Red Teaming. Security Research. Continuous Penetration Testing. Threat Intelligence.

Ulm & Mannheim
We have reproduced "ToolShell", the unauthenticated exploit chain for CVE-2025-49706 + CVE-2025-49704 used by @_l0gg to pop SharePoint at #Pwn2Own Berlin 2025, it's really just one request! Kudos to @mwulftange
8
160
635
109,993
Critical vulns in #FortiOS reversed & exploited by our colleagues @niph_ and @ramoliks - patch your #FortiOS asap and see the #bh2019 talk of @orange_8361 and @mehqq_ for details (tnx guys for the teaser that got us started)
12
250
392
Bypassing .NET Serialization Binders: case studies for DevExpress (CVE-2022-28684) and Microsoft Exchange (CVE-2022-23277) by @mwulftange codewhitesec.blogspot.com/20…
2
170
358
CVE-2023-27532 in Veeam Backup & Replication is serious, expect exploitation attempts soon. Our teammate @mwulftange was able to develop an exploit just by using the exposed API.
4
118
330
93,164
PIC your Katz! Say hello to HandleKatz, our position independent Lsass dumper abusing cloned handles, direct system calls and a modified version of minidumpwritedump() brought to you by @thefLinkk #BruCON0x0D github.com/codewhitesec/Hand…
5
167
346
Toys for red teams! Headache for blue teams? LethalHTA - a new lateral movement technique brought to you by @matthias_kaiser and @marpie0 of Code White. Check out our new blog post at codewhitesec.blogspot.com/20… #wearehiring
7
196
329
Better patch your Veeam Backup & Replication servers! Full system takeover via CVE-2024-40711, discovered by our very own @frycos - no technical details from us this time because this might instantly be abused by ransomware gangs code-white.com/public-vulner…
5
98
273
37,352
For your reading pleasure: Liferay Portal unauth'd RCE vulns affecting all versions from 6.1 to 7.2, found by our very own @mwulftange codewhitesec.blogspot.com/20…
3
103
214
Our powerintern @testert01 strikes again, teamed up with @thefLinkk and developed SysmonEnte: a hard to detect attack on Sysmon. Check out our new blogpost: codewhitesec.blogspot.com/20…
3
82
191
If you're interested in Java Deserialization Exploitation with recent JDKs, feel free to check out codewhitesec.blogspot.com/20… by our very own @frycos . We'll not publish tooling but maybe this blog post pushes research(ers) into new and interesting directions...
1
77
184
29,539
Even though JMX exploitation is well understood, @mwulftange and @qtc_de found new universal exploitation techniques & one of them allows to gain instant Remote Code Execution using TemplatesImpl (which is now implemented in #beanshooter) codewhitesec.blogspot.com/20…
73
167
39,079
Once upon a time there was a #Sophos XG Firewall N-day that had @ramoliks and @niph_ dig deep until they got RCE, a 0-day and a comprehensive blog post. #CVE-2020-12271 #CVE-2020-15504 codewhitesec.blogspot.com/20…
2
96
151
The specter of .NET Remoting haunts unsuspecting ASP. NET applications even today, whispering valid ObjRefs to those who dare listen. Dive into our latest post to see how these apparitions can lead to remote code execution: code-white.com/blog/leaking-…
2
61
137
67,444
How the search for deser bugs in #SAP sent @kaidentity down a rabbit hole where he winded up stumbling upon a completely unrelated unauth'ed admin access #CVE-2021-21481 codewhitesec.blogspot.com/20…
1
68
107
.NET Remoting Revisited – playing around with .NET Remoting led @mwulftange to new insights, some enhancements for @tiraniddo's #ExploitRemotingService, a new universal #YSoSerialNet ObjRef gadget and its counterpart #RogueRemotingServer (1/2) codewhitesec.blogspot.com/20…
1
56
113
Struggling to exploit H2 DB? This may help: we found a new way utilizing native libraries and JNI. Kudos to @mwulftange codewhitesec.blogspot.com/20…
1
54
108
Another product, another deserialization vulnerability, another RCE from @mwulftange: Patch your Telerik Report Server (CVE-2024-6327 & CVE-2024-6096) code-white.com/public-vulner…
2
35
100
7,695
Our crew members @mwulftange & @frycos discovered & responsibly disclosed several new RCE gadgets that bypass #Veeam's blacklist for CVE-2024-40711 & CVE-2025-23120 as well as further entry points following @SinSinology & @chudyPB's blog. Don’t blacklist, replace BinaryFormatter.
