Michael Stepankin (@artsploit)'s Twitter Profile
Michael Stepankin

@artsploit

Security Researcher at @GHSecurityLab

ID: 2605427065

http://artsploit.blogspot.com/

05-07-2014 12:30:16

293 Tweets

6,6K Followers

571 Following

GitHub Security Lab (@ghsecuritylab)

If you're at #BHUSA, don't miss Michael Stepankin's presentation mTLS: When Certificate Authentication is Done Wrong at 2:30pm, to learn about some novel attacks on mTLS authentication blackhat.com/us-23/briefing…

Kev (@kevin_backhouse)

Video of my PoC for CVE-2023-43641: out-of-bounds array access in libcue. libcue is used by tracker-miners, which automatically scans new files in ~/Downloads, so the bug is triggered by downloading a file.

Man Yue Mo (@mmolgtm)

In this post I'll use CVE-2023-4069, a type confusion bug in the Maglev JIT compiler of Chrome that I reported in July, to gain RCE in the Chrome renderer sandbox: github.blog/2023-10-17-get…

shubs (@infosec_au)

The SSRF/auth bypass affecting Ivanti Pulse Connect Secure (CVE-2024-21893), is a great example of what can be achieved with a fully blind SSRF vulnerability (RCE). Read the Assetnote blog here which includes a reliable payload and generation steps: assetnote.io/resources/rese…

Man Yue Mo (@mmolgtm)

In this post I'll use CVE-2023-6241, a vulnerability in the Arm Mali GPU that I reported last November to gain arbitrary kernel code execution from an untrusted app on a Pixel 8 with MTE enabled. github.blog/2024-03-18-gai…

Charles Fol (@cfreal_)

The first part of the blog series: #Iconv, set the charset to RCE. We'll use #PHP filters and #CVE-2024-2961 to get a very stable code execution exploit from a file read primitive. #cnext

GitHub Security Lab (@ghsecuritylab)

🚨 New Blog Alert! 🚨 Can an attacker execute commands by sending JSON? Learn how unsafe deserialization vulnerabilities in Ruby can be exploited and how they can be detected with CodeQL. 🔗 Read the full post: github.blog/2024-06-20-exe… Stay safe and code responsibly! 🛡️💻

Source Incite (@sourceincite)

Time to retire some content! JNDI Injection Remote Code Execution via Path Manipulation in MemoryUserDatabaseFactory: srcincite.io/blog/2024/07/2…

Martin Doyhenard (@tincho_508)

So happy to have had the chance to present for the second time at #BlackHat USA! I’m already receiving a lot of messages from people using these techniques to get some nice bounties! If you want to learn more about cache exploitation, the research is available at portswigger.net/research/gotta…

Michael Stepankin (@artsploit)

Just submitted a CFP to Ekoparty | Hacking everything where I want to talk about breaking Maven repository managers. This is one of the craziest and most fruitful research projects I've done in my career.

watchTowr (@watchtowrcyber)

The industry is ablaze w speculation around yesterday's publicly disclosed Veeam Software Backup & Replication RCE vulnerabilities (CVE-2025-23120). We reported these vulnerabilities to Veeam in early February, tracked as WT-2025-0014 and WT-2025-0015. labs.watchtowr.com/by-executive-o…