I'm getting confused keeping count of them, but we're almost at the double-digit mark! 😅
From: @codewhitesec
https://infosec.exchange/@codewhitesec/114241026482611250
Principal Security Researcher and Pâtissier at @codewhitesec
Our crew members @mwulftange & @frycos discovered & responsibly disclosed several new RCE gadgets that bypass #Veeam's blacklist for CVE-2024-40711 & CVE-2025-23120 as well as further entry points following @SinSinology & @chudypb's blog. Don't blacklist - replace BinaryFormatter.
Ever wondered how Kurts Maultaschenfabrikle got hacked in 2023? The full story, all technical details, out now ;-) https://apply-if-you-can.com/walkthrough/2023/
Using Telerik Reporting or Report Server? Patch now to fix 3 RCEs @mwulftange found (CVE-2024-8015, CVE-2024-8014, CVE-2024-8048). Telerik vulns have a history of being exploited by threat actors according to #CISA. Details at https://code-white.com/public-vulnerability-list/
BeanBeat has been acquired by Kurts Maultaschenfabrikle! You don't know what that means? Head over to https://apply-if-you-can.com to find out in challenges that, without exception, stem from real-world vulns #uncompromisingRealism #finestHacking
Teaching the Old .NET Remoting New Exploitation Tricks – read how @mwulftange developed novel techniques to exploit Apache log4net's hardened .NET Remoting service: https://code-white.com/blog/teaching-the-old-net-remoting-new-exploitation-tricks/
Another product, another deserialization vulnerability, another RCE from @mwulftange: Patch your Telerik Report Server (CVE-2024-6327 & CVE-2024-6096) https://code-white.com/public-vulnerability-list/#unknowntyperesolver-insecure-type-resolution-in-report-server
Today, CODE WHITE turns 10 🥳 Over the past decade, we've hacked our way through 120+ large corporations' defenses, caused headaches for Blue Teams, and disclosed numerous 0days to vendors. From a few motivated hackers in 2014 to an established team of 50+ today, we continuously safeguard enterprise clients with our Security Intelligence Service and are proud to make a difference 💪 #FinestHacking #PWNage
Our second blog post about ASP.NET TemplateParser exploitation is live: @mwulftange unveils how a novel bypass technique can be applied to get RCE in SharePoint Online & On-Premise (CVE-2023-33160)
https://code-white.com/blog/exploiting-asp.net-templateparser-part-2/
It appears Microsoft messed up again and forgot to publish this back in January 2024's Patch Tuesday:
"This CVE was addressed by updates that were released in January 2024, but the CVE was inadvertently omitted from the January 2024 Security Updates."
"@mwulftange of @codewhitesec publicly disclosed the vulnerability details of "Leaking ObjRefs to Exploit HTTP .NET Remoting" on 27 February 2024: 🔗 https://code-white.com/blog/leaking-objrefs-to-exploit-http-dotnet-remoting/
This concludes the case. No CVE was assigned, nor was there any acknowledgment."
Well @mwulftange, CVE-2024-29059 was assigned and you were given credit. 👍
The same Proof of Concept was also provided at GitHub: https://github.com/codewhitesec/HttpRemotingObjRefLeak
Still interested in leaking & exploiting ObjRefs in .NET Remoting? Have fun with our test bench, example p(l)ayloads and exploit script over at https://github.com/codewhitesec/HttpRemotingObjRefLeak
The specter of .NET Remoting haunts unsuspecting ASP.NET applications even today, whispering valid ObjRefs to those who dare listen. Dive into our latest post to see how these apparitions can lead to remote code execution: https://code-white.com/blog/leaking-objrefs-to-exploit-http-dotnet-remoting/
We are nominated again for @PortSwigger's "Top 10 Web Hacking Techniques" and we're even in with two entries for 2023:
➡️ Java Exploitation Restrictions in Modern JDK Times
➡️ JMX Exploitation Revisited
✍️ Vote now: https://portswigger.net/polls/top-10-web-hacking-techniques-2023
Exploiting ASP.NET TemplateParser to get RCE in Sitecore (CVE-2023-35813) and SharePoint (CVE-2023-33160) by @mwulftange in two parts: part 1 at https://code-white.com/blog/exploiting-asp.net-templateparser-part-1/ is live now and part 2 will follow in a few days... stay tuned!
The return of Kurts Maultaschenfabrikle: have fun with our all new applicants challenge at https://apply-if-you-can.com #CTF
Even though JMX exploitation is generally perceived to be comprehensively understood, we were able to find new universal exploitation techniques & one of them allows gaining instant Remote Code Execution using TemplatesImpl. Read all about @mwulftange's and @qtc's recent discoveries, which have already been implemented in #beanshooter: https://codewhitesec.blogspot.com/2023/03/jmx-exploitation-revisited.html
@GossiTheDog I used Base64 encoded output just to make sure special characters such as the umlaut in Süp3rS3cr3tP4$$w0rd! don't get mangled or lost when printing to console.