Last Week in Security (LWiS) - 2026-03-02
SolarWinds RCE (@chudyPB), Windows 11 Recall-based LPE (@filip_dragovic), Robot RCEs (@olivier_boschko + @ruikai), EDR as a RAT (@p0w1_), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2026-02-23 to 2026-03-02.
News
- Cultivating a robust and efficient quantum-safe HTTPS - Google is pushing post-quantum cryptography into Chrome. Cloudflare is also on board.
- Google API Keys Weren't Secrets. But then Gemini Changed the Rules. - Formerly public API keys (used for things like the Google Maps API) can now expose sensitive things like files uploaded to Gemini if the Google Cloud project they came from has the Generative Language API enabled.
Techniques and Write-ups
- Building virtual iPhone using VPHONE600AP component of recently released PCC firmware - It looks like it's possible to use the newly included "iPhone Research Environment Virtual Machine" of the Private Cloud Compute to spin up a working iOS 26 virtual machine on an ARM-based Mac.
- Buy A Help Desk, Bundle A Remote Access Solution? (SolarWinds Web Help Desk Pre-Auth RCE Chain(s)) - watchTowr researchers are scary. Piotr found a novel remote code execution vulnerability (bypassing prior patches), but it required authentication. So he found two authentication bypass 0days, but they were foiled by a "patch" that instructed admins to delete the jar file that contained the deserialization gadget used. Instead, he found a different gadget that allows a connection to the local Postgres database, and used that to run malicious SQL and get SYSTEM-level code execution. Code: watchTowr-vs-SolarWinds-WebHelpDesk-CVE-2025-40552-CVE-2025-40553.
- Total Recall – Retracing Your Steps Back to NT AUTHORITY\SYSTEM - You know your red team is legit when your operators/devs are finding local privilege escalation vulnerabilities in Windows itself, and then bypassing the patches. The code at CVE-2025-60710 (a copy of the accidentally released first PoC) looks legitimate but does include binaries (Msi_EoP.msi, 5eeabb3.rbs) that have not been vetted. Be careful.
- From DDS Packets to Robot Shells: Two RCEs in Unitree Robots (CVE-2026-27509 & CVE-2026-27510) - The journey from unboxing a robot to finding remote code execution vulnerabilities.
- CVE-2025-59201 - Network Connection Status Indicator (NCSI) EoP - Some neat tricks in the "Exploitation" section if you find yourself with a CreateSubKey right, although it ends without a full explanation of the code execution. I suspect that since WMI providers are loaded on-demand there is a missing step to explicitly invoke a WMI query against Win32_Tpm class once the registry key is overwritten.
- Bypassing Apache FOP Postscript Escaping to reach GhostScript - "According to Apache FOP, this bug will not be fixed. Instead, the documentation will be improved on what kind of security properties users can expect from Apache FOP." 🫠
- Delinea Protocol Handler - Return of the MSI: RCE via Custom Launcher - More VPN client RCE, this time via a protocol handler.
- What Windows Server 2025 Quietly Did to Your NTLM Relay - Windows Server 2025 ignores the value of LmCompatibilityLevel and never generates NTLMv1 client traffic.
- Abusing Cortex XDR Live Terminal as a C2 - You know we love some traitorware!
- Making the Hashcracky Hashcat Rules - Some great tips and tools for password cracking rule generation in this post.
- 100+ Kernel Bugs in 30 Days - What happens when you look at as many Windows drivers as you can get your hands on with AI assistance? Bugs. Lots of bugs.
- Building an AI Vishing Solution in 7 Days - I've warned about this many times before. It's real now.
- Telnetd Vulnerability Report - After the CVE for passing a "-f root" value for the USER environment variable to telnetd, Justin Swartz took another look at telnetd and dug up another variant of a CVE from 1999 using environment variables to set the binary path telnetd uses to localize the prompt. This allowed him to copy /bin/sh with the SUID bit set and gain root access to the local machine.
Tools and Exploits
- PhantomSec | Advanced Offensive Capabilities Automated - EvadeX Sponsored - EvadeX is an evasion-as-a-service platform for red teams and pentesters who want modern, continuously-updated evasive tradecraft without turning every engagement into an R&D project. Generate highly customizable, low-signature payloads through a simple web workflow so you can tune to the target and stay focused on the engagement. Trusted by teams from small consultancies to the Fortune 10. Get callbacks past EDR today!
- airsnitch - A set of attacks that enable a guest user to bypass Wi-Fi client isolation. Or put differently, it allows an adversary who can connect to your network, either as a malicious insider or by connecting to a co-located open network, to 'bypass Wi-Fi encryption'. [PDF] Paper.
- Introducing MacNoise! - MacNoise is a modular macOS telemetry noise generator for EDR testing and security research. It generates real system events: network connections, file writes, process spawns, plist mutations, TCC permission probes, and more, so security teams can validate that their EDR, SIEM, and firewall tooling detects what it is supposed to detect.
- redStack - Boot-to-Breach red team lab on AWS. Mythic, Sliver, and Havoc C2 behind a production-style Apache redirector. Deployed via Terraform.
- Nemesis 2.2 - "Nemesis 2.2 introduces a number of powerful new features focusing on large container processing, data processing agents, enhanced DPAPI support, and a host of performance improvements."
- TimeAfterFree - PHP 8 sandbox escape PoC demonstrating a disable_functions bypass on Unix-like systems.
- OpenAnt - An open source LLM-based vulnerability discovery product that helps defenders proactively find verified security flaws while minimizing both false positives and false negatives. Stage 1 detects. Stage 2 attacks. What survives is real.
- mquire - Linux memory forensics without external dependencies.
- notion - A Mythic C2 profile that uses Notion as a covert communication channel.
- nerva - Fast service fingerprinting CLI for 120+ protocols (TCP/UDP/SCTP) - built by Praetorian.
- gibson - Network monitoring tool that maps process-to-network connections, identifies cloud providers, and detects beaconing activity. Zero-flag agent binary for deployment, aggregation server, offline ASN lookup.
- ADPulse is an open-source Active Directory security auditing tool that connects to a domain controller via LDAP(S), runs 35 automated security checks, and produces detailed reports in console, JSON, and HTML formats.
- Tyche is a Mythic HTTPX Profile Generator used to create Malleable C2 Profiles.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- azureBlob - Azure Blob Storage C2 Profile for Mythic
- The World's Hardest Hacking Competition - Pwn2Own Documentary - A look into the Pwn2Own competitions and how Mozilla handles the 0day disclosures.
- The Internet Was Weeks Away From Disaster and No One Knew - A video with 8 million views on a very popular YouTube channel goes over everything from Linux to the xz backdoor. If you want to play with xz you can with Ludus' Malware Lab, which includes the xz backdoor and an attacker machine.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.