25
88
22,913
We've added a new demo to NewRemotingTricks that makes deploying a MarshalByRefObject (e.g., WebClient) even easier: System.Lazy<T> creates an instance of T on serialization, which is probably more likely to be allowed than a XAML gadget getting through. github.com/codewhitesec/NewR…
1
31
89
7,582
@snyksec Tnx for your excellent analysis at snyk.io/blog/npm-dependency-… and don't worry, the "malicious actor" is one of our interns 😎 who was tasked to research dependency confusion as part of our continuous attack simulations for clients. (1/2)
3
28
84
Interested in Advanced Java Exploitation? Check out our new blog post about exploiting Adobe ColdFusion codewhitesec.blogspot.com/20…
1
60
82
Today, CODE WHITE turns 10 🥳 Over the past decade, we've hacked our way through 120+ large corporations' defenses, caused headaches for Blue Teams and disclosed numerous 0days to vendors. Proudly grown from a few motivated hackers in 2014 to an established team of 50+ today 💪
2
14
78
8,598
Let's break the dAM-SIng - a heap-based AMSI bypass for VBA. Follow @danshaqfu of @codewhitesec into the rabbit hole in our latest blog post: codewhitesec.blogspot.com/20…
1
53
73
We're pleased to announce that we donated a total of $29,500 from vulnerability disclosure rewards to charities this year. Thanks to all colleagues who made this possible and hacky christmas everybody!
2
10
64
5,105
Using Telerik Reporting or Report Server? Patch now to fix 3 RCEs @mwulftange found (CVE-2024-8015, CVE-2024-8014, CVE-2024-8048). Telerik vulns have a history of being exploited by threat actors according to @CISACyber Details at code-white.com/public-vulner…
20
61
10,896
It is always good to take a 2nd look at existing vulns. So @mwulftange found a new rock-solid exploitation technique for the Telerik UI framework (hint: affects an Avast product ;) Enjoy: codewhitesec.blogspot.com/20… #CVE-2017-11317
30
58
Still interested in leaking & exploiting ObjRefs in .NET Remoting? Have fun with our test bench, example p(l)ayloads and exploit script over at github.com/codewhitesec/Http…
The specter of .NET Remoting haunts unsuspecting ASP. NET applications even today, whispering valid ObjRefs to those who dare listen. Dive into our latest post to see how these apparitions can lead to remote code execution: code-white.com/blog/leaking-…
26
59
15,327
Ever wondered how to pull a Houdini on #auditd and let linux events vanish into thin air? Dive into our latest blog post by @qtc_de and meet the magic wands ^H^H^H PoCs 'daphne' & 'apollon' 😎 code-white.com/blog/2023-08-…
3
24
49
15,627
We are nominated again for @PortSwigger's "Top 10 Web Hacking Techniques" and we're even in with two entries for 2023: ➡️ Java Exploitation Restrictions in Modern JDK Times ➡️ JMX Exploitation Revisited ✍️ Vote now: portswigger.net/polls/top-10…
13
44
4,202
We've received insider information from a reliable source that Kurts Maultaschenfabrikle will be expanding and securing their IT in the coming weeks. So either act fast and get ahead on apply-if-you-can.com or wait for the new challenges. Or better yet, do both 🤓
1
18
45
5,395
Be aware of an undocumented administrative service account in #Technicolor TG670 DSL router gateways @frycos pulled out from the hardware. Great for pivoting and seems to affect at least all devices provisioned in Italy: CVE-2023-31808 kb.cert.org/vuls/id/913565
1
10
43
12,389
BeanBeat has been aquired by Kurts Maultaschenfabrikle! You don't know what that means? Head over to apply-if-you-can.com to find out in challenges that, without exception, stem from real-world vulns #uncompromisingRealism #finestHacking
16
43
6,463
.@citrix published a security bulletin regarding a pre-auth RCE in @sharefile Storage Zones Controller (CVE-2021-22941) found by @mwulftange: support.citrix.com/article/C… Details will follow on our blog at codewhitesec.blogspot.com
17
40
Here are the slides from our Java Deserialization talk at @ruhrsec including our shiny 0days slideshare.net/codewhitesec/… #ruhrsec
29
36
Find out about multiple ways to achieve unauth'd #RCE in #Fortinet #FortiNAC that our teammate @frycos talked about @TumiConIT just recently and now blogged about (CVE-2023-33299 and CVE-2023-33300)
Finding some new unauth'd RCEs in Fortinet FortiNAC frycos.github.io/vulns4free/…
1
10
35
5,963
Beware: we found that MS Lync/Skype for Business is also vulnerable to CVE-2020-1147; endpoint requires auth'd user with SIP enabled
19
32
Our CODE WHITE crew can see every day how frycos finds what he finds. Now you can too: an instructive insight into his thought process based on his RCE in MS Dynamics - well worth the read if you're into .NET exploitation
My blog post about several findings in Dynamics 365 Business Central. I tried writing in a .NET primer style for code audit beginners. frycos.github.io/vulns4free/…
8
33
5,398
We are proud to announce the new Code White office location in Mannheim downtown. Lets have a great start over there guys!
