Principal Vulnerability Researcher at watchTowr | Previously: Zero Day Initiative | @chudypb@infosec.exchange

My OffensiveCon 2024 talk about Exchange PowerShell Remoting is available. Includes a chain of 3 vulns to RCE (file write + file read + DLL load). piped.video/AxNO2iA2fAg?si=WWPS…
3
102
300
39,149
I gave myself a Christmas gift 🎅
7
20
338
62,193
Recording of my Hexacon talk "Exploiting Hardened .NET Deserialization: New Exploitation Ideas and Abuse of Insecure Serialization" is available! Talk: piped.video/_CJmUh0_uOM?si=81To… White paper: github.com/thezdi/presentati… I hope you will find it useful 🙂
98
302
35,482
I'm happy to announce that I have recently joined @watchtowrcyber as a Principal Vulnerability Researcher. The break is over, it's time to do some new research 🫡
25
7
224
20,919
Blog about my @PwnieAwards nominated Exchange RCE gadget chain dropped: 1) File Write to drop DLL to unknown directory and leak this path to log file. 2) File Read to leak write location from the log file. 3) Local DLL loading gadget -> RCE It was a fun process 🥲
In part 3 of his series on exploiting #Exchange #Powershell after ProxyNotShell, ZDI researcher @chudyPB chains 3 bugs that lead to RCE, mainly by abusing the single-argument constructor conversions. Read the details at zerodayinitiative.com/blog/2…
2
41
166
43,002
I had a blast during my first month at @watchtowrcyber :)
8
9
164
13,492
My WarCon slides about Ivanti Avalanche are public! I tried to do some mapping of the attack-surface, show the new auth mechanism and present some research ideas (things I didn't try). It also shows my first-ever fuzzing and memory corruption experience😆 github.com/thezdi/presentati…
1
42
147
10,792
My Exchange RCE chain presented during @offensive_con has been nominated for the Best RCE Pwnie. Quite a nice surprise 🙂
🚨We are very pleased to announce the nominees for the 2024 Pwnie Awards! Be sure to tag your friends and catch us at Def Con! 🚨 🥳🏇🥳🏇🥳🏇🥳🏇🥳🏇🥳🏇🥳🏇🥳🏇 docs.google.com/document/d/1…
14
10
143
12,590
I am excited to announce my new position - Vulnerability Researcher at Trend Micro Zero Day Initiative @thezdi. I can't wait to have my hands busy with tons of research.😎
6
2
143
After amazing (almost) 3 years, this is my last day at @thezdi. Huge thanks to the entire team, it was an honour to work with you folks! New challenges and adventures are starting in 2025 :) PS. Watch out for the ZDI blog, as several of my posts should appear there in 2025.
14
129
6,480
My second Exchange RCE got patched! I hope to disclose some details in a near future. msrc.microsoft.com/update-gu…
4
18
120
18,844
I'm shocked - my research was ranked as 2nd best web research of 2023. Thanks for the votes and congratulations to the rest of researchers!
The results are in! We're proud to announce the Top 10 Web Hacking Techniques of 2023! portswigger.net/research/top…
14
3
120
16,187
My bypass of security controls in Apache Batik. Leads to the SSRF and even RCE during the SVG parsing. Payloads included. Reason: Java jar:// URI returns null host🙃
Use #Apache #Batik? Check out this latest blog from @chudyPB showing how versions below 1.15 and 1.16 can be abused for SSRF or RCE. zerodayinitiative.com/blog/2…
1
23
111
Btw, I described my SharePoint CVE-2024-38018 at a PL conference last year, and they've recently uploaded it. I guess you don't know Polish, but slides are in English 😅 RCE part starts at 30:30 piped.video/a2_onBMte8I?si=oFFH…
3
22
116
36,557
Research is fun. One month ago, I thought that I'll never again make a research as good as my .NET deserialization one. Here I am today, writing a new whitepaper. You never know the day 😅
2
1
112
6,095
My SharePoint XXE vuln (CVE-2024-30043) got patched. I plan to blog about it, as it's the most interesting XXE that I've ever found. BTW, more of my stuff should appear in upcoming months. :) Meanwhile, you can check out a nice summary of interesting vulns by @dustin_childs.
