Last Week in Security (LWiS) - 2025-07-14
LudusHound (@bagelByt3s), SpeechRuntimeMove (@ShitSecure), Havoc Pro (@C5pider), FortiWeb RCE (@SinSinology), SailPoint IQService RCE (@NetSPI), Altiris RCE (@lefterispan), WAF bypass (@nyxgeek), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2025-07-07 to 2025-07-14.
News
- Havoc Professional: A Lethal Presence - Havoc made a splash when it was released on 2022-09-11. Now Paul (@C5pider) is gearing up to release a professional version with some unique features like a built in virtual machine.
- Exclusive: Meta won't tweak pay-or-consent model further despite risk of EU fines, sources say - Meta has had enough of what it sees as EU over-regulation. If you take away the data collection that allows Meta to be profitable, and not enough EU users opt to pay for Meta services, I don't see why Meta would continue to operate in the EU. People have been conditioned to pay for services with their data, in part thanks to services like Facebook, but the genie is out of the bottle. Will EU citizens call for change if Meta pulls completely out of the EU? Would any other social media site dare to grow in the EU if they knew they could simply be shut off by regulators?
- UK Arrests Four in ‘Scattered Spider’ Ransom Group - The gang famous for calling up IT support and resetting employee passwords to gain access to sensitive systems is slowly getting arrested. The oldest was only 20 years old.
- About the hype around XBOW - "XBOW is an AI that is 1st on HackerOne," is a technically true statement, but with a lot of caveats.
- Swedish PM’s private address revealed by Strava data shared by bodyguards - This is at least the 4th public incident of OPSEC fails on Strava. Default public is a bad default. Previously it was the U.S. Secret Service, Emmanuel Macron's bodyguards, and secret US army bases.
Techniques and Write-ups
- LudusHound: Raising BloodHound Attack Paths to Life - What if you could rebuild your/your customer's network in your lab, automatically? Every Active Directory object and relationship, including user accounts, group structures, delegation settings, GPO links, and domain trusts? Now you can thanks to Beyviel David's work! LudusHound connects to a BloodHound server via its API and creates a Ludus configuration file that can be used to build a network in Ludus. The community that's been building on Ludus, expanding it with features, roles, templates, and tools is really cool to see.
- Revisiting Cross Session Activation Attacks - A remote COM hijack that allows code execution in the context of a user session on a remote machine is a powerful lateral movement technique. Imagine having admin access to a machine that a domain admin is logged into, and getting a callback as the domain admin without having to dump credentials or inject into processes.
- Pre-Auth SQL Injection to RCE - Fortinet FortiWeb Fabric Connector (CVE-2025-25257) - Unauthenticated SQL injection. A POC for CVE-2025-25257 also dropped. Yes, this one is NEW. Worth noting this was "discovered" in February, so don't forget to hunt through your data from this year. There are some really fun tricks to SQLi exploitation in this write-up from the king of RCE, Sina Kheirkhah.
- From Cheap IOT Toy to Your Smartphone: Getting Rce by Leveraging a Companion App - That app on your phone may open you up to exploits over the network when it packages vulnerable libraries. Android still makes it difficult, but where there is a will, there is a shell.
- Taking them to the SHITTER: an analysis of vendor abuse of security research in-the-wild - Raphael Mudge is in his F*** You era and I'm here for it. Can't we all just get along and respect the work of others? I wonder how much the marketing team was involved with the wording of the post? Mudge also released an update to Tradecraft Garden.
- GPUHammer: Rowhammer Attacks on GPU Memories are Practical - Will you give up 10% of your GPU speed and 6.25% of your GPU's memory capacity to prevent bit flips? I doubt it.
- Set Sail: Remote Code Execution in SailPoint IQService via Default Encryption Key - You won't be surprised to find the service runs as SYSTEM.
- CVE-2025-5333: Remote Code Execution in Broadcom Altiris IRM - Sometimes the endpoint detection and response (EDR) software and the initial access vector are the same thing.
- Azure's Front Door WAF WTF: IP Restriction Bypass - What determines the IP of a request? Microsoft thinks a header is good enough.
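The Front Door item above is an instance of a general failure: an IP restriction that is derived from a client-controllable forwarded header instead of from the address the request actually arrived from. The following is an added example, not code from this newsletter or from the linked frontdoor_waf_wtf script, and it does not model Front Door's RemoteAddr semantics specifically; it shows the weak check beside a hardened one that only honors X-Forwarded-For when the TCP peer is a known proxy. All proxy and client ranges are constructed placeholders.

```python
"""Added example: deriving a client IP for an allowlist check.

naive_client_ip() trusts X-Forwarded-For unconditionally, so anyone who can
reach the origin directly can spoof an allowed address.  hardened_client_ip()
only walks the header when the TCP peer is a trusted proxy, and takes the
rightmost address that is not itself a trusted proxy.  Networks below are
constructed documentation ranges, not real infrastructure.
"""
import ipaddress
from typing import Dict, Iterable, Optional

# Constructed placeholders: the egress range of the proxy/WAF tier in front
# of the origin, and the client range the origin is supposed to admit.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]
ALLOWED_CLIENTS = [ipaddress.ip_network("198.51.100.0/24")]

IPAddress = ipaddress._BaseAddress


def _parse(value: str) -> Optional[IPAddress]:
    """Parse one address; return None on anything malformed (fail closed)."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def _in_any(addr: IPAddress, nets: Iterable[ipaddress._BaseNetwork]) -> bool:
    return any(addr in net for net in nets)


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def naive_client_ip(headers: Dict[str, str], peer_ip: str) -> Optional[IPAddress]:
    """Weak: the leftmost X-Forwarded-For entry wins, no matter who sent it."""
    xff = _header(headers, "X-Forwarded-For")
    if xff:
        return _parse(xff.split(",")[0])
    return _parse(peer_ip)


def hardened_client_ip(headers: Dict[str, str], peer_ip: str,
                       trusted_proxies=TRUSTED_PROXIES) -> Optional[IPAddress]:
    """Honor the forwarded header only when it was appended by a trusted proxy.

    A proxy appends the address it saw to the right of whatever the client sent,
    so the first non-proxy address scanning from the right is the real client;
    anything further left is unverified client input.
    """
    peer = _parse(peer_ip)
    if peer is None or not _in_any(peer, trusted_proxies):
        # Direct connection or unknown intermediary: the header is untrusted.
        return peer
    hops = [_parse(h) for h in _header(headers, "X-Forwarded-For").split(",") if h.strip()]
    for hop in reversed(hops):
        if hop is None:
            return None  # malformed entry: deny rather than guess
        if not _in_any(hop, trusted_proxies):
            return hop
    # Header empty or every hop was a proxy: the proxy itself is the client.
    return peer


def naive_decision(headers: Dict[str, str], peer_ip: str) -> bool:
    client = naive_client_ip(headers, peer_ip)
    return client is not None and _in_any(client, ALLOWED_CLIENTS)


def hardened_decision(headers: Dict[str, str], peer_ip: str) -> bool:
    client = hardened_client_ip(headers, peer_ip)
    return client is not None and _in_any(client, ALLOWED_CLIENTS)


if __name__ == "__main__":
    # Constructed request: a direct connection from an unlisted address that
    # claims an allowed client in the header.
    spoof = {"X-Forwarded-For": "198.51.100.5"}
    print("naive allows spoof:", naive_decision(spoof, "192.0.2.10"))      # True
    print("hardened allows spoof:", hardened_decision(spoof, "192.0.2.10"))  # False
```

The same header sent through the real proxy tier still works: with peer 203.0.113.7 and X-Forwarded-For "198.51.100.5", the hardened check admits the request, and with "198.51.100.5, 192.0.2.10" (a spoofed entry plus the address the proxy actually observed) it denies it. The check to run against your own edge is whether the origin, or the WAF rule, ever consults such a header without first confirming the peer.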
Tools and Exploits
- SpeechRuntimeMove - Lateral movement as the logged-on user via the Speech Named Pipe COM object (ISpeechNamedPipe) plus COM hijacking.
- CVE-2025-48799 - This is a PoC for CVE-2025-48799, an elevation of privilege vulnerability in the Windows Update service.
- SharpSilentChrome - SharpSilentChrome is a C# project that "silently" installs browser extensions on Google Chrome or MS Edge by updating the browsers' Preferences and Secure Preferences files. Currently, it only supports Windows. [Check out Ludus in the PoC video!]
- wazuh-mcp-server - Repo to hold the Wazuh manager MCP server.
- frontdoor_waf_wtf - Script to check Azure Front Door WAF for insecure RemoteAddr variable.
- ExfilServer - Client-side Encrypted Upload Server Python Script.
- WDSFinder - A simple tool to identify WDS servers in Active Directory.
- NovaHypervisor - NovaHypervisor is a defensive x64 Intel host based hypervisor. The goal of this project is to protect against kernel based attacks (either via Bring Your Own Vulnerable Driver (BYOVD) or other means) by safeguarding defense products (AntiVirus / Endpoint Protection) and kernel memory structures and preventing unauthorized access to kernel memory.
- DoubleTeam - Listener that spawns a new tmux window for each incoming reverse shell + Supports listening on many ports.
- stitch - Rewrite and obfuscate code in compiled binaries.
- CVE-2025-48384 - PoC for CVE-2025-48384 - Breaking Git with a carriage return and cloning RCE. More info here.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- DCOMRunAs - Lateral movement with DCOM DLL hijacking.
- PiCCANTE - PiCCANTE is a powerful tool for exploring and reversing the CAN buses of vehicles, based on the Raspberry Pi Pico (any model).
- Neo4jWordlistHarvester - LdapWordlistHarvester, but with Neo4j.
- Hacker Family Feud Survey - Fill out this quick survey to create the answers for "Hacker Family Feud" content at DEF CON 33.
- television - A cross-platform, fast and extensible general purpose fuzzy finder 📺.
- FindOldSIDTraces - A cross-platform tool to find traces of old SIDs remaining in LDAP objects of the Active Directory.
- LinkedIntel - LinkedIn recon the easy way.
- WatchWitch: Interoperability, Privacy, and Autonomy for the Apple Watch - Researchers reverse engineered the closed-down ecosystem of the Apple Watch and opened up compatibility with Android.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.