<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xml:base="/en" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:foaf="http://xmlns.com/foaf/0.1/" xmlns:og="http://ogp.me/ns#" xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#" xmlns:schema="http://schema.org/" xmlns:sioc="http://rdfs.org/sioc/ns#" xmlns:sioct="http://rdfs.org/sioc/types#" xmlns:skos="http://www.w3.org/2004/02/skos/core#" xmlns:xsd="http://www.w3.org/2001/XMLSchema#">
<channel>
<title>Last Blog Article</title>
<link>https://www.synacktiv.com/en.html</link>
<description/>
<language>en</language>
<item>
<title>Surviving the surge of new Linux LPE: Defense in Depth not dead</title>
<link>https://www.synacktiv.com/en/publications/surviving-the-surge-of-new-linux-lpe-defense-in-depth-not-dead.html</link>
<description>Thanks to AI-assisted vulnerability research and kernel patch diffing that breaks "responsible disclosure" embargos, it's quite the overwhelming time for defenders. There's been a weekly reveal of new Linux critical vulnerabilities, with full exploit scripts made public days before patches are widely available.

Yet, most of the exploitation chains that have been recently published can be mitigated by tried-and-true Linux security hardening, giving wary defenders time to patch while N-day attackers try their shiny new ./exploit.sh.

Let's review some of them!

</description>
<pubDate/>
<dc:creator>Romain Huon</dc:creator>
<guid isPermaLink="true">https://www.synacktiv.com/en/publications/surviving-the-surge-of-new-linux-lpe-defense-in-depth-not-dead.html</guid>
</item>
<item>
<title>Exploiting the Tesla Wall Connector from its charge port connector - Part 2: bypassing the anti-downgrade</title>
<link>https://www.synacktiv.com/en/publications/exploiting-the-tesla-wall-connector-from-its-charge-port-connector-part-2-bypassing.html</link>
<description>In a previous article, we presented an attack against the Tesla Wall Connector Gen 3 used during Pwn2Own Automotive 2025. The exploit chain relied on a simple fact: there was no anti-downgrade mechanism. Once we could speak UDS over the charging cable, we could just write an old, vulnerable firmware to the passive slot, reboot, and pop the debug shell.

Tesla then shipped a firmware update that adds an anti-downgrade check to the update routine. Every firmware image now carries a security ratchet value, and the updater refuses any image whose ratchet is lower than the one stored on the device.

This second article describes how this anti-downgrade works, and how we bypassed it by abusing the order of operations between the partition table write and the slot erase, replaying the original Pwn2Own attack on a fully up-to-date charger.

This is one of those vulnerabilities you find by hand, with a coffee, an IDA window, and zero help from a language model. Do you remember those good old days?

</description>
<pubDate/>
<dc:creator>David Berard</dc:creator>
<guid isPermaLink="true">https://www.synacktiv.com/en/publications/exploiting-the-tesla-wall-connector-from-its-charge-port-connector-part-2-bypassing.html</guid>
</item>
<item>
<title>Make it Blink: Over-the-Air Exploitation of the Philips Hue Bridge</title>
<link>https://www.synacktiv.com/en/publications/make-it-blink-over-the-air-exploitation-of-the-philips-hue-bridge.html</link>
<description>The year-end edition of Pwn2Own took place in Cork, Ireland. For the first time, this event featured smart home devices, including the Amazon Smart Plug, Home Assistant Green, and the Philips Hue Bridge. The attack scenario defined by the ZDI involved an adversary with access to services listening on the local network, or launching an attack via a proximity network (Wi-Fi, Bluetooth, Zigbee). This article details the research conducted on the Philips Hue Bridge to achieve remote code execution (RCE) from the Zigbee network.