It's a smaller #PatchTuesday release, but there's an 0-day in Windows DWM Core Library to cover. Join @dustin_childs as he covers the full release and points out which vendors patched their #Pwn2Own bugs - and which didn't. zerodayinitiative.com/blog/2…
4
19
112
17,518
My analysis of amazing Exchange RCE (CVE-2022-41082). Spoiler alert: there will be part 2 ;)
Control Your Types or Get Pwned: Remote Code Execution in Exchange PowerShell Backend - @chudyPB provides the details of CVE-2022-41040 and -41082. These were the #Exchange bugs used in active attacks and recently patched. zerodayinitiative.com/blog/2…
36
111
My Sitecore CMS pre-auth RCE chain blog is public now. Enjoy 🫡
With the help of the Sesame Street gang, watchTowr Labs is back - with a pre-auth RCE chain against Sitecore Experience Platform that we discovered and reported in February this year. Enjoy..... labs.watchtowr.com/is-b-for-…
6
20
108
12,861
My first watchTowr post is out! It was my first take on a CMS solution and I was able to get some interesting pre-auth RCE chains on Kentico Xperience. 😎
Welcome to @chudyPB in his debut watchTowr Labs post since joining the phorce in January (of many to come..)! In today's post, we dive into Kentico's Xperience CMS - highlighting multiple Authentication Bypass vulns chained with a post-auth RCE... labs.watchtowr.com/bypassing…
10
17
105
17,512
It seems that my Exchange RCE was fixed - CVE-2023-21529. It was a bypass for the CVE-2022-41082 patch. Fun fact: I found this bypass before the patch 😆
2
7
102
21,590
My SharePoint RCE got fixed: CVE-2024-38018. Site Member privs should be enough to exploit. I also found a DoS vuln that got patched today: CVE-2024-43466 msrc.microsoft.com/update-gu…
It's a pumpkin-spiced Patch Tuesday, with flavorful updates from #Adobe & #Microsoft. According to our count, there are 5 0-days to cover. @dustin_childs breaks down the release and points out a few patches that might cause some headaches. zerodayinitiative.com/blog/2…
4
16
94
16,088
I've passed my #OSCP exam. 😃It was a real fun. PWK lab from @offsectraining is definitely worth your time. If you haven't already tried it, you should do it in the near future. Cheers 💪
6
2
92
My SharePoint XXE blog is live. URL scheme confusion allowed to bypass security measures delivered by XmlSecureResolver :)
CVE-2024-30043: @chudyPB details this #SharePoint XXE he discovered. He calls it one of the craziest XXEs he has ever seen, both in terms of vuln discovery and the method of triggering. He shows how it can be used for info disclosure & NTLM relaying. zerodayinitiative.com/blog/2…
2
27
94
43,190
I'll soon talk about 2 of my recent SharePoint vulns, during one of the top Polish conferences. Details of CVE-2024-38018 RCE included. Slides in English, talk in Polish. Don't worry though, I also plan to blog about this RCE :)
❓"Jak to możliwe, że znajdujesz podatności w tak dojrzałych produktach jak na przykład Microsoft Exchange czy SharePoint?" Piotr Bazydło omówi dwie znalezione przez siebie podatności w Microsoft SharePoint oraz tok myślenia podczas ich szukania. Więcej🔜 omhconf.pl
3
16
93
18,786
Writeup of my SharePoint RCE: CVE-2024-38018. ZDI decided not to publish the blog and I didn't find time to write a new one 😅 Enjoy @_l0gg analysis!
While waiting for the Pwn2Own chain, you might want to read this. Disclaimer: This is a bug I discovered by accident, and already been resolved. I’m not sure which CVE or patch this maps to. If you know any information, please feel free to leave a comment blog.viettelcybersecurity.co…
2
15
90
17,006
5 next Exchange vulns patched, including 3 RCEs, 1 File Read and 1 NTLM Relaying. msrc.microsoft.com/update-gu…
1
19
83
11,669
I found SSRFs in Exchange OWA, which are not going to be fixed in the near future (or may not be fixed at all). One of them allows to retrieve response content through the email attachments🙃
Replying to @TheZDIBugs
Additional information about this and other #SSRF can be found in a new blog from @chudyPB. Check out how to get responses from attachments in OWA at zerodayinitiative.com/blog/2… #0day
4
24
80
22,461
Nobody has ever disrespected my work as much as MSRC did.
