Stephen Fewer (@stephenfewer)'s Twitter Profile
Stephen Fewer

@stephenfewer

Principal Security Researcher @rapid7. Decompiler @relyze. Core @metasploit dev 2009 - 2013. MSRC Top 100 2015. Pwn2Own 2011, 2021, 2024.

ID: 22932980

Link: http://stephenfewer.github.io
Date: 05-03-2009 15:40:23

794 Tweet

8,8K Followers

241 Following

Stephen Fewer (@stephenfewer):

In another great body of research from Ryan Emmons, this disclosure chains 3 new vulns in SonicWall's SMA 100 appliances to go from a low privileged account to full RCE as root!! Awesome work as always 🔥🔥🔥

Neodyme (@neodyme):

At #Pwn2Own Ireland 2024, we successfully targeted the SOHO Smashup category. 🖨️ Starting with a QNAP QHora-322 NAS, we pivoted to the Canon imageCLASS MF656Cdw - and ended up with shellcode execution. Read the full vulnerability deep dive here 👉 neodyme.io/en/blog/pwn2ow…

Stephen Fewer (@stephenfewer):

A new Rapid7 Analysis of CVE-2024-58136 was just published to AttackerKB, courtesy of Calum Hutton 🔥 Affecting the Yii framework, this analysis details the root cause and how it can be leveraged for RCE via a dirty file write to a log file: attackerkb.com/topics/U2Ddokj…

Alex (@xaitax):

Needed Reflective DLL Injection for Windows on ARM64 for a project, but public examples were nowhere to be found. So, here you go. My PoC adapts Stephen Fewer's classic, detailing TEB/PEB access via x18 for ARM64. Hopefully useful for red team ops & offensive security

RET2 Systems (@ret2systems):

What does it take to hack a Sonos Era 300 for Pwn2Own? Take a look at our process of adapting existing research, establishing a foothold, and exploiting media parsers for unauthenticated RCE over the network🔥👇 blog.ret2.io/2025/06/11/pwn…

Stephen Fewer (@stephenfewer):

Today Rapid7 disclosed two vulns affecting NetScaler Console and NetScaler SDX, found by Senior Security Researcher Calum Hutton! 🎉 Our blog details the authenticated arbitrary file read vuln (CVE-2025-4365), and the authenticated arbitrary file write vuln (Which the vendor has

Stephen Fewer (@stephenfewer):

Today Rapid7 is disclosing 8 new printer vulnerabilities affecting 742 models across 4 vendors. After 13 months of coordinated disclosure with Brother Industries, Ltd, we're detailing all issues including a critical auth bypass. Full details here: rapid7.com/blog/post/mult…

Stephen Fewer (@stephenfewer):

Our Metasploit Project auxiliary module for the new Brother auth bypass is available. The module will leak a serial number via HTTP/HTTPS/IPP (CVE-2024-51977), SNMP, or PJL, generate the device's default admin password (CVE-2024-51978) and then validate the creds: github.com/rapid7/metaspl…

exploits.club (@exploitsclub):

BEST day of the week 📰 EC 77 Out NOW! 🎉Binja Giveaway complete - check your email to see if you've won 🎉 Stephen Fewer hacks a printer Billy Ellis continues his CVE-2025-31200 video series Windows tricks from trickster0 + Jobs and MORE 👇 blog.exploits.club/exploits-club-…

watchTowr (@watchtowrcyber):

Happy Friday! We're ending the week by publishing our analysis of Fortinet's FortiWeb CVE-2025-25257.... labs.watchtowr.com/pre-auth-sql-i…

Khoa Dinh (@_l0gg):

Blog for ToolShell. Disclaimer: The content of this blog is provided for educational and informational purposes only. blog.viettelcybersecurity.com/sharepoint-too… #SharePoint #ToolShell

Boris Larin (@oct0xor):

Check out our analysis of the SharePoint ToolShell vulnerabilities: how the ITW exploit works, how it was patched, and why the initial patches could be easily bypassed securelist.com/toolshell-expl…

Trend Zero Day Initiative (@thezdi):

Announcing #Pwn2Own Ireland for 2025! We return to the Emerald Isle with our new partner Meta and a $1,000,000 WhatsApp bounty. Yes - one million dollars. Plus new USB attack vectors on phones and more. Check out the details at zerodayinitiative.com/blog/2025/7/30…

InfoSect (@infosectcbr):

New blog post: Exploiting the Synology TC500 at Pwn2Own Ireland 2024. We built a format string exploit for the TC500 smart cam. It didn’t get used, but it made for a fun case study. blog.infosectcbr.com.au/2025/08/01/exp…

Today In Infosec (@todayininfosec):

1998: Cult of the Dead Cow (cDc) debuted the program Back Orifice at DEF CON 6. The controversial remote system administration tool was written by Sir Dystic. Its successor, Back Orifice 2000 (BO2k) was released a year later at DEF CON 7.

jbx81 (@jbx81):

Metasploit Project opened a survey to collect feedback on what is preventing you from using Metasploit in certain contexts. Every input is super appreciated as it can help us prioritize new features (ex. making Meterpreter stealth again 😇) docs.google.com/forms/d/e/1FAI… #metasploit

chompie (@chompie1337):

I've been asked countless times how to learn VR & xdev. The answer is always: "do something you think is cool". It's hard to figure out what to do. Try the PhrackCTF which I've now open-sourced. It's not a contrived CTF - modeled after real vulnerabilities github.com/xforcered/Phra…