Still interested in exploiting IPC memory corruptions on Apple devices? Try this one:
CVE-2024-27801, a UAF in the low-level implementation of NSXPC that has been present since the initial release of NSXPC (over a decade ago).
POC: github.com/wangtielei/POC…
A few months back we submitted two exploit chains to the first ever Pwn2Own Automotive competition.
We just released a blog post (part 1 of 2) detailing the bugs we abused to remotely exploit the Phoenix CHARX industrial EV charger and win $60,000 🔥🔥
blog.ret2.io/2024/07/17/pwn…
Turns out you can enumerate individual clients connected to Endpoint Security by looking at the I/O Registry's `IOService` plane under: `IOService:/IOResources/EndpointSecurityDriver`.
You can use: `ioreg -r -c EndpointSecurityExternalClient`
swiftly-detecting.notion.site/Listing-Connec…
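As an added example (not from the post above, and not Apple's tooling), here is a small Python parser over the text that `ioreg -r -c EndpointSecurityExternalClient` prints, so the connected clients can be listed per process instead of read by eye. The sample output embedded in the block is constructed for illustration; the `IOUserClientCreator` property is the one IOKit attaches to user-client objects as `"pid <n>, <process>"`, and the exact set of properties on a real system may differ. On a Mac the script runs `ioreg` itself; elsewhere it falls back to the constructed sample.

```python
import re
import subprocess
from dataclasses import dataclass, field

# Constructed sample of `ioreg -r -c EndpointSecurityExternalClient` output
# (illustrative only; property set and ids on a real system will differ).
SAMPLE_IOREG = """\
+-o EndpointSecurityExternalClient  <class EndpointSecurityExternalClient, id 0x100000a1b, registered, matched, active, busy 0 (0 ms), retain 6>
    {
      "IOUserClientCreator" = "pid 412, com.example.edr"
      "IOUserClientDefaultLocking" = Yes
    }
+-o EndpointSecurityExternalClient  <class EndpointSecurityExternalClient, id 0x100000a2c, registered, matched, active, busy 0 (0 ms), retain 6>
    {
      "IOUserClientCreator" = "pid 903, santad"
    }
"""

# Node header line; the leading tree decoration (`|`, spaces) varies with depth.
NODE_RE = re.compile(
    r'^[\s|]*\+-o\s+(?P<name>\S+)\s+<class (?P<cls>[^,>]+), id (?P<id>0x[0-9a-fA-F]+)'
)
# Property line inside the `{ ... }` block: "Key" = value
PROP_RE = re.compile(r'^[\s|]*"(?P<key>[^"]+)"\s*=\s*(?P<val>.+?)\s*$')
# IOKit sets IOUserClientCreator to "pid <n>, <process name>" on user clients.
CREATOR_RE = re.compile(r'^pid (?P<pid>\d+), (?P<proc>.+)$')


@dataclass
class ESClient:
    name: str
    cls: str
    entry_id: int
    props: dict = field(default_factory=dict)

    @property
    def creator(self):
        """(pid, process) parsed from IOUserClientCreator, or None if absent."""
        m = CREATOR_RE.match(self.props.get("IOUserClientCreator", ""))
        return (int(m["pid"]), m["proc"]) if m else None


def parse_ioreg_clients(text, wanted_class="EndpointSecurityExternalClient"):
    """Return the registry entries of `wanted_class` with their properties."""
    clients = []
    current = None
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if m:
            current = ESClient(m["name"], m["cls"], int(m["id"], 16))
            if m["cls"] == wanted_class:
                clients.append(current)
            else:
                current = None  # some other node: ignore its property block
            continue
        p = PROP_RE.match(line)
        if p and current is not None:
            current.props[p["key"]] = p["val"].strip('"')
    return clients


def list_es_clients(text):
    """Flatten to (pid, process, registry id) for reporting."""
    return [(*(c.creator or (None, "?")), c.entry_id) for c in parse_ioreg_clients(text)]


if __name__ == "__main__":
    try:
        out = subprocess.run(["ioreg", "-r", "-c", "EndpointSecurityExternalClient"],
                             capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        out = SAMPLE_IOREG  # not on macOS: use the constructed sample
    for pid, proc, entry_id in list_es_clients(out):
        print(f"pid={pid:<6} process={proc:<24} id=0x{entry_id:x}")
```

The parser keys on the `<class …, id …>` header rather than on indentation, so it also copes with `ioreg` output where the matched nodes sit deeper in the tree.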
v-v.space/2024/08/19/CVE…
Check out my blog post analyzing the Windows Secure Channel RCE, though MSRC considered it a DoS. By the way, I'm not the finder; sharing it for study.
New writeup:
CVE-2025-24104 – Apple’s bug allowed arbitrary file reads outside the sandbox.
While iOS 18.3 added a mitigation, it doesn’t fully fix the issue. I even bypassed it since my recommended fix wasn’t followed.
Read more 👉 github.com/ifpdz/CVE-2025…
#AppleSecurity
ICYMI, #Pwn2Own will have an AI category this year! Looks like our team has already pwned 2 of these targets👀
Ollama CVE-2024-37032: wiz.io/blog/probllama…
NVIDIA Container Toolkit CVE-2024-0132: wiz.io/blog/nvidia-ai…
Maybe we should look at the rest of the targets too😎
New code, new bug:
1. A new DFG node, `NewRegExpUntyped`, was added to improve `new RegExp(...)` optimizations with better type info.
github.com/WebKit/WebKit/…
2. But incorrect side-effect modeling (a missing `clobberWorld`) led to a quick fix just 2 days later.
We dissect a DFG compiler bug we discovered in Safari/WebKit. This post covers root cause, impact, and technical analysis:
blog.exodusintel.com/2025/08/04/oop…
#WebKit #VulnerabilityResearch #ExploitDev #Safari #CyberSecurity #ExodusIntel
After wrestling with a mess of decompiled pseudocode, we wrote a short analysis of CVE-2025-43300. In a twist of irony, we also show how we stumbled on another DNG parsing bug that was supposed to be fixed a few months ago.
github.com/DarkNavySecuri…
It's been just over a year since CVE-2024-54529 was patched. To celebrate, I'm open-sourcing my full PoC exploit for this CoreAudio type confusion vulnerability 🔊
The code is right here! Enjoy: github.com/googleprojectz…
Crazy…Apple is now using my SSA graph viewer tool for JSC.
I’m baffled that this works so well for other compilers besides SpiderMonkey. I guess “good compiler graphs” was lower-hanging fruit than I thought.
github.com/WebKit/WebKit/…