Rich Warren

1.6K posts


@buffaloverflow

Red Team & Offensive Security Research @AmberWolfSec // @buffaloverflow.rw.md on bsky

Joined May 2011
669 Following, 10.6K Followers
Rich Warren @buffaloverflow
@HaifeiLi Looked at the GH repo and confirmed it's BS. Doesn't contain any of the prototype pollution gadgets, just some semi-convincing garbage.
Haifei Li @HaifeiLi
There's an article (https://nefariousplan[.]com/posts/adobe-acrobat-cve-2026-34621-pdf-weaponizer/), as well as a script (https://github[.]com/NULL200OK/cve_2026_34621_advanced), claiming a "pop calc" style PoC for the Adobe Reader CVE-2026-34621 0day vulnerability. It looks legitimate, so I just did a quick test. But it didn't go/reproduce like they claimed.. Can someone confirm? Is this stuff AI-generated and did I get AI-slopped? Like, wtf?
Rich Warren @buffaloverflow
NSIS 3.12 has been released, which fixes a potential privilege escalation issue: nsis.sourceforge.io/Docs/AppendixF…#v3.12 If you read our recent blog post related to NSIS then maybe this might be useful
Quoted post, Rich Warren @buffaloverflow:

Next, Next, SYSTEM: Exploiting NSIS installer bugs to escalate privileges in Zscaler Client Connector. In this blog post I show how patch gaps in Zscaler's bundled NSIS versions led to LPE. Includes PoCs and a YARA rule to help you find other affected s/w: blog.amberwolf.com/blog/2026/apri…

Rich Warren reposted
AmberWolf @AmberWolfSec
"You need to be admin to run the installer anyway." A common pushback that misses an entire class of attack. New research from @buffaloverflow on exploiting NSIS installer bugs to escalate from a standard user to SYSTEM in Zscaler Client Connector.
Rich Warren @buffaloverflow
and a message to vendors:
[attached image]
Rich Warren @buffaloverflow
Next, Next, SYSTEM: Exploiting NSIS installer bugs to escalate privileges in Zscaler Client Connector. In this blog post I show how patch gaps in Zscaler's bundled NSIS versions led to LPE. Includes PoCs and a YARA rule to help you find other affected s/w: blog.amberwolf.com/blog/2026/apri…
Rich Warren @buffaloverflow
Here's my writeup for the latest Netskope LPE. This was a fun bypass of CVE-2025-0309, and highlights an interesting cloud-based attack surface :) blog.amberwolf.com/blog/2026/marc…
Quoted post, Rich Warren @buffaloverflow:

Finishing off the week with a writeup of CVE-2025-0309 - Netskope Windows Client LPE This was one of the bugs we demo’d in our DEF CON #ZeroTrustTotalBust talk. Also releasing a NachoVPN plugin and our 🆙skope PoC. Details on the @AmberWolfSec blog: blog.amberwolf.com/blog/2025/augu…

Haifei Li @HaifeiLi
A quick update for hunting the CVE-2026-21509 0day sample.. Weird (and good) stuff! - my EXPMON system has an existing Indicator Logic specifically detecting the "shellexplorer" (the same {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}; "shellexplorer" is the ProgID name) OLE/COM/ActiveX object, which is the key to look for a potential CVE-2026-21509 0day! And I have forgotten why I wrote that detection logic in the first place, really..😅 But anyway, if you spot a sample which was detected with such an Indicator on @EXPMON_, then it could be a very good candidate! See this example pub.expmon.com/analysis/31153…; the Indicator's name is "activex compatibility shellexplorer registry key accessed". Please note that even if the sample is not detected ("Undetected"), as long as it's detected with such an Indicator, it could still be the 0day. You then test in an unpatched env to see what's going on. Please note that you should not connect your testing VM to the Internet, because once you connect to the Internet Office will get patched automatically with some server-side configuration which is already deployed, according to Microsoft's advisory. Or, you can let me know your submission; I have a VM ready for testing. Happy hunting! :)
[attached image]
Haifei Li @HaifeiLi
With the CLSID "{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}" disclosed, I think it's not very hard to create the sample myself, or someone want to save me time by sending me one? I want to test the @EXPMON_ system.:)
Rich Warren @buffaloverflow
@mkolsek @HaifeiLi @EXPMON_ @yorickkoster this trick still works on Word 2019 (10417.20080). No idea if it's actually the security feature bypass they patched, but this does actually work in preview pane.. so ..🤷‍♂️
Rich Warren @buffaloverflow
@_xpn_ 💯 I felt the same when I saw it earlier. It’s sad to see the monetisation of outrage seep through into the infosec TL, but good to call out this shitty behaviour
Adam Chester 🏴‍☠️
@buffaloverflow Winds me up, and I know I’m doing worse by retweeting, but hopefully calling out this BS first time stops any others from thinking it’s a good idea :/
Rich Warren reposted
Ollie Whitehouse @ollieatnowhere
Zero Trust is not a product, it is an approach - at the @NCSC we have just released Demystifying Zero Trust, which addresses common misconceptions and provides practical advice on when and how it should be adopted. ncsc.gov.uk/collection/zer…
Rich Warren @buffaloverflow
@cyb3rops Probably an EULA violation so you shouldn't do it, but as a point of interest MS ship a big list of "FriendlyFile" hashes in Defender's VDM db: github.com/commial/experi…#threat_begin--threat_end
Florian Roth ⚡️ @cyb3rops
1 TB of diverse malware - trivial. 1 TB of truly diverse goodware - now that’s the challenge.
Rich Warren @buffaloverflow
@irsdl Haha thanks 😆 Unfortunately readme\.md was taken but I like your interpretation!
Rich Warren @buffaloverflow
I made a website that lets you generate VBA macro docs in your browser (using rust+wasm!): vba.rw.md ^just for fun, inb4 "motw kills macros" etc. 😅