t0

522 posts

@___t0___

Joined June 2018
184 Following · 228 Followers
t0 retweeted
Alexandre Borges @ale_sp_brazil
I am excited to release the extended version of the sixth article in the Exploiting Reversing Series (ERS). Titled "A Deep Dive Into Exploiting a Minifilter Driver (N-day)" this 293-page deep dive offers a comprehensive roadmap for vulnerability exploitation: exploitreversing.com/2026/02/11/exp…

Key updates in this extended edition:
[+] Dual Exploit Strategies: Two distinct exploit versions.
[+] Exploit ALPC Write Primitive Edition: elevation of privilege of a regular user to SYSTEM.
[+] Exploit Parent Process ID Spoofing Edition: elevation of privilege of an administrator to SYSTEM.
[+] Solid Reliability: A completely stable and working ALPC write primitive.
[+] Optimized Exploit Logic: Significant refinements to the codebase and technical execution for better stability and predictability.

For those who have read the original release, whose exploit was working, my strong recommendation is that you adopt this extended edition as definitive. The article guides you through the entire lifecycle of an exploit: from initial reverse engineering and vulnerability analysis to multiple PoC developments and full exploitation. I hope this serves as a definitive resource for your research. If you find it helpful, please feel free to share it or reach out with your feedback! Enjoy your reading and have an excellent day.
t0 retweeted
Synacktiv @Synacktiv
At #Pwn2Own Berlin 2025, a full exploit chain against VMware Workstation was demonstrated via a heap overflow in the PVSCSI controller. Despite Windows 11 LFH mitigations, advanced heap shaping and side-channel techniques enabled a reliable exploit. 🔍 Full technical write-up 👇 synacktiv.com/en/publication…
t0 retweeted
hypr @hyprdude
We're back, baby! This time with 19+ bugs I reported to MediaTek over the past year + PoCs for each one! I'll also tell you a *fun* story about MediaTek's "creative" impact assessment process. They earned a spot on the naughty list this year :) Check it ⬇️
t0 retweeted
codewhisperer84 @codewhisperer84
Check out Titanis, my new C#-based protocol library! It features implementations of SMB and various Windows RPC protocols along with Kerberos and NTLM. github.com/trustedsec/Tit…
t0 retweeted
Dirk-jan @_dirkjan
I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-glob…
t0 retweeted
Synacktiv @Synacktiv
Ever thought your kitchen appliance could harbor a persistent threat? We reverse-engineered the Thermomix TM5 and uncovered vulnerabilities allowing arbitrary code execution, persistence, and secure boot bypass. Discover our step-by-step breakdown! synacktiv.com/en/publication…
t0 retweeted
Dennis @ttdennis
Yesterday at #Troopers25, @twillnix and I published some of our research on Bluetooth headphones and earbuds. We found that there is a large number of Airoha-based headphones that can be fully compromised via Bluetooth. insinuator.net/2025/06/airoha…
t0 retweeted
Synacktiv @Synacktiv
Interested in vulnerabilities in video games? 🎮 @tomtombinary presented critical flaws in Neverwinter Nights Enhanced Edition at #Hexacon, which could allow attackers to take control of players' computers. 🛡️ Check out the full details of these bugs!👇 synacktiv.com/en/publication…
t0 retweeted
Synacktiv @Synacktiv
🚀 This week, @us3r777 & @__pierreg kick off our new Whitebox Vulnerability Research training! Students will dive into PHP, Java, and .NET, analyzing & exploiting 1-day vulnerabilities. Let’s get started! 💻🔍
t0 retweeted
Synacktiv @Synacktiv
In our latest article, @croco_byte and @SScaum demonstrate a trick that allows making Windows SMB clients fall back to WebDav HTTP authentication, enhancing the NTLM and Kerberos relaying capabilities of multicast poisoning attacks! synacktiv.com/publications/t…
t0 retweeted
Synacktiv @Synacktiv
In our latest article, @l4x4 revisits the secretsdump implementation, offering an alternative that avoids reg save and eliminates writing files to disk, significantly reducing the likelihood of triggering security alerts. Read the details at synacktiv.com/publications/l….
t0 retweeted
Synacktiv @Synacktiv
We've just updated our training catalog to include the latest additions, including a brand new course on ransomware investigations! Find all the dates and details at synacktiv.com/en/offers/trai…
t0 retweeted
Synacktiv @Synacktiv
In our latest article, @croco_byte proposes an implementation of a trick discovered by James Forshaw in his research. Discover how to perform pre-authenticated Kerberos relay over HTTP with our Responder and krbrelayx pull requests! synacktiv.com/publications/a…
t0 retweeted
TrendAI Zero Day Initiative
Not surprising anyone, @Synacktiv succeeds again. This time, they exploited the Sony XAV-AX8500. They head off to the disclosure room (again) to tell us how they did it. #P2OAuto #Pwn2Own
t0 retweeted
TrendAI Zero Day Initiative
Confirmed! The @Synacktiv team used a single buffer overflow to exploit the Autel MaxiCharger. They were also able to demonstrate signals being transmitted via the Charging Connector for the add on. This work earns them $35,000 and 6 Master of Pwn points. #P2OAuto #Pwn2Own