AmberWolf

Full writeup, exploitation walkthroughs, and PoC on the blog: https://t.co/rwytRjESiL

NSIS is embedded in thousands of products. Any that launch a vulnerable installer from a privileged service could be affected. Both CVEs are patched - but silent patching from vendors means most customers never knew they were exposed.

We reported this in September 2025. Netskope restricted the unauthenticated routes in November 2025. Full write-up: https://t.co/WYLWSrjpUk (6/6)

🧵 Patch Bypass: Netskope Client for Windows — Local Privilege Escalation via Rogue Server (1/6)

Spin up a NachoVPN server on Azure App Service, reach it via rproxy, supply the hostname over IPC, and the allowlist check passes. SYSTEM shell in ~30 seconds. No changes to the original exploit chain required. (5/6)

👉 Full blog + demo: https://t.co/p4RE8ApDVu

🌌✨ The Saga Continues: MSI Strikes Back ✨🌌 TL;DR: Bypass for CVE-2024-12908 - Code execution via Delinea's protocol handler is back. Patch now!

A long time ago (well… last year), in a protocol handler not so far away, we showed how Delinea’s URL handler could be abused during update (CVE-2024-12908). We’ve now found a new path using msiexec’s PATCH to pull a remote MSP and execute code - even when the MSI is signed!

𝐉𝐮𝐬𝐭 𝐛𝐞𝐜𝐚𝐮𝐬𝐞 𝐢𝐭 𝐬𝐚𝐲𝐬 “𝐒𝐞𝐜𝐮𝐫𝐞” 𝐝𝐨𝐞𝐬 𝐧𝐨𝐭 𝐦𝐞𝐚𝐧 𝐢𝐭 𝐢𝐬 Authentication bypasses are not always just about going from unauthenticated to authenticated. What if other customers could gain access to your multi-tenant environment?

We also found all the credential material needed to exploit it available through OSINT, meaning the risk was not necessarily limited to other customers.