Security incident? Suspected breach? 09 71 18 27 69csirt@synacktiv.com

Publications

KYC : Bypass age verification using generative video models

06/07/2026
Pentest
Historically reserved for the banking sector, the KYC (Know Your Customer) process is now making its way into many online services, driven by increasingly strict legislation on anonymity and age verification. To comply, platforms deploy significant measures aimed at guaranteeing the "proof of life" of the user behind their webcam or smartphone. However, the meteoric rise of generative video AI models completely reshuffles the deck, offering attackers formidable and accessible tools to fool these systems. The French PVID framework aims...

Exploring cross-domain & cross-forest RBCD: part 2

02/07/2026
Pentest
Kerberos delegation capabilities in Linux-based tooling have been extended to allow impersonating any user within a forest. This assumed identity can then be leveraged to access resources across any domain within that forest, or even in a remote forest, provided that a trust relationship exists and appropriate delegation rights are configured. This article provides a deep dive into recursive Kerberos delegation exchanges through complex multi-domain chains. Finally, we demonstrate the feasibility of the SPN-less RBCD attack in both cr...

Caught in the Octopus Trap: Unauthenticated RCE in Argo CD with CodeQL

01/07/2026
Pentest
Synacktiv has discovered an unauthenticated arbitrary code execution vulnerability in ArgoCD's repo-server component, potentially allowing full cluster compromise. This article explains how the vulnerability was identified using CodeQL, details the exploitation process to gain control over the underlying Kubernetes cluster, and introduces a tool for automating the attack.

Bypassing Windows authentication reflection mitigations for SYSTEM shells - Part ②

30/04/2026
Pentest
In part 1 of this blogpost series, we proved our initial theory that the patch for CVE-2025-33073 was insufficient, by disclosing a trivial NTLM reflection vulnerability leading to LPE. In this second part, we turn to Kerberos and explain how we achieved a full-blown RCE primitive as a domain user, via a completely novel Kerberos authentication coercion technique that abuses discrepancies in how different Windows components handle Unicode characters. Our research finally puts an end to authentication reflection vulnerabilities targe...

Bypassing Windows authentication reflection mitigations for SYSTEM shells - Part 1

27/04/2026
Pentest
A year ago, authentication reflection vulnerabilities resurfaced as a powerful attack vector through the discovery of CVE-2025-33073 by several security researchers, including us. This logical vulnerability allowed taking over almost any Windows machine without any user interaction. Following our analysis and the official patch by Microsoft, we had a gut feeling that the root cause of the issue was still not addressed. This two-part blogpost will cover our journey to bypass the mitigations, which led to the discovery of two new authe...

Hooking Windows Named Pipes

21/04/2026
Pentest
During security assessments, we often see desktop applications composed of several processes. Some of them run as SYSTEM, and others run in the user session context, meaning they are unprivileged. These processes need to communicate in some way, and often use Windows Named Pipes as IPC mechanisms (Inter-Process-Communication). Once opened, named pipes are a (usually) bidirectional communication channel, just like TCP or Websocket, that may be used by a low privileged process to attack an elevated process.

Beyond ACLs: Mapping Windows Privilege Escalation Paths with BloodHound

02/02/2026
Pentest
Windows privileges are special rights that grant processes the ability to perform sensitive operations. Some privileges allow bypassing standard Access Control List (ACL) checks, which can lead to significant security implications. While privileges like SeDebugPrivilege, SeImpersonatePrivilege or SeBackupPrivilege are frequently used by attackers to escalate their privileges, it is also possible for defenders to leverage logon rights privileges to limit lateral movement. With our pull requests in BloodHound, SharpHound and SharpHound...

Wireless-(in)Fidelity: Pentesting Wi-Fi in 2025

14/01/2026
Pentest
Despite the advancements that have been made in Wi-Fi security with the arrival of WPA3, some misconfigurations and legacy protocols still remain. In this blogpost, we share insights into Wi-Fi related findings encountered during penetration testing engagements. We will present compromise methods, addressing both common scenarios and less conventional ones. The purpose of this article is to present a range of the most commonly useful attack methods in Wi-Fi penetration testing. By improving the understanding of these attacks, we hope ...

Livewire: remote command execution through unmarshaling

23/12/2025
Pentest
Livewire revolutionizes Laravel development by enabling real-time, interactive web interfaces using only PHP and Blade, removing the need of heavy JavaScript frameworks. Its innovative hydration system seamlessly instantiate and restores component states, supporting complex data types. However, this mechanism comes with a critical vulnerability: a dangerous unmarshalling process can be exploited as long as an attacker is in possession of the APP_KEY of the application. By crafting malicious payloads, attackers can manipulate Livewire...

ActivID administrator account takeover : the story behind HID-PSA-2025-002

12/12/2025
Pentest
In September 2025, we were asked by one of our clients to focus on a specific product: ActivID Appliance by HID. According to the vendor, this product is used worldwide to secure access to critical infrastructure and data. It supports a wide range of authentication methods including push authentication, OTP, PKI credentials, and static credentials. In this article we will walk you through the methodology we used to discover HID-PSA-2025-002, an authentication bypass in the SOAP API that can lead to administrative access on the applica...