ATTACKING UNIX SYSTEMS VIA CUPS, PART I

👤 by Simone Margaritelli

A remote unauthenticated attacker can silently replace existing printers’ (or install new ones) IPP urls with a malicious one, resulting in arbitrary command execution (on the computer) when a print job is started (from that computer).

Entry Points
• WAN / public internet: a remote attacker sends an UDP packet to port 631. No authentication whatsoever.
• LAN: a local attacker can spoof zeroconf / mDNS / DNS-SD advertisements and achieve the same code path leading to RCE.

RCE chain
• Force the target machine to connect back to our malicious IPP server.
• Return an IPP attribute string that will inject controlled PPD directives to the temporary file.
• Wait for a print job to be sent to our fake printer for the PPD directives, and therefore the command, to be executed.


📝 Contents:
● Summary
● Intro
● What is cups-browsed?
● Stack Buffer Overflows and Race Conditions
● Back to found_cups_printer
● Internet Printing Protocol
● PostScript Printer Denoscription
● The problematic child: foomatic-rip
● Remote Command Execution chain
● Personal Considerations
● One More Thing


https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/

🤠 A notorious RCE in Zimbra, CVE-2024-45519 – here’s our expert breakdown!

High resolution

Ruby-SAML / GitLab Authentication Bypass (CVE-2024-45409)

👤 by Harsh Jaiswal & Rahul Maini

In this blog post, authors will analyze CVE-2024-45409, a critical vulnerability impacting Ruby-SAML, OmniAuth-SAML libraries, which effectively affects GitLab.

This vulnerability allows an attacker to bypass SAML authentication mechanisms and gain unauthorized access by exploiting a flaw in how SAML responses are handled. The issue arises due to weaknesses in the verification of the digital signature used to protect SAML assertions, allowing attackers to manipulate the SAML response and bypass critical security checks.

📝 Contents:
● Introduction
● SAML Message Verification
• How SAML Signatures Work?
• How digest and signature ensure integrity?
● Ruby-SAML Bypass
• Bypassing Signature Validation
● Conclusion

https://blog.projectdiscovery.io/ruby-saml-gitlab-auth-bypass/

🎤✨ Our security researcher, Konstantin Polishin, presented “Red Team Social Engineering 2024: Initial Access TTP and Project Experience of Our Team” at #ROOTCON18 🚀

Recording: https://youtube.com/watch?v=6nnZJiL0Tgk

💾 Check out our latest publication on DMA attacks via SD cards!

The article was written by our researcher Gesser.

➡️ https://swarm.ptsecurity.com/new-dog-old-tr

🇻🇳 The Positive Hack Talks in Vietnam has finished!

Slides from our researcher Arseniy Sharoglazov: https://static.ptsecurity.com/events/exch-vietnam.pdf

Wordlist: https://github.com/mohemiv/dodgypass

🎁 Includes a PoC for MyQ Unauthenticated RCE! (CVE-2024-28059)

🇻🇳 At the Positive Hack Talks in Hanoi, our blue team member naumovax shared valuable insights:

1️⃣ Architecture of an automation tool for detecting malware in the network
2️⃣ Key features you should add to your tool
3️⃣ Our refined Suricata rules

Link 👉 https://static.ptsecurity.com/events/stratocaster-how-we-automated-the-routine-search-for-unknown-malware-in-the-network-traffic.pdf

Link to our Suricata rules: https://rules.ptsecurity.com/

Exploiting SSTI in a Modern Spring Boot Application (3.3.4)

👤 by parzel

The article explores exploiting a Server-Side Template Injection (SSTI) vulnerability in a Spring Boot 3.3.4 application using Thymeleaf, leading to Remote Code Execution (RCE). It highlights the process of injecting malicious input to trigger Java reflection and bypass security defenses in modern framework.

The post provides a detailed walkthrough of achieving RCE despite the robust safeguards present, emphasizing the complexity of exploiting such vulnerabilities in contemporary applications.

📝 Contents:
● Identifying the Bug
● Facing Problems
● Bypassing the Defenses
● Developing the Exploit

https://modzero.com/en/blog/spring_boot_ssti/

📟 Our researcher a1exdandy has uncovered vulnerabilities in GD32 microcontrollers (GigaDevice) that bypass protection mechanisms, allowing memory extraction.