</description>
<pubDate/>
<dc:creator>Webmaster</dc:creator>
<guid isPermaLink="true">https://www.synacktiv.com/en/publications/make-it-blink-over-the-air-exploitation-of-the-philips-hue-bridge.html</guid>
</item>
<item>
<title>Bypassing Windows authentication reflection mitigations for SYSTEM shells - Part ②</title>
<link>https://www.synacktiv.com/en/publications/bypassing-windows-authentication-reflection-mitigations-for-system-shells-part.html</link>
<description>In part 1 of this blogpost series, we proved our initial theory that the patch for CVE-2025-33073 was insufficient, by disclosing a trivial NTLM reflection vulnerability leading to LPE.

In this second part, we turn to Kerberos and explain how we achieved a full-blown RCE primitive as a domain user, via a completely novel Kerberos authentication coercion technique that abuses discrepancies in how different Windows components handle Unicode characters.

Our research finally puts an end to authentication reflection vulnerabilities targeting the SMB service. That said, this vulnerability class is not dead yet.

</description>
<pubDate/>
<dc:creator>Webmaster</dc:creator>
<guid isPermaLink="true">https://www.synacktiv.com/en/publications/bypassing-windows-authentication-reflection-mitigations-for-system-shells-part.html</guid>
</item>
<item>
<title>Bypassing Windows authentication reflection mitigations for SYSTEM shells - Part 1</title>
<link>https://www.synacktiv.com/en/publications/bypassing-windows-authentication-reflection-mitigations-for-system-shells-part-1.html</link>
<description>A year ago, authentication reflection vulnerabilities resurfaced as a powerful attack vector through the discovery of CVE-2025-33073 by several security researchers, including us. This logical vulnerability allowed taking over almost any Windows machine without any user interaction. Following our analysis and the official patch by Microsoft, we had a gut feeling that the root cause of the issue was still not addressed.

This two-part blogpost will cover our journey to bypass the mitigations, which led to the discovery of two new authentication reflection vulnerabilities. In this first part, we will lay the foundation of our research, describe our methodology and disclose the first vulnerability that we uncovered: a trivial local privilege escalation via NTLM reflection.

</description>
<pubDate/>
<dc:creator>Webmaster</dc:creator>
<guid isPermaLink="true">https://www.synacktiv.com/en/publications/bypassing-windows-authentication-reflection-mitigations-for-system-shells-part-1.html</guid>
</item>
<item>
<title>Say hi to Pike!</title>
<link>https://www.synacktiv.com/en/publications/say-hi-to-pike.html</link>
<description>In this article we will introduce Pike, an experimental LLM agent that generates and analyzes Linux program execution traces. We will show that with its simple architecture paired with a good LLM, Pike can quickly help debug a crash, identify malware, or give valuable high level insights via a natural chat interface.

</description>
<pubDate/>
<dc:creator>Maxime Desbrus</dc:creator>
<guid isPermaLink="true">https://www.synacktiv.com/en/publications/say-hi-to-pike.html</guid>
</item>
<item>
<title>Hooking Windows Named Pipes</title>
<link>https://www.synacktiv.com/en/publications/hooking-windows-named-pipes.html</link>
<description>During security assessments, we often see desktop applications composed of several processes. Some of them run as SYSTEM, and others run in the user session context, meaning they are unprivileged. These processes need to communicate in some way, and often use Windows Named Pipes as an inter-process communication (IPC) mechanism. Once opened, a named pipe is a (usually) bidirectional communication channel, just like TCP or WebSocket, that may be used by a low-privileged process to attack an elevated process.

</description>
<pubDate/>
<dc:creator>Thomas Borot</dc:creator>
<guid isPermaLink="true">https://www.synacktiv.com/en/publications/hooking-windows-named-pipes.html</guid>
</item>
<item>
<title>Kubernetes forensics 1/3: what the container?</title>
<link>https://www.synacktiv.com/en/publications/kubernetes-forensics-13-what-the-container.html</link>
<description>In 2025, Synacktiv CSIRT observed a significant rise in attacks and compromises targeting Kubernetes environments. The consensus is that these attacks are bound to keep expanding as much as the technology itself. To better understand how a Kubernetes cluster works and how to investigate one during a security incident, we decided to work on a series of articles about Kubernetes forensics. This one is the first of the series, focusing on the underlying container technology.

