Principal Vulnerability Researcher at watchTowr | Previously: Zero Day Initiative | @chudypb
And domain-level RCE in Veeam B&R fixed today (CVE-2025-23121). My first (and hopefully not last) CVE, where I'm credited together with @codewhitesec 😎
My Sitecore CMS pre-auth RCE chain blog is public now. Enjoy 🫡
https://labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform
Certipy 5 (@ly4k_), MobileIron pwnage (@chudypb), new CRTO pricing (@_ZeroPointSec), Volatility 3 parity (@volatility), and more!
https://blog.badsectorlabs.com/last-week-in-security-lwis-2025-05-19.html
I did my first 1daying ride with my friend Sonny. Enjoy 🫡
Ivanti EPMM: CVE-2025-4427 and CVE-2025-4428 pre-auth RCE chain.
https://labs.watchtowr.com/expression-payloads-meet-mayhem-cve-2025-4427-and-cve-2025-4428/?123
@swapgs That's a tough question, but I think LLMs?
Got inspired by RE with LLMs stuff. It's very cool, but feels risky. RE requires a lot of precision and you are not able to evaluate AI precision when asking to RE e.g. entire binary.
Now, imagine that you are working on this reversed code and you are not finding bugs, because the code was improperly reversed. Looks like a very possible scenario.
This is only an example, but I'm in general having a lot of trust issues here 😅
Some serious question about a large-scale usage of AI in Vuln Research.
Aren't you afraid of missing some key details by outsourcing huge tasks to AI? I am.
If you rely on a tool, you're as good as your tool. If AI screws up in a huge project, you probably won't even notice that.
Next.js auth bypass (@zhero___ + @inzo____), ServiceNow for red teamers (@__invictus_), Veeam RCE - again! (@chudypb), ArgFuscator (@wietze), and more!
https://blog.badsectorlabs.com/last-week-in-security-lwis-2025-03-24.html
It seems that our Veeam CVE-2025-23120 post is live.
I would never do this research without @SinSinology. He insisted a lot, thx man. 😅
If you know CVE-2024-40711, this vuln can be patch-diffed and exploit armed in 5 minutes. Unfortunately, it's super simple at this point.
My first watchTowr post is out! It was my first take on a CMS solution and I was able to get some interesting pre-auth RCE chains on Kentico Xperience. 😎
"In today's post, we dive into Kentico's Xperience CMS - highlighting multiple Authentication Bypass vulns chained with a post-auth RCE..."
Great news: I got invited to Microsoft Zero Day Quest onsite event.
Bad news: It overlaps with my kid's estimated due date 😅
Happy hacking to all of you who are planning to go to Redmond 😎
@swapgs That's terrible. Are there any alternatives now? Maybe we should all become CNA? 🤣
How long does it take for MITRE to reserve a CVE now?
I haven't done that for several years, and it seems that the wait time is much bigger nowadays 🤔
I had a blast during my first month at watchTowr :)
I'm happy to be on the Top Ten (New) Web Hacking Techniques of 2024 nominations list second year in a row!
This time, it's with "Half Measures and Full Compromise: Exploiting Microsoft Exchange PowerShell Remoting" research and some nice RCE chains on Exchange :)
chudypb.github.io/exchange-powershell.html
Voting is now live for the Top Ten (New) Web Hacking Techniques of 2024! Cast your vote here: https://portswigger.net/polls/top-10-web-hacking-techniques-2024
I'm happy to announce that I have recently joined watchTowr as a Principal Vulnerability Researcher. The break is over, it's time to do some new research 🫡
Does anyone use a 34" 21:9 screen?
Does it work for a setup with a VM on one half of the screen and browser/IDE on the other half? 🤔
After amazing (almost) 3 years, this is my last day at @thezdi. Huge thanks to the entire team, it was an honour to work with you folks!
New challenges and adventures are starting in 2025 :)
PS. Watch out for the ZDI blog, as several of my posts should appear there in 2025.