Publications

Laravel: APP_KEY leakage analysis

10/07/2025
Tools
Pentest
In November 2024, Mickaël Benassouli and I talked about vulnerability patterns based on Laravel encryption at Grehack. Although each discovered vulnerability requires access to a Laravel secret, the APP_KEY, we emphasized the security risks involved and highlighted how this secret is often insecurely exposed in public projects. The story did not stop there: we gathered a huge set of APP_KEYs and developed a new tool to identify vulnerable patterns across a set of publicly exposed Laravel applications. This blog post sums up our...

Let Me Cook You a Vulnerability: Exploiting the Thermomix TM5

10/07/2025
Hardware
Exploit
Reverse-engineering
This article delves into vulnerability research on the Thermomix TM5, leading to the discovery of multiple vulnerabilities, which allow firmware downgrade and arbitrary code execution on some firmware versions. We provide an in-depth analysis of the system and its attack surface, detailing the vulnerabilities found and steps for exploitation.

Exploiting the Tesla Wall connector from its charge port connector

17/06/2025
Hardware
Exploit
Reverse-engineering
In January 2025, we participated in Pwn2Own Automotive with multiple targets. One of them was the Tesla Wall Connector — the home charger for electric vehicles (including non-Tesla ones). We presented an attack that used the charging connector as the entry point, communicating with the charger using a non-standard protocol (for this type of application). We exploited a logic flaw to install a vulnerable firmware on the device. This article explains how we studied the device, how we built a Tesla car simulator to communicate with the c...

NTLM reflection is dead, long live NTLM reflection! – An in-depth analysis of CVE-2025-33073

11/06/2025
Pentest
For nearly two decades, Windows has been plagued with NTLM reflection vulnerabilities. In this article, we present CVE-2025-33073, a logical vulnerability which bypasses NTLM reflection mitigations and allows an authenticated remote attacker to execute arbitrary commands as SYSTEM on any machine which does not enforce SMB signing. The discovery of the vulnerability, the complete analysis of its root cause, as well as the patch by Microsoft, are detailed in this blog post.

Exploiting Heroes of Might and Magic V

10/06/2025
Exploit
Heroes of Might and Magic V is a turn-based strategy video game developed by Nival Interactive. A map editor is provided with the video game. Players can create maps that can be played solo or in multiplayer. This is an interesting attack vector. In this article we will see how malicious code can be executed from a Heroes of Might and Magic V map.

Open-source toolset of an Ivanti CSA attacker

12/05/2025
CSIRT
In recent incident responses where the root cause was an Ivanti CSA compromise, Synacktiv's CSIRT came across multiple open-source tools used by threat actors. This article dives into each of these tools and their functionality, and discusses efficient detection capabilities.

CVE-2025-23016 - Exploiting the FastCGI library

23/04/2025
Exploit
At the beginning of 2025, as part of our internal research, we discovered a vulnerability in the FastCGI lightweight web server development library. In this article, we'll take a look at the inner workings of the FastCGI protocol to understand how and in what context this vulnerability can be exploited. Finally, we'll see how to protect against it.

iOS 18.4 - dlsym considered harmful

10/04/2025
Reverse-engineering
Last week, Apple released iOS 18.4 on all supported iPhones. On devices supporting PAC (pointer authentication), we came across a strange bug during symbol resolution using dlsym(). This blog post details our observations and the root cause of the problem.

Hack the channel: A Deep Dive into DVB Receiver Security

08/04/2025
Hardware
Reverse-engineering
Many people have a DVB receiver in their homes, which offers a large attack surface that many don’t suspect. As these devices can require an internet connection, they provide a cool entry point to a local network. In this article, we’ll dive into the internals of the protocol and the flaws in its implementation.