</description>
<pubDate/>
<dc:creator>Noam Leipold</dc:creator>
<guid isPermaLink="true">https://www.synacktiv.com/en/publications/kubernetes-forensics-13-what-the-container.html</guid>
</item>
<item>
<title>Exploring cross-domain &amp; cross-forest RBCD</title>
<link>https://www.synacktiv.com/en/publications/exploring-cross-domain-cross-forest-rbcd.html</link>
<description>The Resource-based Constrained Delegation (RBCD) attack is well known to pentesters and attackers: by editing the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of a machine account, an attacker can impersonate users on said machine. Even though this attack mechanism has been thoroughly documented on a single domain, and can be performed with Impacket or Rubeus, only a few resources mention its implementation on cross-domain and cross-forest environments. In this article, we present the cross-domain and cross-forest RBCD workflow, along with an Impacket script implementation to carry out these attacks.

</description>
<pubDate/>
<dc:creator>Webmaster</dc:creator>
<guid isPermaLink="true">https://www.synacktiv.com/en/publications/exploring-cross-domain-cross-forest-rbcd.html</guid>
</item>
<item>
<title>Deep-dive into the deployment of an on-premise low-privileged LLM server</title>
<link>https://www.synacktiv.com/en/publications/deep-dive-into-the-deployment-of-an-on-premise-low-privileged-llm-server.html</link>
<description>In 1826, children fantasized about riding horses in the Wild West. In 1926, it was outrunning the law as a moonshiner. In 2026, managing distributed inference servers without leaking all the company data is surely a universal dream among the new generation. This article rewinds our journey deploying an on-premise LLM server, with a critical eye on the underlying stack security.

</description>
<pubDate/>
<dc:creator>Webmaster</dc:creator>
<guid isPermaLink="true">https://www.synacktiv.com/en/publications/deep-dive-into-the-deployment-of-an-on-premise-low-privileged-llm-server.html</guid>
</item>
<item>
<title>mitmproxy for fun and profit: Interception and Analysis of Application Traffic</title>
<link>https://www.synacktiv.com/en/publications/mitmproxy-for-fun-and-profit-interception-and-analysis-of-application-traffic.html</link>
<description>A solid understanding of the protocols used by applications is a necessary prerequisite when assessing application security. In recent projects, we have had to intercept various types of network traffic across different platforms, including Linux, Android, and iOS. The purpose of this article is to introduce the mitmproxy tool and how to use it, as well as the different techniques that can be implemented to effectively intercept these communications, while taking into account the specific characteristics of each environment.

</description>
<pubDate/>
<dc:creator>Webmaster</dc:creator>
<guid isPermaLink="true">https://www.synacktiv.com/en/publications/mitmproxy-for-fun-and-profit-interception-and-analysis-of-application-traffic.html</guid>
</item>
<item>
<title>2025 winter challenge writeup</title>
<link>https://www.synacktiv.com/en/publications/2025-winter-challenge-writeup.html</link>
<description>Creating quines is a game that has always fascinated computer scientists. The journal Software: Practice and Experience dedicated an article to the subject in 1972—well before Intel released its first 32-bit x86 processor (1985). Even today, many enthusiasts continue to explore the intriguing universe of quines, such as Amy Burnett with her impressive JPEG Hash Quine or Yusuke Endoh’s legendary Uroboros Quine. In 2025, Synacktiv carried on this tradition by proposing two new variations of this type of puzzle: OCInception and Quinindrome. In this article, you will find the results of this latest winter challenge, alongside a breakdown of the winning solution and the most creative approaches.

</description>
<pubDate/>
<dc:creator>Webmaster</dc:creator>
<guid isPermaLink="true">https://www.synacktiv.com/en/publications/2025-winter-challenge-writeup.html</guid>
</item>
<item>
<title>Beyond ACLs: Mapping Windows Privilege Escalation Paths with BloodHound</title>
<link>https://www.synacktiv.com/en/publications/beyond-acls-mapping-windows-privilege-escalation-paths-with-bloodhound.html</link>
<description>Windows privileges are special rights that grant processes the ability to perform sensitive operations. Some privileges allow bypassing standard Access Control List (ACL) checks, which can lead to significant security implications.

