CVE-2025-8088 — Russia-Linked APTs Are Still Pwning Unpatched WinRAR Installs in Ukraine

CVE-2025-8088 — Russia-Linked APTs Are Still Pwning Unpatched WinRAR Installs in Ukraine

Eleven months after RarLab shipped WinRAR 7.13 to fix CVE-2025-8088, two Russia-aligned APT clusters (Earth Dahu / Gamaredon and SHADOW-EARTH-066 / UAC-0226) are still building fresh exploit samples for the path-traversal-via-NTFS-ADS bug. The two groups share an initial access vector and nothing else — one ships memory-resident compiled C++ stealers, the other pushes HTA+VBScript through Cloudflare Workers proxies — and both rely on the same structural failure: WinRAR has no auto-update and isn’t covered by enterprise patch management.

Vulnerabilities in Enterprise Audiovisual Hardware — Aver Cameras and Crestron TSW-1060 Tablets

Vulnerabilities in Enterprise Audiovisual Hardware — Aver Cameras and Crestron TSW-1060 Tablets

Meeting-room cameras and conference-room tablets are some of the least-monitored, most insecurely-configured attack surfaces in an enterprise. Spaceraccoon (Eugene Lim) walks through an unauthenticated RCE in Aver PTC320UV2 cameras (CVE-2026-26461), a command injection in the Crestron TSW-1060 console’s undocumented HDCP2XLOAD handler, a hardcoded Gingco app password leading to local file disclosure, and a weak DES-crypt admin-password scheme cracked in two seconds with Hashcat.

CVE-2018-8611 — Exploiting the Windows Kernel Transaction Manager (Part 1/5: Introduction)

CVE-2018-8611 — Exploiting the Windows Kernel Transaction Manager (Part 1/5: Introduction)

CVE-2018-8611 is a race-condition LPE in the Windows Kernel Transaction Manager (KTM), originally caught in the wild by Kaspersky’s AEP in October 2018 and patched in December 2018. This first instalment lays the KTM foundation — transaction managers, resource managers, transactions, enlistments — that the rest of the series builds on.

CuSafe — Catching Memory Corruption on Commodity NVIDIA GPUs

CuSafe — Catching Memory Corruption on Commodity NVIDIA GPUs (USENIX Security ’26)

CuSafe is a GPU memory sanitizer for off-the-shelf NVIDIA hardware. It combines pointer tagging with in-band buffer bounds via an LLVM 21 transform pass, ships in a 2 964–line implementation, catches every spatial and temporal bug in the authors’ 33-program test suite, and incurs an average 13% slowdown on 44 GPU workloads — including LLaMA2-7B and LLaMA3-8B inference — against compute-sanitizer’s 15× baseline.

Exploiting CVE-2024-1065 via the Page Cache — A Physical-Page UAF in the ARM Mali GPU Driver

CVE-2024-1065 is a physical-page use-after-free in the ARM Mali GPU kernel driver. Because the freed page lands in MIGRATE_MOVABLE, Dirty Pagetable and Dirty Cred do not apply — so this writeup uses a page-cache spray to swap the freed page into the in-memory copy of /usr/bin/passwd and gets root via execve() without touching disk.

Overcoming Space Restrictions with Egghunters in Windows Exploit Development — Savant Web Server 3.1, Syscall & SEH Egghunters, Heap Staging

Overcoming Space Restrictions with Egghunters in Windows Exploit Development — Savant Web Server 3.1, Syscall & SEH Egghunters, Heap Staging

When a Windows stack overflow gives you ~250 bytes of crash-buffer space but a useful Meterpreter payload is 400+ bytes, the answer is an egghunter. This walkthrough takes Savant Web Server 3.1 from initial crash to NT-level shell: partial overwrite to defeat the savant.exe null-byte module base, POP EAX RET gadget, a 7-byte conditional jump that exploits pre-zeroed memory, two independent buffers (URL path + HTTP body), then both classic egghunters — syscall-based on Windows 10 (with the NEG trick to encode 0x1C8 null-free) and the OS-agnostic SEH-based variant with a custom dispatcher handler.

Windows Win32k Elevation of Privilege Vulnerability (CVE-2021-1732): Walkthrough of the ConsoleControl Offset Confusion

Windows Win32k Elevation of Privilege Vulnerability (CVE-2021-1732): Walkthrough of the ConsoleControl Offset Confusion

CVE-2021-1732 is a Win32k local privilege escalation in win32kfull.sys. By flipping the 0x800 bit on tagWND with NtUserConsoleControl and returning a fake value from a user-mode callback inside xxxClientAllocWindowClassExtraBytes, an attacker turns the cbWndExtra length into a controllable kernel write offset and walks the token to NT AUTHORITY SYSTEM. End-to-end Metasploit PoC against Windows 10 20H2.