Last Week in Security (LWiS) - 2025-12-15

Moonwalk++ stack telemetry bypass (@KlezVirus), a pile of Mediatek CVEs (@hyprdude), AppleScript decompiler (@__pberba__), SCOM hacking (@unsigned_sh0rt + @breakfix), .NET SOAP disaster (@chudyPB), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2025-12-08 to 2025-12-15.

News

  • Criminals Using Altered Proof-of-Life Media to Extort Victims in Virtual Kidnapping for Ransom Scams - It's pretty remarkable what self-hostable AI models can produce (Nano Banana Pro isn't self-hostable, but WAN2.2 is). It's time to set up a safe word if you haven't already.
  • Stop Hacklore! - "Hacklore.org exists to separate myth from reality. Our goal is to help everyday people and small organizations focus on the simple, fact-based steps that truly protect their data and devices—keeping software up to date, using strong passwords and passkeys, using a password manager, and enabling multi-factor authentication." I hope we can stop mandatory password changes without evidence of a breach!
  • The (successful) end of the kernel Rust experiment - "Rust in the kernel is no longer experimental — it is now a core part of the kernel and is here to stay." As Google has shown, memory safe languages introduce far fewer memory safety bugs than C/C++.
  • Atlanta activist charged with wiping phone before CBP search - GrapheneOS has a "Duress PIN" feature that will wipe the device and eSIMs when entered. It would be interesting to know if Samuel entered the PIN himself or if a CBP agent did it after being told the PIN. The incident happened almost a year ago, but it is only now going to court: a December 4th stop over a vehicle tail light issue led to an arrest, and a grand jury indictment for the wiping of the phone a year earlier.

Techniques and Write-ups

  • A look at an Android ITW DNG exploit - Much like the iOS FORCEDENTRY exploits, this write-up details a "zero click" image-based exploit for Android. Looks like it was targeting WhatsApp users with Samsung phones. In this case the DNG image parser on Samsung phones specifically could be exploited to execute arbitrary code. Of note, the memory tagging extension (MTE) would have prevented this but is disabled by default on Samsung phones. iOS is not immune to this type of exploit, as the most recent iOS update 26.2 fixed an AppleJPEG parsing vulnerability (as well as a few actively exploited WebKit vulnerabilities).
  • Malware Just Got Its Free Passes Back! - SilentMoonwalk was a great advancement when it was released; now Moonwalk++ (or is it --?) is here with some clever stack modification that uses "desync gadgets" instead of fixed registers or instruction sequences.
  • The FreePBX Rabbit Hole: CVE-2025-66039 and others - "The main pre-requisite for unauthenticated exploitation is having FreePBX configured with either “webserver” authentication type or no authentication at all." Not exploitable in the default configuration.
  • mediatek? more like media-rekt, amirite. - 19+ vulnerabilities in Mediatek's MT76xx and MT7915 Wi-Fi chipset family with PoCs for each. Bonus points for the ridiculous justification for severity ratings from Mediatek.
  • Decompiling run-only AppleScripts - Today I learned you can compile AppleScript.
  • Azure Seamless SSO: When Cookie Theft Doesn’t Cut It - Azure Seamless SSO allows users to sign in to apps using Azure AD, but get the actual Kerberos tickets from the on-premises domain controller. In this attack path a user's password is known, and using Azure Seamless SSO the attacker is able to bypass conditional access policies and take over the domain using Automation Runbooks.
  • SCOMmand and Conquer – Attacking System Center Operations Manager (Part 1) - It turns out way more enterprises are using Microsoft's System Center Operations Manager (SCOM) than I thought, and Garrett Foster is here to use it to escalate privileges, harvest credentials, and compromise anything SCOM manages. Appreciate the shout out for Ludus in the acknowledgements section!
  • SCOMmand And Conquer – Attacking System Center Operations Manager (Part 2) - Matt Johnson digs deep into the client/server communication in Microsoft's System Center Operations Manager (SCOM) and ends up writing his own client to interact with SCOM, including the ability to decrypt stored credentials and policies. The domain used in the examples is the default Ludus AD domain (ludus.domain) 😊.
  • The Fragile Lock: Novel Bypasses For SAML Authentication - Parser inconsistencies strike again resulting in a full authentication bypass in Ruby and PHP SAML implementations.
  • How we got hit by Shai-Hulud: A complete post-mortem - A look at how one company detected and responded to the latest JavaScript supply chain attack. Now consider if the attacker hadn't been so loud. How long could the attacker have persisted on the developer's machine? Notice the detection was due to GitHub noise, nothing from the endpoint...
  • SOAPwn: Pwning .NET Framework Applications Through HTTP Client Proxies And WSDL - The Simple Object Access Protocol (SOAP) has never been "simple." In fact, this blog comes with a 92-page whitepaper [PDF], and delivers some delicious pre-authentication remote code execution exploits. Microsoft not only refused to fix the underlying issue in .NET, but then refused to fix vulnerabilities that leverage the issue in their own applications!

Tools and Exploits

  • Moonwalk-- - Moonwalk++: Simple POC Combining StackMoonwalking and Memory Encryption.
  • mediarekt-2025 - PoCs for Mediatek CVEs affecting MT7622/MT7915 and others.
  • applescript-decompiler - A decompiler for run-only applescripts.
  • SharpSCOM - A C# utility for interacting with SCOM.
  • SCOM-Deployment-with-Ansible-and-Terraform - Easy to deploy SCOM setup that makes use of Terraform and Ansible. [If you're not using Ludus and ludus_scom for your lab]
  • byvalver - takes shellcode with null-bytes & "denullifies" it.
  • Find-AdminAccess - This C# tool sprays for admin access over the entire domain.
  • CVE-2025-53772 - POC for CVE-2025-53772, a remote code execution vulnerability in Microsoft Web Deploy (msdeploy) caused by unsafe deserialization of HTTP header data.
  • SessionHop - Windows Session Hijacking via COM.
  • Lamperlv3 - Third iteration of Lamperl, a Linux agent for the Adaptix C2 being developed for a blog post.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.