Publications

Let Me Cook You a Vulnerability: Exploiting the Thermomix TM5

10/07/2025 This article delves into vulnerability research on the Thermomix TM5, leading to the discovery of multiple vulnerabilities, which allow firmware downgrade and arbitrary code execution on some firmware versions. We provide an in-depth analysis of the system and its attack surface, detailing the vulnerabilities found and steps for exploitation.

From cheap IoT toy to your smartphone: Getting RCE by leveraging a companion app

08/07/2025 In this article, we will go through some vulnerabilities we found in an Android application, allowing us to take control of a recent smartphone by faking the drone itself.

Exploiting the Tesla Wall connector from its charge port connector

17/06/2025 In January 2025, we participated in Pwn2Own Automotive with multiple targets. One of them was the Tesla Wall Connector — the home charger for electric vehicles (including non-Tesla ones). We presented an attack that used the charging connector as the entry point, communicating with the charger using a non-standard protocol (for this type of application). We exploited a logic flaw to install a vulnerable firmware on the device. This article explains how we studied the device, how we built a Tesla car simulator to communicate with the c...

NTLM reflection is dead, long live NTLM reflection! – An in-depth analysis of CVE-2025-33073

11/06/2025 For nearly two decades, Windows has been plagued with NTLM reflection vulnerabilities. In this article, we present CVE-2025-33073, a logical vulnerability which bypasses NTLM reflection mitigations and allows an authenticated remote attacker to execute arbitrary commands as SYSTEM on any machine which does not enforce SMB signing. The vulnerability discovery, the complete analysis of the root cause as well as the patch by Microsoft will be detailed in this blogpost.

Exploiting Heroes of Might and Magic V

10/06/2025 Heroes of Might and Magic V is a turn-based strategy video game developed by Nival Interactive.  A map editor is provided with the video game. Players can create maps that can be played in solo or multiplayer. This is an interesting attack vector. In this article we will see how to execute malicious code from a Heroes of Might and Magic V maps.

Open-source toolset of an Ivanti CSA attacker

12/05/2025 In recent incident responses where the root cause was an Ivanti CSA compromise, Synacktiv's CSIRT came across multiple open-source tools used by threat actors. This article dives into each of these tools, their functionalities and discusses efficient detection capabilities.

CVE-2025-23016 - Exploiting the FastCGI library

23/04/2025 At the beginning of 2025, as part of our internal research, we discovered a vulnerability in the FastCGI lightweight web server development library. In this article, we'll take a look at the inner workings of the FastCGI protocol to understand how and in what context this vulnerability can be exploited. Finally, we'll see how to protect against it.

iOS 18.4 - dlsym considered harmful

10/04/2025 Last week, Apple released iOS 18.4 on all supported iPhones. On devices supporting PAC (pointer authentication), we came across a strange bug during some symbols resolution using dlsym(). This blogpost details our observations and the root cause of the problem.

Hack the channel: A Deep Dive into DVB Receiver Security

08/04/2025 Many people have a DVB receiver in their homes, which offers a large attack surface that many don’t suspect. As these devices can require an internet connection, they provide a cool entry point to a local network. In this article, we’ll dive into the internals of the protocol and the flaws in its implementation.

Exploiting Neverwinter Nights

10/03/2025 Back in 2024, we looked for vulnerabilities in Neverwinter Nights : Enhanced Edition as a side research project. We found and reported multiple vulnerabilities to the publisher Beamdog. In this article we will detail how we can chain two vulnerabilities to obtain a remote code execution in multiplayer mode.