While privileges like SeDebugPrivilege, SeImpersonatePrivilege or SeBackupPrivilege are frequently used by attackers to escalate their privileges, it is also possible for defenders to leverage logon rights privileges to limit lateral movement. With our pull requests in BloodHound, SharpHound and SharpHoundCommon, it is now possible to enumerate which privileges and logon rights are assigned to users and machines across the network and thus identify local privilege escalation paths.

</description>
<pubDate/>
<dc:creator>Webmaster</dc:creator>
<guid isPermaLink="true">https://www.synacktiv.com/en/publications/beyond-acls-mapping-windows-privilege-escalation-paths-with-bloodhound.html</guid>
</item>
<item>
<title>On the clock: Escaping VMware Workstation at Pwn2Own Berlin 2025</title>
<link>https://www.synacktiv.com/en/publications/on-the-clock-escaping-vmware-workstation-at-pwn2own-berlin-2025.html</link>
<description>At Pwn2Own Berlin 2025, we exploited VMware Workstation by abusing a heap overflow in its PVSCSI controller implementation. The vulnerable allocation landed in the LFH allocator of Windows 11, whose exploit mitigations posed a major challenge. We overcame this through a complex interplay of techniques: defeating the LFH randomization using a side-channel; shaping and carefully preserving an exploitable heap layout; and abusing subtle behaviors of the vulnerable function to create powerful primitives. Ultimately, the exploit worked on the first attempt, though getting there was anything but simple.

</description>
<pubDate/>
<dc:creator>Webmaster</dc:creator>
<guid isPermaLink="true">https://www.synacktiv.com/en/publications/on-the-clock-escaping-vmware-workstation-at-pwn2own-berlin-2025.html</guid>
</item>
<item>
<title>Wireless-(in)Fidelity: Pentesting Wi-Fi in 2025</title>
<link>https://www.synacktiv.com/en/publications/wireless-infidelity-pentesting-wi-fi-in-2025.html</link>
<description>Despite the advancements that have been made in Wi-Fi security with the arrival of WPA3, some misconfigurations and legacy protocols still remain. In this blogpost, we share insights into Wi-Fi related findings encountered during penetration testing engagements. We will present compromise methods, addressing both common scenarios and less conventional ones. The purpose of this article is to present a range of the most commonly useful attack methods in Wi-Fi penetration testing. By improving the understanding of these attacks, we hope to raise awareness on the importance of Wi-Fi security for businesses.

</description>
<pubDate/>
<dc:creator>Webmaster</dc:creator>
<guid isPermaLink="true">https://www.synacktiv.com/en/publications/wireless-infidelity-pentesting-wi-fi-in-2025.html</guid>
</item>
<item>
<title>Livewire: remote command execution through unmarshaling</title>
<link>https://www.synacktiv.com/en/publications/livewire-remote-command-execution-through-unmarshaling.html</link>
<description>Livewire revolutionizes Laravel development by enabling real-time, interactive web interfaces using only PHP and Blade, removing the need for heavy JavaScript frameworks. Its innovative hydration system seamlessly instantiates and restores component states, supporting complex data types.

However, this mechanism comes with a critical vulnerability: a dangerous unmarshalling process can be exploited as long as an attacker is in possession of the APP_KEY of the application. By crafting malicious payloads, attackers can manipulate Livewire’s hydration process to execute arbitrary code, from simple function calls to stealthy remote command execution.

Finally, our research uncovered a pre-authenticated remote code execution vulnerability in Livewire, exploitable even without knowledge of the application’s APP_KEY. By analyzing Livewire’s recursive hydration mechanism, we found that attackers could inject malicious synthesizers through the updates field in Livewire requests, leveraging PHP’s loose typing and nested array handling. This technique bypasses checksum validation, allowing arbitrary object instantiation and leading to full system compromise.

