I'm excited to finally share Chronomaly, a kernel exploit for Android and Linux kernels 5.10.x using CVE-2025-38352.
As a reminder, please patch your Android devices if you haven't already!
I recommend getting some 🍿 before reading this post 👀
All links in the thread below:
Made an exploit for Net-SNMP's snmptrapd buffer overflow (CVE-2025-68615) due to missing type and bound checks. Though not exploitable due to ASLR/stack canaries. Quite interesting!
Blog: https://t.co/7XfPXAPtoR
PoC: https://t.co/Vya5FaSccN
Credit: buddurid (ZDI-25-1181)
Passed my BSCP certification with just 25 day preparation, preparation was great with PortSwigger's Lab challenges. Exam was quite a ride but definitely doable. Created a repository with all the payloads and techniques I encountered while preparing. https://t.co/sg9wC9zKpa
#bscp
Someone found an RCE on my website yesterday.
CVE-2025-55182.
React2Shell.
I don't have a bug bounty program.
I never asked for a security assessment.
I woke up to a DM: "Hey I found a critical vulnerability in your site. I only ran the exploit to verify it worked. Here's my PayPal for the bounty."
Bounty?
I checked my logs.
Forty-seven requests to my RSC endpoint.
Something, something ... Prototype pollution payloads.
They used the GitHub script.
The one with 2,000 stars.
The one that runs id automatically "for verification purposes."
They spawned a shell on my production server.
uid=1001(nextjs) gid=65533(nogroup)
They took a screenshot.
They posted it on Twitter.
"Popped a Shell on a Live Website 🚀💀 #BugBounty #CVE-2025-55182 #YOLO"
They got 84781 likes.
My customers' data was on that server.
I asked them to delete the screenshots.
They said "I removed the domain name, you should be thanking me."
Thanking them.
For unauthorized access to my production infrastructure.
For running arbitrary commands on systems I own.
For posting proof of exploitation for clout.
They called it "responsible disclosure."
I called my lawyer.
They called me "ungrateful."
I called the FBI.
Now they're in my DMs explaining that "this is how the industry works" and I "don't understand pen testing."
A pen what?
I understand it perfectly.
I understand that running https://t.co/C6kmBequB5 against random websites isn't research.
I understand that "I removed the identifying info" doesn't undo the unauthorized access.
I understand that #BugBounty doesn't apply when there's no bounty program.
I understand that finding my site on Shodan doesn't constitute authorization.
Their followers are defending them now.
"Presumption of innocence."
"You don't know if it was authorized."
"The screenshots were redacted."
Three hundred people are calling me a bootlicker for reporting a crime.
Someone said I should be grateful they didn't deploy a cryptominer.
The bar is underground.
I just wanted to run a small Next.js app.
I didn't ask to be someone's proof-of-concept.
I didn't consent to being their "first"
I didn't sign up for an unscheduled penetration test from a stranger with a GitHub account.
There is no safe harbor for spraying public exploits at random websites.
There is no legal protection for "I was just verifying the vulnerability."
There is no ethical framework where unauthorized prototype pollution is a favor.
But sure.
Thank you for your service.
You found a CVE that was already public.
Using a tool someone else wrote.
Against a target that never authorized you.
And you posted about it on main.
For likes.
Hero.
It also has auto diff in case you missed that fetches DLLs + runs diffs automatically, saving manual effort.
Heuristic-based detection for binaries without symbols is now supported, we are continuing to improve on that front with every update. [2/2]
@nicolaipre@gh0stbyt3@HexRaysSA That's something we have to try, we mostly used windows drivers and they're not that big. I have a perfect one to test this out, will definitely test and update. Thank you!
Teaming with @gh0stbyt3, we built DiffRays for headless IDA (@HexRaysSA) decompilation. It stores decompiled code in a SQLite DB and provides a Web UI for diffing between the stored functions. Built for vuln research.
https://t.co/U6RzM3XcXk
#pwnfuzz
@Void_Sec@gh0stbyt3@HexRaysSA Thanks for asking! So, BinDiff works on disassembly and Diaphora integrates with IDA plugin. DiffRays instead uses pseudocode via headless IDA, with CLI+web for portable/collab use and gives clear visualization of the metrics and simplified navigation.
This is absolute good, as an individual researcher, one wouldn't normally think of setting up the a honeypot and monitor it, spent around 3 nights to came up with exploit only to be outsmarted, this is absolute great! Awesome work as usual!
"Teach a hacker to find vulnerabilities, and they might find a couple. Teach a hacker to steal warez from another idiot, and they will feast for eternity"
Enjoy our analysis of CrushFTP's CVE-2025-54309, fueled by watchTowr's Attacker Eye
https://t.co/G2lHM4ASpd
We have reproduced "ToolShell", the unauthenticated exploit chain for CVE-2025-49706 + CVE-2025-49704 used by @_l0gg to pop SharePoint at #Pwn2Own Berlin 2025, it's really just one request! Kudos to @mwulftange
I made this tool that checks if drivers from https://t.co/QABNdVCnBU are blocked by HVCI. It helps identify vulnerable drivers not blocked by Windows Hypervisor Code Integrity policy to find suitable BYOVD candidates.
Tool: https://t.co/57NDRuKiby
#BYOVD#HVCI#Cybersecurity
Never assume you've understood a bug report correctly unless you've written a PoC for it (or an exploit if one is present). You'll be surprised to catch your slightest misunderstanding of a verbal description of an issue and it'll make you question your ability to read.
Developed an exploit for CVE-2025-21333 (quite unreliable): vulnerability in vkrnlintvsp.sys. Exploit code: https://t.co/PU1ZYSefnJ
Exploits a paged pool overflow overwriting a _IOP_MC_BUFFER_ENTRY*. Hope you find it useful in case not already shown🙂.