The Microsoft Researcher Recognition Program offers public thanks and recognition to security researchers who help protect our customers by discovering and sharing security vulnerabilities under Coordinated Vulnerability Disclosure. Today, we are excited to recognize this year’s 100 Most Valuable Researchers (MVRs), based on the total number of points earned for each valid report. Please join us in celebrating this year’s MVRs, including our top 10: 1. 🥇 Yuki Chen @guhe120 2. 🥈Wei @XiaoWei___ 3. 🥉VictorV @vv474172261 4. Suresh Chelladurai 5. Dhiral Patel @dhiralpatel94 6. Erik Donker @kire_devs_hacks 7. Nutesh Surana @_niteshsurana working with Trend Micro Zero Day Initiative @thezdi 8. Anonymous 9. Tzah Pahima @TzahPahima 10. wkai See the full list of this year’s 100 MVRs, in addition to our Azure, Office, Windows, and Dynamics 365 leaderboards: msrc.microsoft.com/blog/2024… #bugbounty #infosec
4
5
81
24,261
I'll finally share details about my Exchange PowerShell deserialization research. I'm happy to do this during @offensive_con!
Half Measures and Full Compromise: Exploiting Microsoft Exchange PowerShell Remoting by @chudyPB offensivecon.org/speakers/20…
3
16
73
13,960
Get a full-win at Pwn2Own: ✅️
Confirmed! @chudyPB used a deserialization bug to exploit Inductive Automation Ignition and execute his code on the system. He earns $20,000 and 20 Master of Pwn points. #Pwn2Own #P2OMiami
2
3
76
Thx all for joining, I hope you liked it. Whitepaper and ysoserial .net PR drop on Monday🙂
Now on stage: Exploiting Hardened .NET Deserialization by @chudyPB #HEXACON2023
4
5
71
12,811
Check out my first ZDI blog post. It includes the XStream Deserialization and the Race Condition leading to Auth Bypass :)
Riding the inforail to exploit #Ivanti Avalanche: @chudyPB provides details on several bugs he found in the popular MDM tool. He goes in-depth on root cause, including a video of one of the bugs in action. Read all about it at zerodayinitiative.com/blog/2…
2
15
71
My last 3 vulns in Exchange got patched: 1x File Read/NTLM Relaying 2x NTLM Relaying CVE-2023-36050, CVE-2023-36039 and CVE-2023-36035. I'm officially done with the Exchange for a while 🙃
2
5
70
8,963
My 2nd Sitecore blog is live. This time, it's a Pre-Auth HTML Cache Poisoning (fun reflection) + Post-Auth RCE 🫡
It’s Friday, and we’re back - completing our 2 part series detailing the vulnerabilities we discovered in the Sitecore Experience Platform CMS 🫡 labs.watchtowr.com/cache-me-…
1
10
73
10,048
I'm happy to be on the nominations list second year in the row! This time, it's with "Half Measures and Full Compromise: Exploiting Microsoft Exchange PowerShell Remoting" research and some nice RCE chains on Exchange:) chudypb.github.io/exchange-p…
Voting is now live for the Top Ten (New) Web Hacking Techniques of 2024! Browse the nominations & cast your votes here: portswigger.net/polls/top-10…
1
10
64
15,996
As promised, Exchange PowerShell research is getting published in a form of blog posts. Part 1/4 describes two RCEs: MultiValuedProperty internal deserialization + a chain with Command gadget.
In the 1st of a 4 part series, @chudyPB details his research into exploiting #Microsoft #Exchange after ProxyNotShell was patched. Today's post covers CVE-2023-21529: abuse of the allowed MultiValuedProperty class for RCE. Check it out at zerodayinitiative.com/blog/2…
15
62
9,888
Writeup of my Pwn2Own Miami 2022 Inductive Automation Ignition vuln. It's a custom deserialization in Java, so quite a fun one 🙂
With #Pwn2Own Miami less than a week away, @chudyPB details how he exploited #Inductive Automation #Ignition at last year's event with a custom deserialization issue. His detailed write-up includes root cause analysis and a video demo. Check it out at zerodayinitiative.com/blog/2…
1
15
61
14,720
It seems that our Veeam CVE-2025-23120 post is live. I would never do this research without @SinSinology. He insisted a lot, thx man. 😅 If you know CVE-2024-40711, this vuln can be patch-diffed and exploit armed in 5 minutes. Unfortunately, it's super simple at this point.