1
6
30
There is a special Friday after-work tradition at Code White - today powered by a very nice RCE-Redwine sponsored by @C1_CMS. We appreciate! Thx @frycos ;)
2
1
27
Looking forward to have so many technical cyber security talents in #ulm next week and proud to sponsor the event together with our friends @bluefrostsec and @X41Sec
Am 3. Juli startet das Finale der #cscg2023 in #ulm. Die Vorbereitungen laufen auf Hochtouren. Die wichtigsten Infos sind in diesem Artikel zusammengefasst: ulm.de/leben-in-ulm/digitale…
10
27
4,159
If you're using #pgAdmin Server < 6.17 on Windows, patch the unauth'ed RCE #CVE-2022-4223 that our @frycos found & reported (without being mentioned)
2
8
25
Unauth'd admin access to #SAP #Netweaver? Our very own @kaidentity has you covered, see #CVE-2021-21481 and SAP Security Note 3022422. Better patch than sorry. Our customers got their heads-up already and we'll publish a detailed blog post when appropriate.
25
26
To clarify: we did not discover these bugs - all credit goes to @_l0gg. We diffed the patches, quickly built a working exploit internally (and identified another auth bypass afterwards)
1
2
27
7,124
Tnx @_dirkjan for visiting the CODE WHITE headquarters and further sharpening our RedTeamer's Offensive Azure AD skills during 3 days of technical training. Recommended!
7
24
6,675
Ten days left. The warm-up fades. Maultaschen were soft. Bean Beats were dark and burnt. But the beats of #ULMageddon will be brutal! #applyIfYouCan
14
27
4,652
Think your #kubernetes or #kubelet API is secured with auth? Think again if you expose #tekton for which our crewmember @flomb_ has some nice writeup regarding RCE & proxy risks.
Published my write-up regarding two vulnerabilities in the Tekton Dashboard. blog.flomb.net/posts/tekton/
10
21
3,566
We always love a good challenge. That’s why we’re sponsoring the 10th FAUST CTF. Game on at 2025.faustctf.net/
9
23
2,736
Proud to be sponsoring the celebration dinner today for the finalists of the Cyber Security Challenge Germany 2022. Great to support the hacking community and get in touch with so many talented minds. Cheers to all winners! #CSCG #finestHacking #finestDining
1
5
21
We are proud to announce that Code White opens a North America division in Los Angeles! Welcome on board for Code White LLC: Dr. Dieter Haban!
2
7
20
Wanna meet some of our team mates like @frycos @dhn_ @tcs3c @datenschrott in real life? Spot us at #OffensiveCon in Berlin over the next few days 🙋
3
20
3,216
We could waffle on about our distinctive service portfolios. We could brag about the perks we provide. We could present you with our outstanding team. But you know what? Apply if you can! apply-if-you-can.com
4
10
21
If you have #Citrix #ADM exposed, better patch than sorry. @frycos and @CaptnBanana found a hard to exploit but nonetheless nasty bug that could lead to an unauth'ed device brick/takeover: support.citrix.com/article/C…
1
10
18
Happy to announce that our talk 'PIC Your Malware' was accepted @BruCON! @thefLinkk and @b00n10 will share their experiences on leveraging fully position independent code to avoid suspicious memory artifacts & other useful techniques to stay under the radar of EDRs & BlueTeams 😎
1
16
16
Part of the CW delegation at 1st @offensive_con. Great job @bluefrostsec!
1
5
18
Our teammate @frycos got unauth RCE on 3CX Phone Management systems and wrote a detailed blog post about his journey ("no CVE(s), no logo, no website" 😎) medium.com/@frycos/pwning-3c…
medium.com/@frycos/pwning-3c… Here it is: my blog post for a Pre-Auth RCE on the famous 3CX Phone Management System.
