Eventvwr.exe UAC Bypass via mscfile: Anatomy of a Classic HKCU Registry Hijack

A walkthrough of the well-documented Windows UAC bypass that uses “eventvwr.exe”’s auto-elevate manifest plus a writable HKCU registry handler for the “mscfile” shell verb. Writing a single REG_SZ value under “HKCU\Software\Classes\mscfile\shell\open\command” and launching “eventvwr.exe” via “ShellExecuteEx” with the “runas” verb causes Windows to silently spawn the attacker’s payload at High integrity — no consent prompt. S12 reproduces the technique in a small C++ tool, demonstrates near-universal AV evasion on Kleenscan, and discusses the detection footprint.

Gogs Authenticated RCE via git rebase --exec Argument Injection (Unpatched)

Rapid7’s Jonah Burgess has disclosed a critical (CVSS 9.4) authenticated argument-injection RCE in the self-hosted Gogs Git server. Any authenticated user can create a branch named “--exec=”, open a pull request against a repository where “Rebase before merging” is enabled, and have Gogs run their command on the server when the merge fires. No admin rights required, no CVE assigned, no patch shipped — the maintainer was notified on 17 March 2026 and Rapid7 disclosed publicly on 28 May after two and a half months of silence. Roughly 1,141 internet-facing Gogs instances are exposed; a Metasploit module ships with the disclosure.

Writing Sync, Popping Cron: A Novel SQLite-Injection-to-Cron RCE on Synology BeeStation (CVE-2024-50629/50630/50631)

A deep technical write-up of the Synology BeeStation pre-auth-to-RCE chain disclosed by DEVCORE at Pwn2Own Ireland 2024 (CVE-2024-50629 CRLF injection, CVE-2024-50630 auth bypass via webapi-to-syncd domain-socket trust, CVE-2024-50631 SQL injection in update_settings) plus an N-day variant by Kiddo that swaps DEVCORE’s PHP-based RCE for a novel “ATTACH DATABASE” primitive against “/etc/cron.d/pwn.task”, exploiting cron’s line-skip tolerance to embed a working reverse-shell crontab inside an otherwise-binary SQLite file.

Calif’s AI Audit of FreeBSD: 15 Kernel Bugs (3 RCEs, 5 LPEs, 1 bhyve Escape) and Three Public CVE Writeups

Calif’s AI-assisted security team published a write-up of their FreeBSD kernel engagement: “15 bugs total” — 3 RCEs, 5 LPEs, 1 bhyve guest-to-host escape, plus memory disclosures and DoS — reported privately to FreeBSD with public PoCs released for three: CVE-2026-45250 (setcred sizeof confusion → stack overflow), CVE-2026-45253 (ptrace PT_SC_REMOTE missing bounds check → sysent OOB), and CVE-2026-45251 (procdesc UAF → arbitrary kernel-pointer writes via TAILQ_REMOVE on stale pd_selinfo). The exploits and writeups were generated by AI (OpenAI / Anthropic) and verified by humans before release. The remaining twelve bugs stay private until FreeBSD ships fixes.

CVE-2025-61622: PyFory Insecure Pickle Deserialization to Remote Code Execution

CVE-2025-61622 is an unauthenticated remote code execution in PyFory (formerly PyFury) 0.12.0–0.12.2 reachable through the library’s fallback path for unregistered types: “handle_unsupported_read()” instantiates a bare “pickle.Unpickler” with no “find_class” override and calls “.load()” on the attacker’s buffer, executing whatever “__reduce__” tuple they crafted. The attacker doesn’t even need PyFory installed — a stock “cloudpickle” payload pushed over a TCP socket is enough. Fixed in 0.12.3 by removing the pickle fallback entirely.

Visual Studio Extensions Revisited: Building, Publishing, and Hunting Malicious VSIXs

MDSec returns to the Visual Studio extension ecosystem three years after their VS Code work. A modern “VisualStudio.Extensibility” extension that fetches and runs an arbitrary .NET assembly via reflection — built from the stock template and published on the Marketplace under the “MSAzure” publisher (a renamed “Microsoft” publisher) with no security checks — takes around an hour to land. The second half of the post is a five-stage triage pipeline (Acquisition → Unpacking → Decompilation → LLM Triage → Agent Investigation) over the 8,566 analysable VSIX packages currently on the Marketplace, surfacing a backdoor-shaped “vs-publisher-1477920/FVsEx” extension that exfiltrates host info to “qweq.xyz” and dispatches commands to “cmd.exe”.

Reverse Engineering for Beginners: Defeating an XOR Crackme on Windows x64

A step-by-step walkthrough of reverse-engineering a Windows x64 crackme that XORs its input against a hard-coded 10-byte key before comparing it to an embedded array. Using x64dbg, we follow the password byte into RAX, find the XOR site at “0x40171E”, recover the key (“U V W X Y Z Q R S T”) from RBP-relative stack slots, then XOR the comparison array back through that key to recover the original password — “strongpass”. Source code is reproduced verbatim from the author’s GitHub.

CVE-2026-20182: Unauthenticated vHub Bypass in the Cisco Catalyst SD-WAN Controller

CVE-2026-20182 (CVSS 10.0, CWE-287) is a critical authentication bypass in the Cisco Catalyst SD-WAN Controller’s vdaemon DTLS service (UDP 12346). By presenting “device_type = 2” (vHub) during the CHALLENGE_ACK phase, an unauthenticated remote attacker hits a fall-through in “vbond_proc_challenge_ack()” that unconditionally sets “authenticated = 1” — from there it’s a short hop to “MSG_VMANAGE_TO_PEER” SSH-key injection into “/home/vmanage-admin/.ssh/authorized_keys” and full NETCONF control of the SD-WAN fabric. Discovered by Rapid7’s Stephen Fewer and Jonah Burgess; a Metasploit module ships with this post. Cisco has fixed it — upgrade now.

CVE-2026-40369: Arbitrary Kernel Address Increment via NtQuerySystemInformation

CVE-2026-40369 is a Windows kernel bug in “nt!ExpGetProcessInformation” that lets any unprivileged process — including one inside Chrome’s renderer sandbox — increment three DWORDs at an attacker-chosen kernel address per syscall, with no race condition, no heap spray, and 100% determinism. This deep dive walks Ori Nimron’s full exploit chain: KASLR via the prefetch side-channel, arbitrary kernel “read” via “CmpLayerVersions” type confusion (built on the Windows UTF-8 conversion path), token-privilege bitmask increment to grant SeDebugPrivilege, code injection into a SYSTEM process, and a clean restore of “CmpLayerVersionCount” at the end. Rewritten from the canonical pwn2nimron.com writeup with all original IDA decompilations and the PoC reproduced verbatim.

Ghidra Basics: Reverse-Engineering Cobalt Strike Shellcode and Extracting the C2 Server

A practical walkthrough of using Ghidra and x32dbg to disassemble a Cobalt Strike beacon shellcode, identify the PUSH/CALL EBP hash-then-dispatch pattern, resolve API hashes such as “0x726774c” (LoadLibraryA), “0xa779563a” (InternetOpenA) and “0xc69f8957” (InternetConnectA), recognise ROR13 as the hashing algorithm, and extract the C2 IP “195.211.98[.]91” from the decoded calls. Original rewrite of Matthew’s tutorial on embeeresearch.io with all 56 original screenshots preserved.