The industry is ablaze w speculation around yesterday's publicly disclosed Veeam Software Backup & Replication RCE vulnerabilities (CVE-2025-23120). We reported these vulnerabilities to Veeam in early February, tracked as WT-2025-0014 and WT-2025-0015. labs.watchtowr.com/by-execut…
3
5
61
8,217
And domain-level RCE in Veeam B&R fixed today (CVE-2025-23121). My first (and hopefully not last) CVE, where I'm credited together with @codewhitesec 😎
Veeam has released patches today - veeam.com/kb4743
1
12
61
6,887
As I've been losing track of things that I've done, I've created a single page that summarizes my last 2 years of research. Maybe you can find something interesting for you here: chudypb.github.io/
2
6
61
5,512
Doing @offensive_con talk was a great experience. Thx for all the feedback and laughs at the Defender slide 😉
2
4
60
8,036
Another Exchange RCE patched: msrc.microsoft.com/update-gu… (advisory says Spoofing instead of RCE, but I hope it'll be corrected soon, CVSS is right). Yes, it was a bypass of CVE-2023-32031. Yes, I plan to present the entire Exchange research in the future:)
1
12
60
9,855
I did my first 1daying ride with my friend Sonny. Enjoy🫡 Ivanti EPMM: CVE-2025-4427 and CVE-2025-4428 pre-auth RCE chain.
Expression payloads meet mayhem in this week's Ivanti EPMM vulnerabilities — CVE-2025-4427 and CVE-2025-4428 — chained to achieve unauth RCE. Beware - this is currently being exploited ITW! Enjoy our analysis. labs.watchtowr.com/expressio…
3
7
56
9,586
Patch your Ivanti EPM asap. My pre-auth RCE got fixed and exploitation is straightforward.
[ZDI-24-1510|CVE-2024-50330] Ivanti Endpoint Manager GetComputerID SQL Injection Remote Code Execution Vulnerability (CVSS 9.8; Credit: Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative) zerodayinitiative.com/adviso…
1
16
54
12,121
My CRLF injection vulnerability in .NET FTP client has been described by our VRS team. Simple, yet fun vulnerability, which can sometimes lead to a nice impact.
In our latest guest blog, the Trend Micro Research team details CVE-2023-36049 - a .NET LPE bug originally found by ZDI's own @chudyPB. An attacker could write/delete arbitrary files in the context of the FTP server. Read all the details at zerodayinitiative.com/blog/2…
1
6
54
6,871
32 million of scans from 185.169.231.0/24 (one IP) during last 6 days. Targeted ports: 8888, 8889, 8890, 8900 (8 millions of packets per protocol -> equal distribution) Source port: 65535 cc @bad_packets [1/2]
1
20
46
Sadly, I'm not suprised 💀. Btw, I've described this SSRF in a blog post one year ago: thezdi.com/blog/2023/11/1/un…
The saga of a full-read SSRF vulnerability in Exchange: ❌ 2021: Reported by me - low impact, no fix. ❌ 2023: Reported by @chudyPB - the issue doesn't require immediate servicing. ✅ 2024: Quiet patch by Microsoft. No CVE, no bounty, and only after 3 years customers are safe.