</description>
<pubDate/>
<dc:creator>Webmaster</dc:creator>
<guid isPermaLink="true">https://www.synacktiv.com/en/publications/livewire-remote-command-execution-through-unmarshaling.html</guid>
</item>
<item>
<title>Exploiting Anno 1404</title>
<link>https://www.synacktiv.com/en/publications/exploiting-anno-1404.html</link>
<description>Anno 1404 is a strategy game developed by Related Designs and published by Ubisoft. It is a real-time strategy game that focuses on city management and construction. The Anno 1404: Venice expansion, released in 2010, includes an online and local area network multiplayer mode. During our research, we discovered several vulnerabilities that, when combined, allow for arbitrary code execution from within the multiplayer mode.

</description>
<pubDate/>
<dc:creator>Thomas Dubier</dc:creator>
<guid isPermaLink="true">https://www.synacktiv.com/en/publications/exploiting-anno-1404.html</guid>
</item>
<item>
<title>ActivID administrator account takeover: the story behind HID-PSA-2025-002</title>
<link>https://www.synacktiv.com/en/publications/activid-administrator-account-takeover-the-story-behind-hid-psa-2025-002.html</link>
<description>In September 2025, we were asked by one of our clients to focus on a specific product: ActivID Appliance by HID. According to the vendor, this product is used worldwide to secure access to critical infrastructure and data. It supports a wide range of authentication methods including push authentication, OTP, PKI credentials, and static credentials. In this article we will walk you through the methodology we used to discover HID-PSA-2025-002, an authentication bypass in the SOAP API that can lead to administrative access on the application.

</description>
<pubDate/>
<dc:creator>Webmaster</dc:creator>
<guid isPermaLink="true">https://www.synacktiv.com/en/publications/activid-administrator-account-takeover-the-story-behind-hid-psa-2025-002.html</guid>
</item>
<item>
<title>2025 Winter Challenge: Quinindrome</title>
<link>https://www.synacktiv.com/en/publications/2025-winter-challenge-quinindrome.html</link>
<description>A few months have passed and the first snowflakes have fallen since the end of the Synacktiv Summer Challenge. This event was a success, with one of the participants even finding a zero-day vulnerability while working on his solution! Although it hasn't been made public yet, it will be covered in an upcoming article on the Synacktiv website. As winter is coming, it's now time to introduce the Synacktiv Winter Challenge! Join other participants in this code golf contest and send us your solution before January 1st 🏌️. 

</description>
<pubDate/>
<dc:creator>Webmaster</dc:creator>
<guid isPermaLink="true">https://www.synacktiv.com/en/publications/2025-winter-challenge-quinindrome.html</guid>
</item>
<item>
<title>Breaking the BeeStation: Inside Our Pwn2Own 2025 Exploit Journey</title>
<link>https://www.synacktiv.com/en/publications/breaking-the-beestation-inside-our-pwn2own-2025-exploit-journey.html</link>
<description>This article documents our successful exploitation at Pwn2Own Ireland 2025 against the BeeStation Plus. We walk through the full vulnerability research process, including attack surface enumeration, code auditing, exploit development, and ultimately obtaining a root shell on the target.

</description>
<pubDate/>
<dc:creator>Webmaster</dc:creator>
<guid isPermaLink="true">https://www.synacktiv.com/en/publications/breaking-the-beestation-inside-our-pwn2own-2025-exploit-journey.html</guid>
</item>
<item>
<title>Site Unseen: Enumerating and Attacking Active Directory Sites</title>
<link>https://www.synacktiv.com/en/publications/site-unseen-enumerating-and-attacking-active-directory-sites.html</link>
<description>Active Directory Sites are a feature that allows optimizing network performance and bandwidth usage in AD internal environments. They are commonly implemented by large, geographically dispersed organizations spanning multiple countries or continents.

Sites have not received much attention from the Active Directory offensive research community, compared to other ACL-based attack vectors. This article aims to demonstrate that not only do attack vectors targeting Active Directory sites exist, but that they can lead to impactful privilege escalation scenarios and to domain(s) compromise.

