m1tz (@_m1tz) 's Twitter Profile
m1tz

@_m1tz

Web Security Expert | Bug Hunter | Käferjäger

bsky.app/profile/m1tzzz…

ID: 1081130640853090305

04-01-2019 10:10:06

89 Tweets

218 Followers

871 Following

CODE WHITE GmbH (@codewhitesec) 's Twitter Profile Photo

BeanBeat has been acquired by Kurts Maultaschenfabrikle! You don't know what that means? Head over to apply-if-you-can.com to find out in challenges that, without exception, stem from real-world vulns #uncompromisingRealism #finestHacking

CODE WHITE GmbH (@codewhitesec) 's Twitter Profile Photo

Using Telerik Reporting or Report Server? Patch now to fix 3 RCEs Markus Wulftange found (CVE-2024-8015, CVE-2024-8014, CVE-2024-8048). Telerik vulns have a history of being exploited by threat actors according to CISA Cyber. Details at code-white.com/public-vulnera…

TightropeMonkey (@tightropemonkey) 's Twitter Profile Photo

Team 🇩🇪 made it and participates in the next round of the hackerone #AmbassadorWorldCup! 🎉 Can't wait until next week to compete again for the sweet sixteen round 💪🏻 Thanks to the whole team and especially Lauritz svennergr m1tz Tobi Weißhaar ᴘᴀᴛʀɪᴄᴋ for giving everything!

Sebastian Stohr (@_superhero1) 's Twitter Profile Photo

Fellow Hackers! Next Sat I will host the first Intigriti Open Port Event Germany in Heidelberg with amazing #kaeferjaeger! The last spots are left to grab! 😱 Tell us in the comments why you should get one 🎟️ I will DM the winners 🎉 This is an in-person event only, not remote

m1tz (@_m1tz) 's Twitter Profile Photo

Another live hacking event with the #kaeferjaeger. This time with Intigriti in Heidelberg and the awesome targets #Allegro. Had a great time and found a couple of bugs. #lhe #bughunting #bugbounty

foobar7 (@foobar0x7) 's Twitter Profile Photo

I haven't posted in a while because of how the platform developed. With Musk declaring support for the right-wing extremist party in my country, I'm officially saying goodbye. Supporting German Nazism is unacceptable and I don't want to be a part of that.

CODE WHITE GmbH (@codewhitesec) 's Twitter Profile Photo

Ever wondered how Kurts Maultaschenfabrikle got hacked in 2023? The full story, all technical details, out now ;-) apply-if-you-can.com/walkthrough/20…

CODE WHITE GmbH (@codewhitesec) 's Twitter Profile Photo

Our crew members Markus Wulftange & frycos discovered & responsibly disclosed several new RCE gadgets that bypass #Veeam's blacklist for CVE-2024-40711 & CVE-2025-23120 as well as further entry points following SinSinology & Piotr Bazydło's blog. Don’t blacklist, replace BinaryFormatter.

CODE WHITE GmbH (@codewhitesec) 's Twitter Profile Photo

Yes, we're beating a dead horse. But that horse still runs in corporate networks - and quietly gives attackers the keys to the kingdom. We're publishing what’s long been exploitable. Time to talk about it. #DSM #Ivanti code-white.com/blog/ivanti-de…

Tobi Weißhaar (@_kun_19) 's Twitter Profile Photo

First experience with the Samsung Mobile Bug Bounty Program. Takes a looong time to get rewarded and the reward was not as expected…but anyways what stays is a CVE for Samsung (Browser App) 😅 Thanks m1tz for the collab! #bugBounty #hacking nvd.nist.gov/vuln/detail/CV…

CODE WHITE GmbH (@codewhitesec) 's Twitter Profile Photo

We have reproduced "ToolShell", the unauthenticated exploit chain for CVE-2025-49706 + CVE-2025-49704 used by Khoa Dinh to pop SharePoint at #Pwn2Own Berlin 2025, it's really just one request! Kudos to Markus Wulftange

m1tz (@_m1tz) 's Twitter Profile Photo

Stumbled upon your next Firebase target? You might want to take a closer look at this. blog.m1tz.com/posts/2025/07/…

CODE WHITE GmbH (@codewhitesec) 's Twitter Profile Photo

We've added a new demo to NewRemotingTricks that makes deploying a MarshalByRefObject (e.g., WebClient) even easier: System.Lazy<T> creates an instance of T on serialization, which is probably more likely to be allowed than a XAML gadget getting through. github.com/codewhitesec/N…

CODE WHITE GmbH (@codewhitesec) 's Twitter Profile Photo

Ten days left. The warm-up fades. Maultaschen were soft. Bean Beats were dark and burnt. But the beats of #ULMageddon will be brutal! #applyIfYouCan

m1tz (@_m1tz) 's Twitter Profile Photo

Did you encounter the Supabase? Might wanna try my newest tooling or have a read about quickwins? There you go: blog.m1tz.com/posts/2025/10/…

turb0 (@7urb01) 's Twitter Profile Photo

CVE-2025-55315, a 9.9 HTTP smuggling vulnerability in dotnet Kestrel webserver disclosed this week, caught my attention this morning due to lack of information, so I put together a very limited analysis of it. turb0.one/pages/Abbrevia… More to be done here for those interested!

CODE WHITE GmbH (@codewhitesec) 's Twitter Profile Photo

Latest ≠ Greatest? A Retrospective Analysis of CVE-2025-59287 in Microsoft WSUS from our very own Markus Wulftange who loves converting n-days to 0-days code-white.com/blog/wsus-cve-…