9
51
6,326
I joined Sonny and added quite nice pre-auth RCE chain, which contains argument injection -> auth bypass vuln 🫡
We're back - returning to the scene of the "crime" - to demonstrate 2 pre-auth RCE chains against Commvault (CVE-2025-57788, CVE-2025-57789, CVE-2025-57790, CVE-2025-57791) Enjoy, and speak soon 😉 labs.watchtowr.com/guess-who…
1
9
50
5,607
2nd part of Exchange series is live. This time, it's CAB extraction gadget, together with a path traversal in Windows extrac32.exe. I also covered a bypass for Defender CAB signatures (spoiler: quite a simple one). 😅
In part 2 of his #Exchange series, @chudyPB describes the ApprovedApplicationCollection gadget. He also covers a path traversal in the Windows utility extrac32.exe, which allowed him to complete the chain for a full RCE in Exchange and remains unpatched. zerodayinitiative.com/blog/2…
2
13
47
9,981
Although this is 10.0 RCE, I find these SolarWinds ARM File Read/Delete vulns much more entertaining. I think they deserve a blog post with some explanation :)
[ZDI-24-912|CVE-2024-23469] SolarWinds Access Rights Manager EndUpdate Exposed Dangerous Method Remote Code Execution Vulnerability (CVSS 10.0; Credit: Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative) zerodayinitiative.com/adviso…
1
5
44
9,445
I wrote a fun, little blog post. Remote pre-auth file deletion in SolarWinds ARM allowed to achieve LPE on AD machines 🙃
In his latest blog, @chudyPB covers a pre-auth Arbitrary File Deletion vulnerability he discovered in the SolarWinds Access Rights Manager (ARM). It may not sound exciting, but it can lead to an LPE on domain-joined Windows machines. Read the details at zerodayinitiative.com/blog/2…
1
12
43
5,352
Great news: I got invited to Microsoft Zero Day Quest onsite event. Bad news: It overlaps with my kid's estimated due date 😅 Happy hacking to all of you who's planning to go to Redmond 😎
10
42
3,440
See you in Paris #HEXACON2023
💎🔨 Exploiting Hardened .NET Deserialization: New Exploitation Ideas and Abuse of Insecure Serialization, by Piotr Bazydło (@chudyPB)
3
43
5,693
Not a bad way to start a year for me. 2x Exchange LPE and 1x Exchange NTLM Relaying. Still waiting for the most important vuln to be fixed :)
It's the first Second Tuesday of the year, which means Patch Tuesday for #adobe and #microsoft (and more). Join @dustin_childs as he breaks down this large release and covers which bugs already have exploits in the wild. zerodayinitiative.com/blog/2…
1
3
41
10,923
[rare long post] Another year, another MVR for me. This year, it has a bittersweet taste though. Let’s kick off with the sweet part. I’m quite happy with my consistency and findings. My record for 2024: - 10x Exchange - 2x SharePoint - 1x .NET/VS Multiple RCEs included. [1/n]
8
2
40
6,568
My first Exchange vulns are fixed, including LPE through the hardcoded DLL path. More to come:)
No patches from #Adobe this month, but @dustin_childs has plenty to cover from the #Microsoft release with 4 new 0-days and fixes for #Exchange bugs under attack. Read all the details at zerodayinitiative.com/blog/2…
2
38
While having a quick look at Ivanti EPMM, I added a funny RCE 😅
well, here's CVE-2025-6771 - a post-auth (admin only, exploitable via CSRF) RCE in Ivanti EPMM that we found while analysing CVE-2025-4427 and CVE-2025-4428 forums.ivanti.com/s/article/…
2
5
38
5,334
I didn't win Pwnie, but I find it very fair. Remote Windows UAF seems very impressive! :)
My Exchange RCE chain presented during @offensive_con has been nominated for the Best RCE Pwnie. Quite a nice surprise 🙂
1
37
2,320
It's nice to have my .NET deserialization research nominated to that list. It made my day:)
Voting is now live for the Top ten web hacking techniques of 2023! Make a brew, browse the nominations, and cast a vote for your personal top ten here: portswigger.net/polls/top-10…
2
4
35
7,705
I can't wait for my 1st @offensive_con. I'll be hanging around even before the conf. I hope to meet you there and discuss research 🤟
1
31
2,140
As advisory states, CVE-2024-28991 can be chained with CVE-2024-28990 for pre-auth RCE. I plan to blog about several ARM vulnerabilities in the future, and I'll start with something that I find more interesting than pre-auth RCE.
[ZDI-24-1224|CVE-2024-28991] SolarWinds Access Rights Manager JsonSerializationBinder Deserialization of Untrusted Data Remote Code Execution Vulnerability (CVSS 9.9; Credit: Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative) zerodayinitiative.com/adviso…
1
2
31
2,485
Huge congratz @SinSinology - this is an enormous level of both skills and determimation 🔥
And that’s a wrap! #Pwn2Own Automotive 2025 is complete. In total, we awarded $886,250 for 49 0-days over the three day competition. With 30.5 points and $222,250 awarded, Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) is our Master of Pwn. #P2OAuto
30
2,178
Proud father moment 😎
CVE-2025-20281: Cisco ISE API Unauthenticated Remote Code Execution Vulnerability: Trend ZDI analyst @bobbygould5 details this bug and another that may be a dupe. He also shows how it can be exploited. zerodayinitiative.com/blog/2…
1
1
26
3,044
Our last @thezdi Pwn2Own was a blast. Thanks to all the contestants for hanging around there with us, showing great research and for good discussions during the parties!
