Hazard Researchers

DevOps City Your DevOps infrastructure is a city. Everything runs smooth until an incident hits. You're the mayor. Find what broke, fix it. This round: CI/CD pipeline security. #scenario=devops-pipeline" target="_blank" rel="nofollow noopener">hadess.io/games/devops-c… #game #devops #cicd #devsecops

The 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗔𝗻𝗮𝗹𝘆𝘀𝘁 career path requires more than 30 technical skills and more than 5 soft skills. Launch Your Tech Career Today → career.hadess.io #cybersecurity #infosec #securityanalyst #job #SOC #threatdetection #cybersecuritycareers

Hacking Renesas chips for cars: three glitching resources to boost your success. 🚙⚡🫨🔬👨🏻‍💻 More details on: LinkedIn: linkedin.com/posts/dlaskov_… Substack: it4sec.substack.com/p/hacking-rene…

⚡ Potentially Critical RCE Vulnerability in OpenSSL - CVE-2025-15467 ⚡ The JFrog Security Research team is tracking a newly disclosed OpenSSL stack overflow vulnerability rated as High by OpenSSL, that may lead to remote code execution (RCE). This vulnerability was patched with other 11 moderate and low severity vulnerabilities. The stack overflow can be triggered by sending a crafted CMS AuthEnvelopedData message with malicious AEAD parameters. While no official CVSS score has been assigned yet, based on its characteristics, we assess it may be rated at least High or even Critical by NVD. Our team reproduced the issue by invoking the CMS_decrypt API directly, confirming that OpenSSL applications parsing untrusted CMS data via this API are vulnerable. Exploitation is also possible when using the `openssl cms` CLI to decrypt untrusted input. A contextual analysis scanner for this CVE is now available for JFrog Advanced Security customers:

[453094710][reward: $250000] Out-of-bound read in the jmp table of ActiveMediaSessionController leads to sandbox escape. crbug.com/453094710

We (@akamai_research) have seen more than 500K of these attack patterns in the past week with the most popular payload being:

Hypervisors for Memory Introspection and Reverse Engineering by @memn0ps secret.club/2025/06/02/hyp…

🔀 Reversing for dummies - x86 assembly and C code (Beginner/ADHD friendly) Blog: 0x44.cc/reversing/2021… #infosec

@codewhitesec Cool 😛 🔥

Ever wondered how Kurts Maultaschenfabrikle got hacked in 2023? The full story, all technical details, out now ;-) apply-if-you-can.com/walkthrough/20…

@mqst_ 🤠

➰ Exploit Development: Fuzzing with AFL++ to Find Zero-Day Vulnerabilities Blog: hackers-arise.com/post/exploit-d… #infosec

I wrote a C2 agent in pure PIC C (minus one constexpr). I'd love to hear any suggestions on how to handle memory management better or reduce the output size. Cheers! github.com/MythicAgents/H…

Our talk at #BHEU is done! Hope you all enjoyed it. 😉 A detailed blog is on the way, but in the meantime, check out the pre-alpha website worst.fit for early access and the slides! Huge thanks to @BlackHatEvents and my awesome co-presenter @_splitline_! 🐈‍

CVE-2024-23780 CVE-2024-23780 Exploit for Netbox This script exploits CVE-2024-23780, which allows remote code execution (RCE) on Netbox instances. Usage python netbox_exploit.py --url --username --password vulmon.com/vulnerabilityd…

Unveiling CVE-2024-23780: Explore the Impact and Implications on NetBox's Security Landscape. hazardlab.io/netbox-cve-202… POC: github.com/HazardLab-IO/C… Fofa: en.fofa.info/result?qbase64… #netbox #security #network #devops #infrastructure #cve #exploit

#CVE-2023-50438 Manageengine AdAudit Plus #RCE

Hazard Lab delves into the intricate vulnerabilities of ManageEngine ADAudit Plus with their comprehensive exploration of CVE-2023-50438. hazardlab.io/manageengine-a… #adaudit #manageengine #activedirectory #cve #vulnerability #asm