Last Week in Security (LWiS) - 2025-05-27
BadSuccessor (@YuG0rd), o3 finds SMB 0day (@seanhn), crashing defender (@InfoGuard_Labs), MDT looting (@Oddvarmoe), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2025-05-19 to 2025-05-27.
News
- Tracking the Cost of Quantum Factoring - It could take 20x fewer qubits (1 million running for 1 week) than previously thought to factor Rivest–Shamir–Adleman (RSA) keys. The largest public functioning general-purpose quantum computer (IBM Condor) has 1,121 qubits. The National Institute of Standards and Technology (NIST) says systems without post-quantum cryptography should be deprecated in 2030 and disallowed after 2035.
- “Microsoft has simply given us no other option,” Signal says as it blocks Windows Recall - Windows Recall will screenshot nearly anything, including payment details, health records, and until this update, Signal desktop messages. Users who want to take legitimate screenshots or use a screen-reader have to toggle a setting in Signal which is off by default.
- Self-hosting is having a moment. Ethan Sholly knows why. - We couldn't agree more. The compute-per-dollar (CPU+RAM+Disk) is so good right now that you can self-host entire networks easily.
- [reddit] Someone just randomly joined my Tailnet - Tailscale has to manually maintain a list of shared email providers; otherwise the first person to sign up from a domain becomes the tailnet admin. Sounds like there is a change coming to make this a non-issue, and tailnet approvals are now on by default, but it's tech debt coming back to bite Tailscale.
- UAE Recruiting US Personnel Displaced by DOGE to Work on AI for its Military - "A UAE brigadier general received permission from the Pentagon to recruit former members of the Defense Digital Service to work on artificial intelligence for the UAE military — despite past warnings from US spy agencies and federal lawmakers that UAE could share AI technologies with China."
- The Windows Subsystem for Linux is now open source - WSL2 is open source, WSL1 (Lxcore.sys) is not yet open source.
Techniques and Write-ups
- BadSuccessor: Abusing dMSA to Escalate Privileges in Active Directory - If there is a Windows Server 2025 domain controller, and you have any low-privilege user in the network with the ability to create a delegated Managed Service Account (dMSA), or control of an OU where one can be created, congrats! You've got Domain Admin! With all the press this has gotten, I wonder if it will be elevated from "won't fix" by the Microsoft Security Response Center. [Pastebin] This Cypher query may be your best bet for detection right now (credit to @sekurlsa_pw).
- How I used o3 to find CVE-2025-37899, a remote zeroday vulnerability in the Linux kernel’s SMB implementation - "No scaffolding, no agentic frameworks, no tool use... With o3 LLMs have made a leap forward in their ability to reason about code, and if you work in vulnerability research you should start paying close attention."
- Argusee: A Multi-Agent Collaborative Architecture for Automated Vulnerability Discovery - The framework managed to find a vulnerability in the Linux USB protocol stack (CVE-2025-37891), and scored 100% on the buffer overflow test cases from Meta's CyberSecEval.
- Attacking EDRs Part 4: Fuzzing Defender's Scanning and Emulation Engine (mpengine.dll) - The ability to crash Windows Defender is powerful, as a file that causes a crash can be packaged with an initial access or lateral movement payload to prevent scanning and detection.
- Red Team Revelations: Exposing and Addressing Vulnerabilities in Ivanti Workspace Control - C# programs and static keys are a timeless classic. IvantiWorkspaceControlDecrypter is the tool.
- Pwn2Own Ireland 2024: Canon imageCLASS MF656Cdw - Some embedded hacking, and a fun description on how they set up a remote exploitation lab.
- Red Team Gold: Extracting Credentials from MDT Shares - Find creds and other goodies on Microsoft Deployment Toolkit (MDT) shares. The only thing this post is missing is a Ludus role to set up MDT in a lab.
- Understanding Integer Overflow in Windows Kernel Exploitation - Get your feet wet with Windows Kernel exploitation by triggering some blue screens with integer overflows.
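The classic shape of the bug that post is about is a 32-bit size computation that wraps before it reaches the allocator, so the buffer ends up far smaller than the data later copied into it. The following is an added example (not code from the linked post) in plain user-mode C that shows the wrapping arithmetic next to an overflow-checked version; the 16-byte header size and the element/count values are constructed for illustration, and the allocation is only computed, never written past, so the program runs safely.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed layout: a fixed header followed by count elements of elem_size bytes.
   Sizes are deliberately uint32_t, mirroring ULONG lengths taken from user input. */
#define HEADER_SIZE 16u

/* Vulnerable pattern: count * elem_size can wrap in 32 bits, so the returned
   size may be tiny even though the caller will later copy count * elem_size bytes. */
uint32_t unsafe_alloc_size(uint32_t count, uint32_t elem_size)
{
    return HEADER_SIZE + count * elem_size; /* unsigned wrap is silent */
}

/* Hardened pattern: check both the multiplication and the addition before doing them.
   Returns false when the true size does not fit in 32 bits. */
bool safe_alloc_size(uint32_t count, uint32_t elem_size, uint32_t *out)
{
    if (elem_size != 0 && count > UINT32_MAX / elem_size)
        return false;                       /* count * elem_size would wrap */
    uint32_t body = count * elem_size;
    if (body > UINT32_MAX - HEADER_SIZE)
        return false;                       /* HEADER_SIZE + body would wrap */
    *out = HEADER_SIZE + body;
    return true;
}

/* Reports whether the bytes a copy loop would write (computed in 64 bits) exceed the
   buffer the vulnerable size calculation would have allocated. True means out-of-bounds. */
bool unsafe_size_overruns(uint32_t count, uint32_t elem_size)
{
    uint64_t needed = (uint64_t)HEADER_SIZE + (uint64_t)count * (uint64_t)elem_size;
    return needed > (uint64_t)unsafe_alloc_size(count, elem_size);
}

int main(void)
{
    /* Constructed inputs: 0x40000001 elements of 4 bytes is 4 GiB + 4 bytes, which wraps. */
    uint32_t count = 0x40000001u, elem = 4u, size;

    printf("unsafe size: %u bytes (wrapped)\n", unsafe_alloc_size(count, elem));
    printf("overrun?     %s\n", unsafe_size_overruns(count, elem) ? "yes" : "no");
    printf("safe accepts? %s\n", safe_alloc_size(count, elem, &size) ? "yes" : "no");

    count = 10u;
    if (safe_alloc_size(count, elem, &size))
        printf("safe size for 10 elements: %u bytes\n", size);
    return 0;
}
```

The defensive rule is the one the checked version follows: validate sizes in a wider type or against `UINT32_MAX / elem_size` before multiplying, and reject rather than clamp, since a clamped size still disagrees with the count the copy loop will trust.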
- Offensive Threat Intelligence - "It’s not about knowing threats, it’s about becoming them long enough to help others beat them." I would argue LWiS is "Offensive Threat Intelligence." You should be taking ideas and tools from this blog to improve your red/blue team.
Tools and Exploits
- SharpSuccessor - SharpSuccessor is a .NET Proof of Concept (POC) for fully weaponizing Yuval Gordon’s (@YuG0rd) BadSuccessor attack from Akamai.
- BadSuccessor.ps1 - BadSuccessor.ps1 checks for the attack's prerequisites and performs the abuse.
- OnionC2 - C2 written in Rust & Go, powered by the Tor network.
- AI-Red-Teaming-Playground-Labs - AI red teaming playground labs for running AI red teaming trainings, including the infrastructure.
- brc4_profile_maker - An interactive TUI tool to create Brute Ratel C4 profiles based on BURP browsing data.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- kunai - Threat-hunting tool for Linux.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.