We will describe a pull request that we submitted to the BloodHound project in order to enumerate Site ACL attack paths, and how to exploit those paths in an efficient way with the tools that we recently released, related to GPO-based exploit vectors. Said compromise scenarios may allow attackers to elevate their privileges, as well as move laterally within an Active Directory forest.

</description>
<pubDate/>
<dc:creator>Quentin Roland</dc:creator>
<guid isPermaLink="true">https://www.synacktiv.com/en/publications/site-unseen-enumerating-and-attacking-active-directory-sites.html</guid>
</item>
<item>
<title>Creating a "Two-Face" Rust binary on Linux</title>
<link>https://www.synacktiv.com/en/publications/creating-a-two-face-rust-binary-on-linux.html</link>
<description>In this article we will describe a technique to easily create a "Two-Face" Rust binary on Linux: an executable file that runs a harmless program most of the time, but will run a different, hidden code if deployed on a specific target host. This approach, which allows binding a binary to its environment, can be useful for a targeted malware payload or, more commonly, in a license protection mechanism.

We will also detail how to make the "hidden" binary more difficult to inspect in memory.

</description>
<pubDate/>
<dc:creator>Maxime Desbrus</dc:creator>
<guid isPermaLink="true">https://www.synacktiv.com/en/publications/creating-a-two-face-rust-binary-on-linux.html</guid>
</item>
<item>
<title>Paint it blue: Attacking the bluetooth stack</title>
<link>https://www.synacktiv.com/en/publications/paint-it-blue-attacking-the-bluetooth-stack.html</link>
<description>Bluetooth has always been an attractive target for attackers since it is present almost everywhere (TV, automotive charger, connected fridge, etc.). This is especially true on mobile devices, as it runs as a privileged process with potential access to the microphone, address book, etc.

In September and October 2023, Android published security bulletins addressing critical vulnerabilities in their Bluetooth stack (Fluoride), which could lead to remote code execution. CVE-2023-40129 is an integer underflow in the GATT protocol, which is accessible without authentication or user interaction. It was very challenging to exploit as it was causing a 64 KB heap overflow, acting like a tsunami devastating everything in its path, leading the Bluetooth process to an almost certain death.

In this blogpost, we detail how we exploited this vulnerability on both Android native allocators: Scudo and Jemalloc.

</description>
<pubDate/>
<dc:creator>Webmaster</dc:creator>
<guid isPermaLink="true">https://www.synacktiv.com/en/publications/paint-it-blue-attacking-the-bluetooth-stack.html</guid>
</item>
<item>
<title>Quantum readiness: Hybridizing key exchanges</title>
<link>https://www.synacktiv.com/en/publications/quantum-readiness-hybridizing-key-exchanges.html</link>
<description>Following our previous article on signature hybridization, this article covers the basics of hybridizing your key exchanges to ensure maximal security of your data.

</description>
<pubDate/>
<dc:creator>Antoine Gicquel</dc:creator>
<guid isPermaLink="true">https://www.synacktiv.com/en/publications/quantum-readiness-hybridizing-key-exchanges.html</guid>
</item>
<item>
<title>LinkPro: eBPF rootkit analysis</title>
<link>https://www.synacktiv.com/en/publications/linkpro-ebpf-rootkit-analysis.html</link>
<description>During a digital investigation related to the compromise of an AWS-hosted infrastructure, a stealthy backdoor targeting GNU/Linux systems was discovered. This backdoor features functionalities relying on the installation of two eBPF modules, on the one hand to conceal itself, and on the other hand to be remotely activated upon receiving a "magic packet". This article details the capabilities of this rootkit and presents the infection chain observed in this case, which allowed its installation on several nodes of an AWS EKS environment.

</description>
<pubDate/>
<dc:creator>Webmaster</dc:creator>
<guid isPermaLink="true">https://www.synacktiv.com/en/publications/linkpro-ebpf-rootkit-analysis.html</guid>
</item>
<item>
<title>LLM Poisoning [1/3] - Reading the Transformer's Thoughts</title>
<link>https://www.synacktiv.com/en/publications/llm-poisoning-13-reading-the-transformers-thoughts.html</link>
<description>Your local LLM can hack you.