27
2,335
I made it to MSRC 2023 MVR list and I was #4 in Office category. I have to admit that I'm surprised :) Congratulations to all researchers and my colleagues @mrpowell @izobashi
Congratulations to our MSRC 2023 Most Valuable Researchers! Thank you to all the researchers who have helped secure our customers. 👏🎉 Check out our blog for the full list: msft.it/60199yOc9
3
28
3,236
I'm not a huge fan of XSS and I try to avoid them, but this was fun (based on a custom file handler) 🫡
We know what you’re waiting for…..this isn’t it 😅 🚀Join the watchTowr Labs team today on our journey into Kentico Xperience CMS again - chaining vulnerabilities together for full RCE.... labs.watchtowr.com/xss-to-rc…
23
1,808
Folks from Trend Micro VRS Team 1dayed one of my SolarWinds deserialization vulns. Check it out!
In our latest blog from Trend Micro Research, Justin Hong & Lucas Miller detail an RCE vuln in the #SolarWinds Network Performance Monitor (Originally reported by @chudyPB). Post covers root cause and offers detailed detection guidance. zerodayinitiative.com/blog/2…
2
23
4,573
My two vulnerabilities in the Apache Batik default security routines. SSRF should be always possible in the default config. Non-default one may even give you the RCE. I'll probably blog about it soon.
[ZDI-22-1327|CVE-2022-40146] Apache Batik DefaultScriptSecurity Server-Side Request Forgery Remote Code Execution Vulnerability (CVSS 8.1; Credit: @chudypb) zerodayinitiative.com/adviso…
2
24
@GossiTheDog inspired me to take a look back at the ADB.Miner worm, which I've been fingerprinting on February. It seems that it lives and it feels pretty well. I've checked out two days (4th, 5th of June) - about 40 000 unique IP addresses. I'll provide some deep analysis soon.
1
7
21
Some serious question about a larg-scale usage of AI in Vuln Research. Aren't you afraid of missing some key datails by outsourcing huge tasks to AI? I am. If you rely on a tool, you're as good as your tool. If AI screws in a huge project, you probably won't even notice that.
3
20
2,650
It is going to be my #Pwn2Own debut🙂 I am unable to come to Miami, but I am still going to have a lot of fun😎
Reminder: We'll be broadcasted the random drawing for #Pwn2Own Miami live on Monday, Apr 18 at 3pm Eastern (UTC -4). We've received quite a few entries, so it should be a great contest. piped.video/OR3vJcS-LRI #S4x22
2
21
To sum up, #Pwn2Own was great. I did not expect such a great result (3rd score ex aequo with the Claroty team). Congratulations to all participants (especially @sector7_nl and @sourceincite for a great score and a close fight). Thanks @thezdi for a great event, it was fun. [1/2]
1
22
BTW - 2 long blog posts incoming 😅
Small survey. Should my blogs be: a) Long as usual, with a deep dive and the code flow analysis. b) Shorter, straight to the root-cause analysis. Any feedback appreciated :)
1
1
21
2,077
Thank you @OMHconf for a great edition! I had a blast 🙂 High frequency at my SharePoint talk shows that a lot of Polish people are interested in Vulnerability Research. I hope that events like this will help to make our local scene bigger. 😎
2
17
1,126
Thx @h0wlu and @antisnatchor for another great @WarConPL. As always, complete blast. Cheers to the river committee
1
16
1,786
It's a sweet stuff
Success! @testanull of @starlabs_sg was able to execute a 2-bug chain on Microsoft SharePoint. They earn $100,000 and 10 Master of Pwn points. #Pwn2Own #P2OVancouver
2
16
7,138
Great news: I have a 0day for #Pwn2Own Bad news: It was postponed 🥲
#Pwn2Own Miami will also be postponed until #S4x22 can be rescheduled. We will update specific dates once we have them. We still look forward to seeing everyone in Miami this year.
1
4
15
Last part of my Exchange series. I tried to describe the no-argument ctor conversion (setter-based), which significantly increased the attack surface. I used it to get 3 more vulnerabilities in Exchange allowed classes (XXEs and NTLM Relays).
The final part of @chudyPB's look at #Exchange bugs in a post-ProxyNotShell world covers the no aurgument constructor. It allowed him to find 3 more vulns, even after Exchange PowerShell had been hardened by switching to a strict allow list of types. zerodayinitiative.com/blog/2…
4
15
2,038
Example: use secure XStream deserialization (whitelist applied) to throw NumberFormatException and bypass the deser whitelist with JNDI injection :) Payload: <int>${jndi:...}</int>
3
14
Yes, PowerShell is still accessible for low-priv users.🙃 It's unlikely to be exploited over the internet though, as you need to have a valid Kerberos ticket. It's a nice patch bypass! I plan to present mine in a future.
