Jack Halon

To wrap up 2022, I'm releasing the final part of my 3-part browser exploitation series on Chrome! In this post, we demonstrate the practical use of the concepts we've learned throughout the series by analyzing and exploiting CVE-2018-17463. Enjoy! jhalon.github.io/chrome-browser…

🫡 We’re back. Today, we’re publishing vulnerabilities we discovered, disclosed, and chained to achieve pre-auth RCE against Progress ShareFile. Enjoy the journey with us, while you sob into your hands 🫠 labs.watchtowr.com/youre-not-supp…

while we’re eating our best writing crayons and using finger paint to finish our latest research, we’ve decided to take this opportunity to share research from the archives with new followers 🙂 happy Friday… for now 🥹 labs.watchtowr.com/we-spent-20-to… (Yes this is not new don’t @ us)

What's new is old, and what's old is new - as is relentlessly proven. Join us in our analysis of CVE-2026-32746, the recent pre-auth RCE in inteutils' Telnetd Speak soon. labs.watchtowr.com/a-32-year-old-…

In 2025, we achieved pre-auth RCE against another solution in a ransomware gang favourite category. Today, we finally click publish. Join us as we walk through a chain of vulnerabilities we identified in BMC’s FootPrints ITSM solution. Enjoy! labs.watchtowr.com/thanks-itsms-t…

We promised we'd be back! Join us on our journey, from repro'ing N-days to stumbling into 0-days in SolarWinds Web Help Desk, eventually achieving pre-auth RCE. This research fuels the watchTowr Platform, our Preemptive Exposure Management technology. labs.watchtowr.com/buy-a-help-des…

We just published our @rapid7 analysis of CVE-2026-1731, a critical command injection affecting BeyondTrust Privileged Remote Access (PRA) & Remote Support (RS). Unauthenticated RCE, with a root cause due to Bash arithmetic evaluation. Analysis/PoC here: attackerkb.com/topics/jNMBccs…

We’re releasing our analysis of ring-1.io, a major game cheat targeted by multiple studios in recent legal actions. We partially deobfuscated several Themida-protected components and document how it hijacks Hyper-V to inject and manipulate game code. back.engineering/blog/04/02/202… github.com/backengineerin…

I wrote a post on creating "scalable research tooling for agent systems" and I'm also releasing the companion MCP server which lets you do autonomous Frida instrumentation on Android. Details in thread 👇📲🪝

A small rant: The State of Art in Red Team is whatever you want to believe x-c3ll.github.io/posts/Rant-Red…

Someone knows Bash disgustingly well, and we love it. Here's our analysis of the Ivanti EPMM Pre-Auth RCE vulnerabilities - CVE-2026-1281 & CVE-2026-1340. This research fuels our technology, enabling our clients to accurately determine their exposure. labs.watchtowr.com/someone-knows-…

Early last year @rad9800 shared an idea he'd discussed with @jonasLyk about how to stealthily write to the registry without using the traditional registry APIs EDR watches. The time has come to open source the tool. Hope this helps someone hit their goal! praetorian.com/blog/corruptin…

Earlier this month, we reported a zero-day auth. bypass in the SmarterTools SmarterMail email solution. Someone has reversed the patch (released on 15th Jan) and begun exploiting it in the wild. Read our analysis and please, ASSUME BREACH + PATCH NOW. labs.watchtowr.com/attackers-with…

Blog post: On the Coming Industrialisation of Exploit Generation with LLMs sean.heelan.io/2026/01/18/on-… TL;DR: I ran an experiment with GPT-5.2 and Opus 4.5 based agents to generate exploits for a zeroday QuickJS bug. They're pretty good at it. Code: github.com/SeanHeelan/ana…

Today, Project Zero released a 0-click exploit chain for the Pixel 9. While it targets the Pixel, the 0-click bug and exploit techniques we used apply to most other Android devices. projectzero.google/2026/01/pixel-…

And, we're back - analyzing CVE-2025-52691, a pre-auth RCE in SmarterTools SmarterMail mail server solution. Speak soon (:^)) and enjoy.. labs.watchtowr.com/do-smart-peopl…

@HackingLZ The only offsec people who write off TTPs as dead are the ones that don't actually know what they're doing or how EDR works 🤷🏻‍♂️

Offsec has this fun love affair with writing techniques off as dead because they popped up in some intel report, and don’t want to spend time necromancing things when often times the EDR signatures are highly specific.

A fun little Friday night project porting @AndrewOliveau C# SessionHop code to a BOF. Built off of @tiraniddo session moniker research & @CICADA8Research original IHxHelpPaneServer blog. Enjoy! github.com/jhalon/cSessio…

Today, we’re releasing watchTowr Labs’ @chudyPB’s BlackHat .NET research, owning Barracuda, Ivanti and more solutions. Enjoy the read as Piotr explains a new .NET Framework primitive, used to achieve pre- and post-auth RCE on numerous enterprise appliances. labs.watchtowr.com/soapwn-pwning-…

krebsonsecurity.com/2025/11/meet-r… dear fucking lord. This is absolutely wild

Over the last 12 months, watchTowr Labs uncovered thousands of leaked credentials: cloud keys, AD creds, API tokens, even KYC data - already being abused. Join us on our journey into “innocent” developer tools. labs.watchtowr.com/stop-putting-y…