Publications

Exploiting the Tesla Wall connector from its charge port connector

17/06/2025 In January 2025, we participated in Pwn2Own Automotive with multiple targets. One of them was the Tesla Wall Connector — the home charger for electric vehicles (including non-Tesla ones). We presented an attack that used the charging connector as the entry point, communicating with the charger using a non-standard protocol (for this type of application). We exploited a logic flaw to install a vulnerable firmware on the device. This article explains how we studied the device, how we built a Tesla car simulator to communicate with the c...

NTLM reflection is dead, long live NTLM reflection! – An in-depth analysis of CVE-2025-33073

11/06/2025 For nearly two decades, Windows has been plagued with NTLM reflection vulnerabilities. In this article, we present CVE-2025-33073, a logical vulnerability which bypasses NTLM reflection mitigations and allows an authenticated remote attacker to execute arbitrary commands as SYSTEM on any machine which does not enforce SMB signing. The vulnerability discovery, the complete analysis of the root cause as well as the patch by Microsoft will be detailed in this blogpost.

Exploiting Heroes of Might and Magic V

10/06/2025 Heroes of Might and Magic V is a turn-based strategy video game developed by Nival Interactive.  A map editor is provided with the video game. Players can create maps that can be played in solo or multiplayer. This is an interesting attack vector. In this article we will see how to execute malicious code from a Heroes of Might and Magic V maps.

Open-source toolset of an Ivanti CSA attacker

12/05/2025 In recent incident responses where the root cause was an Ivanti CSA compromise, Synacktiv's CSIRT came across multiple open-source tools used by threat actors. This article dives into each of these tools, their functionalities and discusses efficient detection capabilities.

CVE-2025-23016 - Exploiting the FastCGI library

23/04/2025 At the beginning of 2025, as part of our internal research, we discovered a vulnerability in the FastCGI lightweight web server development library. In this article, we'll take a look at the inner workings of the FastCGI protocol to understand how and in what context this vulnerability can be exploited. Finally, we'll see how to protect against it.

iOS 18.4 - dlsym considered harmful

10/04/2025 Last week, Apple released iOS 18.4 on all supported iPhones. On devices supporting PAC (pointer authentication), we came across a strange bug during some symbols resolution using dlsym(). This blogpost details our observations and the root cause of the problem.

Hack the channel: A Deep Dive into DVB Receiver Security

08/04/2025 Many people have a DVB receiver in their homes, which offers a large attack surface that many don’t suspect. As these devices can require an internet connection, they provide a cool entry point to a local network. In this article, we’ll dive into the internals of the protocol and the flaws in its implementation.

Exploiting Neverwinter Nights

10/03/2025 Back in 2024, we looked for vulnerabilities in Neverwinter Nights : Enhanced Edition as a side research project. We found and reported multiple vulnerabilities to the publisher Beamdog. In this article we will detail how we can chain two vulnerabilities to obtain a remote code execution in multiplayer mode.

Case Study: How Hunters International and friends target your hypervisors

05/03/2025 Hunters International is a Ransomware-as-a-Service (RaaS) operation that surfaced in October 2023, after acquiring the source code and infrastructure of the late Hive ransomware group. Today, according to publicly available statistics, Hunters International and its affiliates have 'hunted' at least 280 organizations, exfiltrating or encrypting data (or both). This article will describe their capabilities in a ransomware case we encountered, with a focus on the large-scale deployment of a VMWare ESXi encryptor.

Taking the relaying capabilities of multicast poisoning to the next level: tricking Windows SMB clients into falling back to WebDav

26/02/2025 When performing LLMNR/mDNS/NBTNS poisoning in an Active Directory environment, it is fairly common to be able to trigger SMB authentications to an attacker-controlled machine. This kind of authentication may be useful, but is rather limited from a relaying standpoint, due to the fact that Windows SMB clients support integrity mechanisms such as signing. HTTP authentications, on the other hand, are more interesting for attackers. The lack of integrity checking support in NTLM makes it possible to relay them to sensitive services such ...