It's TGIF and we have a new blog post by our team member, @testanull Microsoft Exchange Powershell Remoting Deserialization leading to RCE (CVE-2023-21707) Thanks to all the other team members for reviewing it as well. starlabs.sg/blog/2023/04-mic…
13
2,340
Quick update on this Mirai variant. 2018.09.13 - around 7600 infections 2018.09.14 - around 11000 infections (a lot of new ones in USA) I've managed to grab around 4000 infected devices (or services if no model provided) from @shodanhq A lot of D-LINK: pastebin.com/eGQL2104
8
13
Nice writeup! You may like my Hexacon talk that will occur next month: hexacon.fr/#dot_net_deserial… Multiple commits to ysoserial.net planned:)
1
1
13
1,009
Also, 212.92.127.0/24 is providing us some activity. almost 2 million of scans, different ports are being targeted
1
6
13
Thanks everybody! I recommend you to have a look at all nominations (not only top 10). There's a lot of great work there, from researchers like @irsdl @artsploit @frycos @mwulftange @scryh_ @garethheyes and many others!
1
1
12
2,909
It seems that my first and favorite Pwn2Own vuln was fixed. I think that I will be able to provide some more details in the future. :)
ZDI-22-1019|CVE-2022-35872] (Pwn2Own) Inductive Automation Ignition Deserialization of Untrusted Data Remote Code Execution Vulnerability (CVSS 7.8) zerodayinitiative.com/adviso…
12
My talk from the @CONFidence_news about network telescope is now available. piped.video/watch?v=gT1IZDdC… Among others, I showed how Memcached based amplified DRDoS attacks (including Github attack) could be predicted and how we can fingerprint botnets. Work performed for the @sissden.
3
12
Does MSRC sometimes use AI to respond to researchers? Asking for a friend 🙃
11
1,166
Thanks to the @bad_packets, I've again checked out T-Mobile USA (AS21928). A lot of IPs are scanning port 5555 again - check out the timeline. About 18 000 unique IP addresses.
4
8
I think I've fingerprinted new Mirai variant in our darknet (correct me if it isn't new, cc @360Netlab @bad_packets). It's active since 2018.08.27. So far: 7800 unique IPs. It scans five ports: 88, 8181, 8080, 81, 80 Every IP has constant source port. Top countries:
7
4
9
DoS attacks are targetting @ProtonMail . We have seen some SYN-ACK in our network telescope (SYN FLOOD). DDoSMon shows that NTP and CLDAP were also used for the amplified DRDoS. Good luck with the mitigation guys.
Our network has been under sustained attack this morning. We are working with our upstream providers to mitigate the attack. Emails are delayed but will not be lost. Thank you for your patience.
9
10
Replying to @frycos @VietPetrus
Vuln is a vuln. It can always be chained with auth bypass/privesc. I don't understand downplaying of post-auth bugs.
3
9
730
Ok, quick look at the infected devices. So far: - TP-LINK WR740N, port 8080 - NETGEAR DGN1000, port 8080 - D-Link DIR-845L, port 8080 - D-Link DIR-865L, port 8080 - D-Link DIR-868L, port 8080 - Avtech AVN801 IP camera, port 80 A lot of stuff, I'll try to prepare full list.
1
4
9
To all the folks panicking about this one - it's not that bad, despite being 9.8. World will not burn because of it, don't worry. Merry Christmas 🎅
1
10
1,451
Replying to @_l0gg
It's CVE-2024-38018 🫡
1
10
1,550
Successful exploitation.💪 It was a collision, but I'm not even mad.😎
Bug collision - Piotr Bazydło (@chudyPB) was able to get RCE on Iconics Genesis64, however the bug he used had been previously seen. He still earns $5,000 and 5 Master of Pwn points. #Pwn2Own #P2OMiami
1
8
Another full-win. It turned out to be a good competition. :)
Confirmed! @chudyPB used an untrusted search path bug to get code execution on AVEVA Edge. He wins another $20,000 and 20 Master of Pwn points. That brings his contest total to $45,000. #Pwn2Own #P2OMiami
9