The article 👉 https://swarm.ptsecurity.com/gigavulnerability-readout-protection-bypass-on-gigadevice-gd32-mcus/

🔥 The "impossible" XXE in PHP? Not so impossible anymore.

Our researcher Aleksandr Zhurnakov discovered an interesting combination of PHP wrappers and a feature of XML parsing in libxml2 to exploit it.

Read: https://swarm.ptsecurity.com/impossible-xxe-in-php/

Next.js and the corrupt middleware: the authorizing artifact

👤 by Rachid Allam & Yasser Allam

Researchers have discovered a critical vulnerability in Next.js, a popular framework for building web applications. The flaw allows attackers to bypass middleware responsible for request processing, including authentication and path rewrites.

By adding the x-middleware-subrequest header with a specific value, an attacker can completely ignore middleware execution, gaining unauthorized access to protected resources. Additionally, the vulnerability can be exploited for denial-of-service (DoS) attacks by poisoning the cache, leading to service disruption.

Many versions of Next.js are affected, making this a widespread security concern.

📝 Contents:
● The Next.js middleware
● The authorizing artifact artifact: old code, 0ld treasure
• Execution order and middlewareInfo.name
● The authorizing artifact: nostalgia has its charm, but living in the moment is better
• /src directory
• Max recursion depth
● Exploits
• Authorization/Rewrite bypass
• CSP bypass
• DoS via Cache-Poisoning (what?)
• Clarification
● Security Advisory - CVE-2025-29927
● Disclaimer
● Conclusion

https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware

Don't Call That "Protected" Method: Dissecting an N-Day vBulletin RCE

👤 by Egidio Romano

The article analyzes a critical Unauthenticated Remote Code Execution vulnerability (CVE-2025-48827) in vBulletin, which becomes exploitable when running on PHP 8.1 or newer.

The vulnerability stems from vBulletin’s misuse of ReflectionMethod::invoke(), which in PHP 8.1+ no longer blocks access to protected methods by default. As a result, attackers can remotely trigger sensitive internal functions originally meant to be inaccessible and achieve code execution on the server.

📝 Contents:
● The Vulnerability
● The vBulletin Vulnerability
● Exploiting vBulletin: Path to Pre-Auth RCE
● Conclusion

https://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce

⚠️ We've reproduced CVE-2025-49113 in Roundcube.

This vulnerability allows authenticated users to execute arbitrary commands via PHP object deserialization.

If you're running Roundcube — update immediately!

🦊 Mozilla Foundation fixed CVE-2025-6430, discovered by our researcher Daniil Satyaev!

This vulnerability allows the Content-Disposition: attachment header to be ignored if the page is opened using <embed> or <object>, resulting in files being displayed instead of downloaded.

🧠 Our researcher Sergey Tarasov discovered a vulnerability (CVE-2025-49689) in NTFS on MS Windows.

The article dives into the exploitation path, file system internals, VHD format, and more.

🔗 Read the article: https://swarm.ptsecurity.com/buried-in-the-log-exploiting-a-20-years-old-ntfs-vulnerability/

😈 Read the new article "Daemon Ex Plist: LPE via MacOS Daemons" by our researcher Egor Filatov.

This research reveals a vulnerability affecting popular apps like Mozilla VPN, Tunnelblick & more.

https://swarm.ptsecurity.com/daemon-ex-plist-lpe-via-macos-daemons/

👑 Our researcher has discovered LPE in VMWare Tools (CVE-2025-22230 & CVE-2025-22247) via VGAuth!

Write-up by the one who broke it: Sergey Bliznyuk

https://swarm.ptsecurity.com/the-guest-who-could-exploiting-lpe-in-vmware-tools/

🚨 We've launched dbugs.ptsecurity.com, a new home for vulnerabilities. More than CVEs. More than MITRE.

✅ Trends & Insights
✅ AI-generated, multi-source vulnerability denoscriptions
✅ Researcher credits

Explore now: https://dbugs.ptsecurity.com

📱 New article by our researcher Artem Kulakov: Injection for an athlete.

Read about a vulnerability discovered in the Garmin Connect mobile application:

https://swarm.ptsecurity.com/injection-for-an-athlete/