This three-part series reveals how tiny weight edits can implant stealthy backdoors that stay dormant in everyday use, then fire on specific inputs, turning a "safe" offline model into an attacker. This article shows how transformers encode concepts and how to detect them in their internal activations.

</description>
<pubDate/>
<dc:creator>Webmaster</dc:creator>
<guid isPermaLink="true">https://www.synacktiv.com/en/publications/llm-poisoning-13-reading-the-transformers-thoughts.html</guid>
</item>
<item>
<title>What could go wrong when MySQL strict SQL mode is off?</title>
<link>https://www.synacktiv.com/en/publications/what-could-go-wrong-when-mysql-strict-sql-mode-is-off.html</link>
<description>This article shows some examples of attacks that can abuse MySQL behavior when the strict SQL mode is disabled, especially when string characters are invalid in the current encoding. This happens when the encoding of the application (e.g. UTF-8) is wider than that of the database (e.g. ASCII).

</description>
<pubDate/>
<dc:creator>Webmaster</dc:creator>
<guid isPermaLink="true">https://www.synacktiv.com/en/publications/what-could-go-wrong-when-mysql-strict-sql-mode-is-off.html</guid>
</item>
<item>
<title>Quantum readiness: Hybridizing signatures</title>
<link>https://www.synacktiv.com/en/publications/quantum-readiness-hybridizing-signatures.html</link>
<description>In light of new legal requirements being enacted in many countries for software providers to adopt hybrid post-quantum cryptography, Synacktiv has initiated research into these novel cryptographic algorithms. After having studied what makes post-quantum cryptography “post-quantum” in the previous articles, we now dissect the concept of hybridization, a vital mechanism for a safe transition. This first article focuses on hybridizing signature schemes, while a follow-up one will tackle key exchanges.

</description>
<pubDate/>
<dc:creator>Antoine Gicquel</dc:creator>
<guid isPermaLink="true">https://www.synacktiv.com/en/publications/quantum-readiness-hybridizing-signatures.html</guid>
</item>
<item>
<title>appledb_rs, a research support tool for Apple platforms</title>
<link>https://www.synacktiv.com/en/publications/appledbrs-a-research-support-tool-for-apple-platforms.html</link>
<description>Over the years, research on Apple platforms has become significantly more complex, largely due to the numerous countermeasures deployed by the Cupertino company. To address this challenge during our missions on these platforms, we developed appledb_rs: an open-source tool (https://github.com/synacktiv/appledb_rs) that extracts data from IPSW files (archives containing Apple firmware) and organizes it in a structured way, facilitating exploration and analysis.

</description>
<pubDate/>
<dc:creator>Webmaster</dc:creator>
<guid isPermaLink="true">https://www.synacktiv.com/en/publications/appledbrs-a-research-support-tool-for-apple-platforms.html</guid>
</item>
<item>
<title>The Phantom Extension: Backdooring Chrome through uncharted pathways</title>
<link>https://www.synacktiv.com/en/publications/the-phantom-extension-backdooring-chrome-through-uncharted-pathways.html</link>
<description>The increasing hardening of traditional Windows components such as LSASS has pushed attackers to explore alternative entry points. Among these, web browsers have emerged as highly valuable targets since they are now the primary gateway to sensitive data and enterprise cloud services. Numerous secrets, including tokens and credentials, flow through browsers, and their compromise can provide attackers with extensive access across an organization. This article presents a little-known technique for compromising Chromium-based browsers within Windows domains by forcing the loading of arbitrary extensions. When successfully applied, this method results in complete browser compromise.

</description>
<pubDate/>
<dc:creator>Webmaster</dc:creator>
<guid isPermaLink="true">https://www.synacktiv.com/en/publications/the-phantom-extension-backdooring-chrome-through-uncharted-pathways.html</guid>
</item>
</channel>
</rss>