Low Level CO 🇨🇴 – Telegram
A channel focused on researching advanced offensive security techniques.

Windows internals
Malware Development
Exploits & Reversing
Low level programming
kernel mode & user mode
Syscall & Hypercalls
Ring 0, 3, -1
Firmware
Forwarded from 1N73LL1G3NC3
MongoBleed (CVE-2025-14847) - Unauthenticated Memory Leak PoC

A flaw in the zlib library enables attackers to leak sensitive data from MongoDB servers. The attacker can send the payload without authentication, as the bug is exploited at the network level.

Attackers can exploit this to extract sensitive information from MongoDB servers, including user information, passwords, API keys and more. Although the attacker might need to send a large amount of requests to gather the full database, and some data might be meaningless, the more time an attacker has the more information could be gathered.

Blog: https://www.ox.security/blog/attackers-could-exploit-zlib-to-exfiltrate-data-cve-2025-14847/

Dork:
Shodan: product:"MongoDB"
HUNTER: product.name="MongoDB"
ZoomEye Dork: app="MongoDB"
Affected versions:
8.2.0 to 8.2.2
8.0.0 to 8.0.16
7.0.0 to 7.0.27
6.0.0 to 6.0.26
5.0.0 to 5.0.31
4.4.0 to 4.4.29
4.2.0 and later
4.0.0 and later
3.6.0 and later
HeapHunter

A unique technique that leverages the inner workings of C++, specifically pure virtual functions and abstract classes, to hijack AMSI without patching any RX memory in the .text section.

#malware_development
#malwaredev
#amsi_bypass

@ZwLowLevel
https://github.com/Yair-Men/HeapHunter
Have you tried turning it off and on again?

The article explains why the classic advice “turn it off and on again” is still effective in modern computing. It argues that software failures are inevitable due to system complexity, and restarting often clears temporary states, bugs, or resource issues. Rather than treating this as a weakness, the author suggests that software should be designed to fail gracefully and make recovery — such as restarting or reinstalling — simple and reliable.

@ZwLowLevel
https://eblog.fly.dev/onoff.html
DNGerousLINK: A Deep Dive into WhatsApp 0-Click Exploits on iOS and Samsung Devices

The spyware attack targeting WhatsApp, disclosed in August as an in-the-wild exploit, garnered significant attention. By simply knowing a victim's phone number, an attacker could launch a remote, zero-interaction attack against the WhatsApp application on Apple devices, including iPhones, iPads, and Macs. Subsequent reports indicated that WhatsApp on Samsung devices was also targeted by similar exploits.

#binary_exploitation
#exploitation
#android_malware

@ZwLowLevel
https://media.ccc.de/v/39c3-dngerouslink-a-deep-dive-into-whatsapp-0-click-exploits-on-ios-and-samsung-devices
NtQuery(*) is a powerful native API!
A good platform to put your RE & Malware Analysis skills to the test.

https://malops.io/
Thread Name Calling Injection

This technique abuses Windows APIs originally designed for setting and retrieving thread names (descriptions) to inject shellcode or load DLLs into a remote process.
#malware_development
#malwaredev
#maldev
@ZwLowLevel
Forwarded from Sec Note
Analyzing Avast AV: Kernel Hooking and Driver Reverse Engineering
👾Presentation Video

Blog:
https://binary-win.github.io/2025/12/27/AVAST-Kernel-Hooks-and-AV-ANALYSIS.html