsistencies: including attribute pollution, namespace confusi
via PortSwigger Research
#portswigger
TLDR This post shows how to achieve a full authentication bypass in the Ruby and PHP SAML ecosystem by exploiting several parser-level inconsistencies: including attribute pollution, namespace confusi
via PortSwigger Research
Holy Shuck! Weaponizing NTLM Hashes as a Wordlist
#trustedsec
<p>Password reuse is common in Active Directory (AD). From an attacker’s perspective, it is a reliable path to lateral movement or privilege escalation. Most IT teams recognize the risk, but longer passwords and password…</p>
via TrustedSec Blog (author: Austin Coontz)
#trustedsec
<p>Password reuse is common in Active Directory (AD). From an attacker’s perspective, it is a reliable path to lateral movement or privilege escalation. Most IT teams recognize the risk, but longer passwords and password…</p>
via TrustedSec Blog (author: Austin Coontz)
Git SCOMmit – Putting the Ops in OpsMgr
#specterops
TL;DR Yet another System Center Ludus configuration for your collection. https://github.com/Synzack/ludus_scom Intro As you may know, here at SpecterOps we have been big on SCCM. See https://specterops.io/blog/category/research/?s=sccm. But SCCM is only a part of the larger Microsoft System Center product suite. Among the suite’s other offerings is System Center Operations Manager, more commonly recognized by […]
via SpecterOps Blog (author: Zach Stein)
#specterops
TL;DR Yet another System Center Ludus configuration for your collection. https://github.com/Synzack/ludus_scom Intro As you may know, here at SpecterOps we have been big on SCCM. See https://specterops.io/blog/category/research/?s=sccm. But SCCM is only a part of the larger Microsoft System Center product suite. Among the suite’s other offerings is System Center Operations Manager, more commonly recognized by […]
via SpecterOps Blog (author: Zach Stein)
Linux Process Injection via Seccomp Notifier
#outflank
This post demonstrates the use of seccomp user notifications to inject a shared library into a Linux process. I haven’t seen this combination documented as a process injection technique before, and it has some benefits over alternatives. In summary, seccomp user notifications enable user-space injection from parent to child without any
1. Seccomp user notifications were introduced in Linux kernel version 5.0, but this PoC relies on
2. Requires you to create the target process (parent-to-child injection only).
3. The injected code runs with the same UID, namespaces, and LSM label as the target process.
via Outflank Blog (author: Kyle Avery)
#outflank
This post demonstrates the use of seccomp user notifications to inject a shared library into a Linux process. I haven’t seen this combination documented as a process injection technique before, and it has some benefits over alternatives. In summary, seccomp user notifications enable user-space injection from parent to child without any
LD_* environment variables or privileged capabilities, regardless of the ptrace_scope configuration. However, seccomp user notifications have some notable limitations:1. Seccomp user notifications were introduced in Linux kernel version 5.0, but this PoC relies on
SECCOMP_ADDFD_FLAG_SEND (Linux 5.14+) to avoid TOCTOU issues when hooking openat.2. Requires you to create the target process (parent-to-child injection only).
3. The injected code runs with the same UID, namespaces, and LSM label as the target process.
via Outflank Blog (author: Kyle Avery)
Operationalizing BloodHound Enterprise: Security automation with Tines
#specterops
BloodHound Enterprise gives you all the pieces you need: the data, the analysis, the visualizations. What we don’t dictate is how you put it all together. Your workflows, your tools, your SOC. This is the first post in our ‘Operationalizing BloodHound Enterprise’ series, showing practical ways to integrate BHE into your security operations. Theoretical risk […]
via SpecterOps BH Blog (author: Hugo van den Toorn)
#specterops
BloodHound Enterprise gives you all the pieces you need: the data, the analysis, the visualizations. What we don’t dictate is how you put it all together. Your workflows, your tools, your SOC. This is the first post in our ‘Operationalizing BloodHound Enterprise’ series, showing practical ways to integrate BHE into your security operations. Theoretical risk […]
via SpecterOps BH Blog (author: Hugo van den Toorn)
A Hacker Holiday Gift Guide: 2025 Edition
#bishopfox
Shopping for a hacker? Skip the gimmicks. Here are the tools, training, and books they actually want: Flipper Zero, Proxmark3, Shodan, HTB, and must-read vuln research picks, perfect for deal-season lab upgrades.
via BishopFox Blog
#bishopfox
Shopping for a hacker? Skip the gimmicks. Here are the tools, training, and books they actually want: Flipper Zero, Proxmark3, Shodan, HTB, and must-read vuln research picks, perfect for deal-season lab upgrades.
via BishopFox Blog
SCOMmand and Conquer – Attacking System Center Operations Manager (Part 1)
#specterops
TL:DR SCOM suffers from similar insecure default configurations as its SCCM counterpart, enabling attackers to escalate privileges, harvest credentials, and ultimately compromise the entire management group and its monitored infrastructure. Intro At this point, I think it’s acceptable for me to just start each blog with a screenshot of Duane triggering me to look into […]
via SpecterOps Blog (author: Garrett Foster)
#specterops
TL:DR SCOM suffers from similar insecure default configurations as its SCCM counterpart, enabling attackers to escalate privileges, harvest credentials, and ultimately compromise the entire management group and its monitored infrastructure. Intro At this point, I think it’s acceptable for me to just start each blog with a screenshot of Duane triggering me to look into […]
via SpecterOps Blog (author: Garrett Foster)
SCOMmand And Conquer – Attacking System Center Operations Manager (Part 2)
#specterops
TL;DR: We found that SCOM RunAs credentials could be obtained on-host and also off-host in certain configurations and wrote a tool to help automate their recovery. To skip straight to the tool, go here https://github.com/breakfix/SharpSCOM Introduction In our previous blog post, we demonstrated a series of attacks focused on attacking the SCOM server directly. Specifically, […]
via SpecterOps Blog (author: Matt Johnson)
#specterops
TL;DR: We found that SCOM RunAs credentials could be obtained on-host and also off-host in certain configurations and wrote a tool to help automate their recovery. To skip straight to the tool, go here https://github.com/breakfix/SharpSCOM Introduction In our previous blog post, we demonstrated a series of attacks focused on attacking the SCOM server directly. Specifically, […]
via SpecterOps Blog (author: Matt Johnson)