
Publications

Bypassing Windows authentication reflection mitigations for SYSTEM shells - Part ②

30/04/2026
Pentest
In part 1 of this blogpost series, we proved our initial theory that the patch for CVE-2025-33073 was insufficient, by disclosing a trivial NTLM reflection vulnerability leading to LPE. In this second part, we turn to Kerberos and explain how we achieved a full-blown RCE primitive as a domain user, via a completely novel Kerberos authentication coercion technique that abuses discrepancies in how different Windows components handle Unicode characters. Our research finally puts an end to authentication reflection vulnerabilities targe...

Bypassing Windows authentication reflection mitigations for SYSTEM shells - Part 1

27/04/2026
Pentest
A year ago, authentication reflection vulnerabilities resurfaced as a powerful attack vector through the discovery of CVE-2025-33073 by several security researchers, including us. This logical vulnerability allowed taking over almost any Windows machine without any user interaction. Following our analysis and the official patch by Microsoft, we had a gut feeling that the root cause of the issue was still not addressed. This two-part blogpost will cover our journey to bypass the mitigations, which led to the discovery of two new authe...

Hooking Windows Named Pipes

21/04/2026
Pentest
During security assessments, we often see desktop applications composed of several processes. Some of them run as SYSTEM, and others run in the user session context, meaning they are unprivileged. These processes need to communicate in some way, and often use Windows Named Pipes as their IPC (Inter-Process Communication) mechanism. Once opened, named pipes are a (usually) bidirectional communication channel, just like TCP or WebSocket, that may be used by a low-privileged process to attack an elevated process.

Beyond ACLs: Mapping Windows Privilege Escalation Paths with BloodHound

02/02/2026
Pentest
Windows privileges are special rights that grant processes the ability to perform sensitive operations. Some privileges allow bypassing standard Access Control List (ACL) checks, which can have significant security implications. While privileges like SeDebugPrivilege, SeImpersonatePrivilege or SeBackupPrivilege are frequently used by attackers to escalate their privileges, defenders can also leverage logon rights to limit lateral movement. With our pull requests in BloodHound, SharpHound and SharpHound...

Wireless-(in)Fidelity: Pentesting Wi-Fi in 2025

14/01/2026
Pentest
Despite the advancements that have been made in Wi-Fi security with the arrival of WPA3, some misconfigurations and legacy protocols still remain. In this blogpost, we share insights into Wi-Fi-related findings encountered during penetration testing engagements. We will present compromise methods, addressing both common scenarios and less conventional ones. The purpose of this article is to present a range of the most commonly useful attack methods in Wi-Fi penetration testing. By improving the understanding of these attacks, we hope ...

Livewire: remote command execution through unmarshaling

23/12/2025
Pentest
Livewire revolutionizes Laravel development by enabling real-time, interactive web interfaces using only PHP and Blade, removing the need for heavy JavaScript frameworks. Its innovative hydration system seamlessly instantiates and restores component states, supporting complex data types. However, this mechanism comes with a critical vulnerability: a dangerous unmarshalling process can be exploited as long as an attacker is in possession of the APP_KEY of the application. By crafting malicious payloads, attackers can manipulate Livewire...

ActivID administrator account takeover: the story behind HID-PSA-2025-002

12/12/2025
Pentest
In September 2025, we were asked by one of our clients to focus on a specific product: ActivID Appliance by HID. According to the vendor, this product is used worldwide to secure access to critical infrastructure and data. It supports a wide range of authentication methods including push authentication, OTP, PKI credentials, and static credentials. In this article we will walk you through the methodology we used to discover HID-PSA-2025-002, an authentication bypass in the SOAP API that can lead to administrative access on the applica...

Site Unseen: Enumerating and Attacking Active Directory Sites

05/11/2025
Pentest
Active Directory Sites are a feature that optimizes network performance and bandwidth usage in internal AD environments. They are commonly implemented by large, geographically dispersed organizations spanning multiple countries or continents. Sites have not received much attention from the Active Directory offensive research community compared to other ACL-based attack vectors. This article aims to demonstrate that not only do attack vectors targeting Active Directory sites exist, but that they can lead to impactful pr...

What could go wrong when MySQL strict SQL mode is off?

02/10/2025
Pentest
This article shows some examples of attacks that can abuse MySQL behavior when the strict SQL mode is disabled, especially when string characters are invalid in the current encoding. This happens when the encoding of the application (e.g. UTF-8) is wider than that of the database (e.g. ASCII).

The Phantom Extension: Backdooring Chrome through uncharted pathways

23/09/2025
Pentest
The increasing hardening of traditional Windows components such as LSASS has pushed attackers to explore alternative entry points. Among these, web browsers have emerged as highly valuable targets since they are now the primary gateway to sensitive data and enterprise cloud services. Numerous secrets, including tokens and credentials, flow through browsers, and their compromise can provide attackers with extensive access across an organization. This article presents a little-known technique for compromising Chromium-based browsers wi...