tutorials · 15 min
CVE-2025-20362 (auth bypass via path traversal, a variant of a 2018 bug) + CVE-2025-20333 (buffer overflow in a Lua script in WebVPN). Chained, pre-auth RCE as root on any ASA/FTD exposed to the internet. UAT4356 has been exploiting them since May 2025 and drops ROMMON persistence with a GRUB bootkit (RayInitiator) that survives reboot and upgrade.
· Manuel López Pérez
tutorials · 14 min
CVE-2025-49706 + CVE-2025-49704 give pre-auth RCE on on-prem SharePoint. The 8 July patch turns out to be incomplete and the variant CVE-2025-53770 + CVE-2025-53771 shows up, exploited at scale from 18 July. The spinstall0.aspx web shell steals the MachineKeys and persistence survives the patch.
· Manuel López Pérez
tutorials · 13 min
On 25 April M&S suspends its ecommerce. Vector: social engineering of the TCS helpdesk — outsourced IT provider — for credential reset. Scattered Spider as initial access, DragonForce as extortion affiliate. Co-op and Harrods fall in the following days with the same playbook. £300M declared impact. VM lab with compensating control.
· Manuel López Pérez
tutorials · 11 min
Huntress detects zero-day exploitation on 3 December of a bug in Cleo Harmony, VLTrader and LexiCom. The initial 5.8.0.21 patch does not mitigate; CVE-2024-55956 lands along with a second patch 5.8.0.24. Cl0p claims responsibility on 14 December. The group's third MFT in two years.
· Manuel López Pérez
tutorials · 10 min
On 25 July, Binarly publishes the result of auditing the firmware of ~900 devices: hundreds use AMI/Insyde test keys with the string "DO NOT TRUST" in the subject, and the private half is on GitHub. CVE-2024-8105, VU#455367, Secure Boot bypass by design.
· Manuel López Pérez
tutorials · 9 min
On 19 July 2024 at 04:09 UTC, a content update from CrowdStrike Falcon puts 8.5 million Windows machines into a reboot loop. Delta cancels 7,000 flights. The bug: a kernel-mode parser that reads field 21 of a template instance that only carries 20. How we got there, why the validator let it through, and what changes in EDR from here.
· Manuel López Pérez
tutorials · 9 min
On 1 July Qualys publishes a race condition in the OpenSSH signal handler that reintroduces a bug patched in 2006. Pre-auth RCE as root sounds apocalyptic. The fine print (glibc, x86, 10,000 connections, 6-8 hours of race window) brings the news back to its real size.
· Manuel López Pérez
tutorials · 11 min
Mandiant publishes the UNC5537 report on 10 June. Snowflake credentials stolen by infostealers between 2020 and 2024, accounts with no MFA and no network policy, mass exfil via COPY INTO. No CVE: just lax defaults and credentials nobody rotated.
· Manuel López Pérez
tutorials · 8 min
Pre-auth command injection in PAN-OS GlobalProtect. The SESSID cookie parameter gets interpolated into a shell to build a telemetry filename; metacharacters earn execution as root. Volexity tracks exploitation since 26 March, vendor confirms on 12 April.
· Manuel López Pérez
tutorials · 12 min
On 29 March Andres Freund finds a backdoor in xz-utils 5.6.0 and 5.6.1. The payload arrives via a build hook in m4/build-to-host.m4 that extracts a precompiled object from a test archive. The result modifies liblzma to intercept RSA_public_decrypt in sshd. "Jia Tan" had spent two and a half years building trust.
· Manuel López Pérez
tutorials · 10 min
CVE-2023-46805 (auth bypass via path traversal) + CVE-2024-21887 (command injection in /api/v1/license/keys-status). Chained, pre-auth RCE as root. Volexity publishes them on 10 January after detecting zero-day exploitation by UTA0178 since December. The official patch lands on 31 January, three weeks later.
· Manuel López Pérez
tutorials · 8 min
CVE-2023-4966 lets you read ~63 KB of NetScaler memory with a single HTTP request carrying an oversized Host header. Among the data: active session tokens. The attacker replays them and walks in as a valid user — no MFA. Boeing, ICBC, Comcast and more fall between October and November.
· Manuel López Pérez