7
18
As mentioned in our @InfiltrateCon and @ruhrsec talk, we have found a nice JRE gadget. The detailed writeup is here: codewhitesec.blogspot.com/20…
17
16
Tnx @_dirkjan for visiting the CODE WHITE headquarters and further sharpening our RedTeamer's Offensive Azure AD skills during 3 days of technical training. Recommended!
2
16
2,329
The qualification phase for this year's Cyber Security Challenge Germany @C_S_C_G starts soon. CODE WHITE is proud to sponsor the promotion of young talents for the on-site event in july together with the city of Ulm @ulm_donau as host for the finalists cscg.live/
6
15
2,846
To clarify your questions: we're trying to mimic realistic threat actors for dedicated clients as part of our Security Intelligence Service and we brought our "own" package manager that supports yarn and npm. Feel free to DM us if you have additional questions. (2/2)
1
14
We're giving away 6 #cidersecuritycon tickets for students! First come, first serve: just DM us
1
13
15
CODE WHITE.roof.top.lounge: up & running; near by? Let us know.
4
11
Our @frycos tried hard to responsibly disclose an auth bypass in ConnectWise R1Soft over multiple channels, dropped an unweaponized PoC after months to get attention, suddendly got attention, handed over all details ... just to see the patch release on a friday 🤦 Still: patch ☝️
2
3
14
Our @thefLinkk and @TjarkRasche will give a workshop tomorrow at @bsidesbud on creating complex offensive tools as PIC. Come and learn about offensive coding techniques, memory artifacts and benefits of coding tools as PIC.
8
13
Well deserved @mwulftange and tnx to all voters who like our research efforts 🙏
Thanks to everyone who voted for my write-up "Bypassing .NET Serialization Binders" to place fifth in the @PortSwiggerRes "Top 10 Web Hacking Techniques of 2022"!
1
13
1,856
We are proud sponsor of @offensive_con. Thanks for the conference and great cooperation to @bluefrostsec. Lets make this great!
A big thank you to Code White GmbH @codewhitesec for the huge support and being our sole diamond sponsor. offensivecon.org/sponsors.ht…
6
12
You really want to apply that fix as the way to exploit CVE-2023-35082 for any recent version before that fix is just too easy! Tnx @catc0n for supporting us in the comms with that specific vendor.
So it turns out CVE-2023-35082 didn't just affect older versions of MobileIron Core, but rather all versions of Endpoint Manager Mobile and MobileIron Core. There's a fix out now for 11.10 to 11.3 and updated comms from Rapid7 and Ivanti: rapid7.com/blog/post/2023/08…
5
12
4,140
PIC that talk by our colleague @thefLinkk if you're @x33fcon physically or join online 😎
In this talk, @thefLinkk will outline the state of the art of implementing and hiding #offensive #tools as position independent code and how to apply key-less #polymorphism to evade #signatures. You simply can't miss it! More: x33fcon.com/#!/s/sebastianf.… See you in #Gdynia 🏖️😎🍹
5
12
Deserialization vulns via AMF. See codewhitesec.blogspot.de/201… for details. #RCE #JAVA
9
9
@JFrogSecurity Thank you for your great analysis at jfrog.com/blog/npm-supply-ch… your warnings to the affected organisations but we can resolve the uncertainty: the "attack" was a simulated but nonetheless realistic one by us for some of our contracted clients with their consent.
3
9
One of our Deserialization vulnerabilities is fixed: Atlassian Bamboo RCE confluence.atlassian.com/bam… . More to come!
11
8
We're excited to support #cidersecuritycon and its great cause taking place near our #mannheim office at the #technoseum
Time for breakfast and time to send a big thank you to our friends from @codewhitesec for supporting us by being our main sponsor!! Thanks!!
3
8
CW+=1; welcome @akuntsc onboard! #dockerislove more to come!
6
7
Code White is hiring! For our large scale red team penetration tests and tactical exploitations we are looking for experienced pros. #FinestHacking
8
7
Tnx for your cautious analysis but we can give the all-clear signal for that specific campaign as it was part of our realistic and continuous attack simulations for a few contracted clients with their consent. Appearently, showing "impact" increases awareness and preparedness 💪
3
8
and btw: make sure to hunt down your CW-CurryWurst right after the last talk. You will need it as foundation for the closing party @offensive_con #diamondsponsor
3
7
Java and command line injections in Windows. Enjoy @mwulftange's writeup at codewhitesec.blogspot.de/201…
9
7
Code White welcomes @tcs3c, third OSEE in our team :)
1
3
7