If you're looking for good guys ready and able to hack you, you don't need to look any further. We professionally find vulnerabilities before the bad guys do.
CVE-2026-5958: GNU sed 4.1e through 4.9 has a TOCTOU race condition. Run sed -i --follow-symlinks, and an attacker swapping a symlink between readlink() and open() causes sed to read from one file and write to another.
The race window is two syscalls: readlink() records the output path, then open() re-resolves the symlink. Swap the symlink between those calls - sed reads from the attacker file, and writes to the victim file.
Full breakdown:
https://t.co/rCXN68h8cz
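The defensive pattern for this class of bug, as an added example (this is my code, not sed's source and not the upstream fix): open the path first, then derive the canonical path from the descriptor that was actually opened, so there is no "resolve, then open" window for a link swap to land in. It assumes Linux (the /proc/self/fd/N readlink); the function and file names are mine.

```python
import os
import stat
import tempfile


def open_and_resolve(path):
    """Open `path` (symlinks followed) and return (fd, resolved, st).

    `resolved` is taken from the descriptor that was actually opened
    (Linux /proc/self/fd/N, an assumption of this example), not from a
    readlink() issued before open(). The open happens first, so nothing can
    be retargeted between "resolve" and "open". fstat/stat are then compared
    so a path that no longer names the opened inode is rejected rather than
    silently written to.
    """
    fd = os.open(path, os.O_RDONLY | os.O_CLOEXEC)
    try:
        resolved = os.readlink("/proc/self/fd/%d" % fd)
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise OSError("refusing to edit a non-regular file: %s" % path)
        st_path = os.stat(resolved)
        if (st.st_dev, st.st_ino) != (st_path.st_dev, st_path.st_ino):
            raise OSError("%s no longer refers to the opened file" % resolved)
        return fd, resolved, st
    except BaseException:
        os.close(fd)
        raise


def edit_in_place(path, transform):
    """sed -i --follow-symlinks style edit: read through the open descriptor,
    write the transformed bytes to a temp file in the *opened* file's
    directory, then rename over the resolved target. Returns that target."""
    fd, resolved, st = open_and_resolve(path)
    with os.fdopen(fd, "rb") as src:  # fdopen takes ownership of fd
        data = src.read()
    new_data = transform(data)
    tmp_fd, tmp_path = tempfile.mkstemp(dir=os.path.dirname(resolved),
                                        prefix=".inplace-")
    try:
        with os.fdopen(tmp_fd, "wb") as dst:
            os.fchmod(dst.fileno(), stat.S_IMODE(st.st_mode))  # keep mode bits
            dst.write(new_data)
            dst.flush()
            os.fsync(dst.fileno())
        os.replace(tmp_path, resolved)  # atomic rename on the same filesystem
    except BaseException:
        try:
            os.unlink(tmp_path)
        except FileNotFoundError:
            pass
        raise
    return resolved


def demo():
    """Constructed scenario: `link` -> target.txt beside an unrelated
    other.txt. Edit through the link and report what actually changed.
    Returns (replaced_path_is_target, target_text, other_text)."""
    d = tempfile.mkdtemp(prefix="inplace-demo-")
    target = os.path.join(d, "target.txt")
    other = os.path.join(d, "other.txt")
    link = os.path.join(d, "link")
    with open(target, "w") as f:
        f.write("hello world\n")
    with open(other, "w") as f:
        f.write("untouched\n")
    os.symlink(target, link)
    replaced = edit_in_place(link, lambda b: b.replace(b"hello", b"goodbye"))
    with open(target) as f:
        target_text = f.read()
    with open(other) as f:
        other_text = f.read()
    return os.path.samefile(replaced, target), target_text, other_text


if __name__ == "__main__":
    print(demo())  # → (True, 'goodbye world\n', 'untouched\n')
```

The point of the identity check at the end of open_and_resolve is that even the path read back from /proc is only used for the final rename; the bytes being edited always come from the descriptor, and a target that has been retargeted after the open is refused rather than overwritten.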
Our researcher logged into an MDM console as a user with zero UI permissions and walked out with developer access to every managed phone in the fleet. Two GETs. CVE-2025-1415 + CVE-2025-1416 in Proget MDM.
https://t.co/UAoBA4jzGy
We broke out of a bank lobby kiosk and ran a network scan. No segmentation. AD server, payment gateway, customer database - all reachable. Full internal access from a device anyone can walk up to.
Three CVEs in KioWare (CVE-2024-3459, CVE-2024-3460, CVE-2024-3461), plus a vendor patch bypass. The chain: brute-force the PIN, escape through a PDF viewer, escalate to SYSTEM. A $3 USB device starts it.
Most pentest scopes skip the kiosk. It is a $16 billion industry processing payments and PII on machines in public lobbies. If your kiosks are on the corporate network and not in your test scope, that is the gap.
Full writeup: https://t.co/cz2tRSod0n
Our researcher pulled firmware off a consumer MIPS router, emulated it in QEMU, and found a pre-auth stack buffer overflow in the login handler.
No canary. No NX. No PIE. Just kernel ASLR.
CVE is pending. Here is what the full chain looked like.
The hardest part was not finding the bug. It was debugging it.
The router runs CGI binaries - the HTTP server forks a new process per request. Process handles the request and exits. Your GDB session dies with it.
He had to build a GDB reconnection workflow:
- Set gdbserver to listen
- Fire the HTTP request
- Catch the forked CGI process before it exits
- Re-attach on every single request
On MIPS, the NOP instruction is 0x00000000. Four null bytes.
The overflow goes through sprintf. Null bytes terminate the copy. Standard NOP sleds are dead on arrival.
Our researcher opened Notepad on a locked kiosk, clicked File > Open, and was looking at the entire Windows filesystem.
No exploit. No special tools. A file dialog.
CVE-2024-3460 in KioWare for Windows.
Four CVEs. Three attack chains. Each reaches the underlying Windows host through a different path.
https://t.co/5aKigDr2LA
Part 3 soon: what happens when a compromised kiosk sits on a corporate network.
To deliver the payload we needed a trusted domain. The bank’s URL filter blocked our VPS.
What got through: OWASP Juice Shop. XSS in an intentionally vulnerable security training app with a high-reputation domain.
Someone is sending fake invoices to German companies using our name, logo, and VAT number.
The invoice: "GDPR/DSGVO Technical Compliance Audit" - 5,000 EUR - "pay immediately."
If you received one: don't pay. Report to local police. Forward to [email protected].
Our research team pointed at line 8 in a file and said "this is the payload." Line 8 looked empty.
It wasn't. 4,312 invisible Unicode characters - a full credential stealer that no editor, linter, or code review tool can display. That's GlassWorm.
The problem: every wave uses new package names, new extension IDs, new infrastructure. Signature-based detection is always one wave behind. So we built a scanner that detects the encoding technique itself.
Open source. Offline. pip install glassworm-hunter
https://t.co/Obnwai6zli
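Detection keyed on the encoding class rather than on package names, as an added example (my code, not glassworm-hunter's, and I make no claim about how that tool works): every line of a source file is checked for code points that render as nothing in an editor, and a line is reported with how many it carries and whether it would look empty once they are hidden. The code-point classes, the sample file and the function names are my assumptions.

```python
import unicodedata

# Control characters that legitimately appear in source files: tab, LF, CR, FF.
ALLOWED_CONTROL = {0x09, 0x0A, 0x0D, 0x0C}

# Visually blank code points that fall outside the general categories below:
# Hangul choseong/jungseong/compatibility/halfwidth fillers and Braille blank.
BLANK_EXTRA = {0x115F, 0x1160, 0x3164, 0xFFA0, 0x2800}


def is_invisible(ch):
    """True if `ch` renders as nothing (or only alters shaping) in an editor:
    format characters (Cf: zero-width space/joiner, BOM, soft hyphen, tag
    characters), stray controls (Cc), private use (Co), variation selectors
    (category Mn, so matched by range) and the fillers in BLANK_EXTRA."""
    cp = ord(ch)
    if cp in ALLOWED_CONTROL:
        return False
    if unicodedata.category(ch) in ("Cf", "Cc", "Co"):
        return True
    if 0xFE00 <= cp <= 0xFE0F or 0xE0100 <= cp <= 0xE01EF:
        return True  # variation selectors and the VS supplement block
    return cp in BLANK_EXTRA


def scan_source(text):
    """One finding per line that contains invisible code points: the line
    number, how many there are, a few of which ones, and whether the line
    would look empty once they are rendered (the "line 8 looked empty" case).
    Lines are split on LF only so numbering matches the editor's."""
    findings = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        hidden = [ch for ch in line if is_invisible(ch)]
        if not hidden:
            continue
        visible = "".join(ch for ch in line if not is_invisible(ch)).strip()
        findings.append({
            "line": lineno,
            "hidden_count": len(hidden),
            "sample": sorted({"U+%04X" % ord(c) for c in hidden})[:4],
            "looks_empty": visible == "",
        })
    return findings


def scan_file(path):
    """Scan a file on disk; undecodable bytes are replaced, not skipped."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return scan_source(f.read())


# Constructed sample (not a real package): an ordinary-looking module whose
# line 8 holds 4,312 variation selectors, blank in any editor, and whose
# line 3 carries a soft hyphen inside an identifier.
_HIDDEN_LINE = "".join(chr(0xE0100 + (i % 240)) for i in range(4312))
SAMPLE = "\n".join([
    "// constructed sample for the scanner, not a real package",
    "const fs = require('fs');",
    "function lo\u00adad(cfg) {",
    "  return cfg;",
    "}",
    "",
    "module.exports = { load };",
    _HIDDEN_LINE,
    "console.log('ready');",
])

if __name__ == "__main__":
    for finding in scan_source(SAMPLE):
        print(finding)
```

The two findings the sample produces illustrate the two shapes worth triaging differently: a line that looks empty but carries thousands of format characters is almost certainly a carrier, while a single soft hyphen inside an identifier is the homoglyph-style case that also defeats a reviewer's eye and should be treated as a hard failure in CI rather than a warning.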