Ruben Labs (@RubenLabs)
Security Researcher
19 posts
Joined February 2025
30 Following · 237 Followers

Ruben Labs @RubenLabs:
New XSS2RCE in Azure Windows Admin Center! I am happy to share our latest findings, CVE-2026-32196, a critical unauthenticated vulnerability allowing one-click remote code execution. An attacker can craft a malicious legitimate gateway URL that, when visited by a privileged Azure admin, triggers a response-based XSS in WAC’s error handling. This results in JavaScript execution under the WAC origin, which translates to arbitrary PowerShell execution on every managed server the victim has access to (no credentials required). On on-premises deployments, the same chain allows theft of Azure access and refresh tokens from local storage, enabling full tenant impersonation and lateral movement into EntraID and Azure. Full blog: cymulate.com/blog/cve-2026-…

Ruben Labs @RubenLabs:
That is exactly the Microsoft @msftsecresponse silent patch, which isn’t enough, and without a proper CVE. Instead of a single “open photos” prompt they added another one asking if the server is trusted. I am now working on reporting to @googlechrome @firefox and @brave to understand what steps they will take to patch it, since when a browser allows such behaviours it exposes users to CWE-939 (Improper Authorization in Handler for Custom URL Scheme) and CWE-668 (exposure of resources to the wrong sphere) vulnerabilities. I will write a new blog post to publish their response.

☁️ @OneCloudEmoji:
@RubenLabs @HackingLZ I have been able to get this to work if I make an explicit connection to the SMB server prior to opening the web page redirect. Once a successful prior connection has been established it works as shown in the repo, but I have not been able to get it working as a one-shot.

Ruben Labs @RubenLabs:
I found a new one-click NTLM leakage vulnerability / technique from a browser. A web server can redirect a client to a ms-photos URI handler followed by a fileName parameter. If the parameter value is a UNC path instead of a local path, photos.exe will leak the client’s NTLMv2-SSP hash, enabling relay attacks or offline cracking. Leaking hashes from URI handlers is not new, but combined with a browser redirection, it allows moving from website infection to capturing NTLMv2-SSP hashes (supply chain attack). No LLMNR is required, and except if the firewall blocks outbound SMB queries, the hash will leak to public facing SMB servers. The vulnerability can be combined in a supply-chain attack, by infecting public facing applications. MSRC will not release a patch for this issue. Find more details with a POC here: github.com/rubenformation…
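The post above names the one mitigation that stops the hash from reaching a public SMB server: a firewall that blocks outbound SMB. The following is an added example, not code from the post or from the author's repository, that audits a Windows host for such a rule and creates one if it is missing. It relies on the Windows Defender Firewall "Internet" address-set keyword (the complement of local and intranet ranges); the rule name is an assumed value, and it must be run from an elevated PowerShell session.

```powershell
# Added example (not from the post): audit and enforce an outbound SMB block
# towards Internet addresses so a UNC path to a public SMB server cannot
# complete NTLM authentication. Rule name below is an assumed value.
$RuleName = 'Block outbound SMB to Internet'

function Test-OutboundSmbBlock {
    # Returns $true when an enabled outbound Block rule already covers
    # TCP/445 towards the "Internet" address set.
    $rules = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue
    foreach ($r in $rules) {
        $port = $r | Get-NetFirewallPortFilter
        $addr = $r | Get-NetFirewallAddressFilter
        if ($port.Protocol -eq 'TCP' -and
            ($port.RemotePort -contains '445') -and
            ($addr.RemoteAddress -contains 'Internet')) {
            return $true
        }
    }
    return $false
}

if (Test-OutboundSmbBlock) {
    Write-Host 'An outbound SMB block towards Internet addresses is already in place.'
} else {
    # Block SMB (445) and the legacy NetBIOS session port (139) on every profile.
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Outbound -Protocol TCP -RemotePort 445,139 `
        -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    Write-Host "Created rule '$RuleName'."
}

# Optional: list the rule that was found or created, for change records.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Enabled, Direction, Action, Profile
```

This rule only addresses the public-server case the post describes; an attacker-controlled host on the same subnet or elsewhere in the intranet is still reachable on 445, so pair it with SMB signing and NTLM restrictions for internal traffic. A corresponding rule in a perimeter firewall covers hosts whose local firewall is not managed.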

Ruben Labs @RubenLabs:
@BriPwn Excellent video explaining the vulnerability! Nice work!

Ruben Labs @RubenLabs:
Is Web3 the new C2? Read my blog about EtherHiding, an emerging method that abuses public blockchains as malware infrastructures by embedding payloads into smart contracts. It provides attackers with decentralized payloads evading takedown & defense. cymulate.com/blog/simulatin…

Ruben Labs @RubenLabs:
@pfiatde You are welcome! I’ll try it soon on a VPS and post an update here. I think that it’ll work anyway.

pfiatde @pfiatde:
@RubenLabs Thanks for the reference to the blogpost on the github! Nice finding. Did you try this outside the private network? The behavior might differ here.

Ruben Labs @RubenLabs:
@davidnaliay Thank you! Interesting try, but it contradicts the term “local link” in LLMNR. The RFC 4695 itself (see 2.6/b) says: “If an IPv4 address is returned, it MUST be reachable through the link over which LLMNR is used.”

Ruben Labs @RubenLabs:
On intranet also, Microsoft Word remote templates containing macros are blocked by MOTW. I found a way to bypass it using LLMNR poisoning. Not my greatest finding but useful for phishing assessment. MSRC didn’t recognise it. Details and POC: github.com/rubenformation…

Ruben Labs @RubenLabs:
Microsoft patch for our last report - CVE-2025-50154 completely failed and the vulnerability remained unfixed. Thanks to @0patch for the quick finding and report! We reported this serious oversight, now tracked as CVE-2025-59214. Full details: cymulate.com/blog/ntlm-leak…

Ruben Labs @RubenLabs:
@lapinousexy Yeah, but they thought they fixed it with CVE-2025-24054, but in fact they didn’t! That’s exactly why I reported it. Thank you for the precision!

lapinousexy @lapinousexy:
@RubenLabs Ok I see thanks, that's wild from MS to fix something that existed for so long (CVE-2025-24054), I guess it's better late than never

Ruben Labs @RubenLabs:
Find the POC for my new finding, CVE-2025-50154, a zero-day vulnerability in Windows File Explorer disclosing NTLMv2-SSP without user interaction. It is a bypass for the CVE-2025-24054 security patch. github.com/rubenformation…

Ruben Labs @RubenLabs:
@lapinousexy Yes it is precisely! With CVE-2025-24054 patch, I thought that what you sent shouldn’t work anymore. But in fact it does. The reason is that the patch of Microsoft didn’t focus on target path value but on icon path value, blocking only there UNC paths.

lapinousexy @lapinousexy:
@RubenLabs Hey, nice article, I was wondering if the CVE-2025-24054 is similar to the LNK technique mentioned here: thehacker.recipes/ad/movement/mi…#shortcut-files-scf-lnk-url

Ruben Labs @RubenLabs:
You didn’t click, but your password challenge is leaked. I’m excited to share my latest research: CVE-2025-50154, a high severity NTLM hash disclosure vulnerability in the explorer.exe process, exploitable without any user interaction. cymulate.com/blog/zero-clic…

Ruben Labs @RubenLabs:
@fortraofficial impacket-atexec script can be updated to run commands and overflow the whole content of the 4698 "task created" log, making command and arguments logs unwritable. Also, logs and task metadata poisoning work remotely using the same method!

Ruben Labs @RubenLabs:
Happy to share my newly discovered vulnerabilities on Microsoft Windows!
- Credentials based UAC bypass, allowing to bypass the highest level
- Task Metadata Poisoning
- Task Event Log Buffer Overflow
- Unprivileged Security Logs Saturation
cymulate.com/blog/task-sche…

Ruben Labs reposted:

The Hacker News @TheHackersNews:
🔥 One task away from total takeover? 4 local privilege escalation flaws found in schtasks.exe—a core part of Windows Task Scheduler. Attackers can:
• Bypass UAC
• Run SYSTEM-level commands
• Erase security logs
• Impersonate admins using known passwords.
Fix not yet available. 🔗 Full story → thehackernews.com/2025/04/expert…