Manu

Lenovo released all patches for the #Lenovo #Vantage #vulnerabilities, which we've reported earlier this year. Our blog now includes the full write‑ups for CVE-2025-13154, CVE-2026-1715, CVE-2026-1716, and CVE-2026-1717. 🔗 cyllective.com/blog/posts/len…

There are probably more vulns to be found, especially in the parts that I did not look at. Passing the torch to all the other researcherz.

First research in a while! Here's my brain dump on reverse-engineering and auditing Lenovo Vantage. In total, I found four (4) vulns. Check out the post and my custom tooling if you're interested. mkiesel.ch/posts/lenovo-v…

🚀 New blog post: How to Audit Plugin Ecosystems 🔧🔥 Our reusable 4‑step method helped us navigate 600+ Nextcloud/ownCloud plugins & find some vulns. cyllective.com/blog/posts/how… #CyberSecurity #AppSec #Nextcloud #ownCloud #infosec #pentest #SAST

Nobody asked for them, but here are my uBlock rules to slim down Twitter/X, Bluesky, and Mastodon. They disable fancy features and make it so that basically there are only the options to post and to view your "following" feed. No more distractions! gist.github.com/rtfmkiesel/1b7…

The #Insomnihack 2026 talks lineup are LIVE! Top-tier speakers. Real-world security research. Check out the full programme and register now 👇 ow.ly/KFuO50Y5ncy Seats are limited so don’t miss it! #Cybersecurity #Infosec #INSO2026 #CyberConferences

Confirmed! Cyrill Bannwart, Emanuele Barbeno, Yves Bieri, Lukasz D., and Urs Mueller of Compass Security (@compasssecurity) exploited one exposed dangerous method/function bug on the Alpine iLX-F511, winning Round 2 for $10,000 USD and 2 Master of Pwn points. #Pwn2Own #P2OAuto

We have a collision! Cyrill Bannwart, Emanuele Barbeno, Yves Bieri, Lukasz D., and Urs Mueller of Compass Security (@compasssecurity) earned $25,000 USD and 4 Master of Pwn points with the Charging Connector Protocol/Signal Manipulation add‑on against the Grizzl‑E Smart 40A, chaining an authentication bypass (CWE‑306) to remote code execution via CWE‑494. #Pwn2Own #P2OAuto

The final stage would not have been possible without John Ostrowski from @compasssecurity thanks for the Swiss infosec collaboration! 🫕🤝

🚨 New blog post! Read about CVE-2025-13154, a privilege-escalation vulnerability in a Lenovo Vantage add-in called SmartPerformance. cyllective.com/blog/posts/len… #windows #cve #infosec #pentest

🇨🇭With El Tony's new Mate Zero and Coop's New Prix Garantie Mate, matelab is now at 60 mate-based beverages 🧉 matelab.ch

@_nnxxrr_ yea that explains it, know the feeling here's an sql injection with AV local -.-

@rtfmkiesel hackerone analyst -> and accepted by elastic internal staff

got my first CVE CVE-2026-0543 cybersecuritynews.com/elastic-patche…

Next @The_Cyber_News, why do you call it "Arbitrary File Theft"? It's a LFI. Please use _somewhat_ industry standard terms. cybersecuritynews.com/elastic-patche…

Who @elastic rated #CVE-2026-0532? Were you drunk? > This requires an attacker to have authenticated access with privileges sufficient... Yet in the CVSS string privileges required == None This drops it from a 8.6 to a 6.8 if you consider "modify connectors" high privileges.

@IntCyberDigest Have you all drunk too much booze over the holiday? The patch/CVE came out ±5 days before the PoC. If your DB is publicly reachable and does not even have an IP filter (lol), you should have patched it by then. Fix your vuln feeds before blaming the PoC author.

‼️ Meet the guy almost everyone hates for releasing a PoC for a MongoDB unauthenticated memory leak exploit dubbed Mongobleed the day after Christmas. This is allegedly the vulnerability used to breach Ubisoft, which led to the R6 chaos.