In October 2025, I discovered CVE-2025-12744, a local privilege escalation affecting Fedora Linux. This post details how I chained a 12-byte command injection in the ABRT daemon into a three-stage exploit to escape the systemd sandbox and gain root.
Ride the Lightning is a popular add on for Bitcoin full-node distributions like Umbrel. A recent bug would have allowed remote attackers to empty Bitcoin wallets via malicious JavaScript, due to an overly permissive HTTP CORS header.
The SSDP engine in Firefox for Android (68.11.0 and below) can be tricked into triggering Android intent URIs with zero user interaction. This attack can be leveraged by attackers on the same WiFi network and manifests as applications on the target device suddenly launching, without the users’ permission, and conducting activities allowed by the intent.
Google Cloud Platform provides OS Login for managing SSH access to compute instance using IAM roles. I discovered multiple ways to escalate privileges from the non-administrative IAM role to the administrative one. These vulnerabilities manifest as local root exploits, allowing non-administrative users to execute commands as the root user.
Unauthenticated attackers on a local network can force stock Windows systems to perform arbitrary HTTP GET requests, including to the target’s localhost interface. No user interaction is required. No IIS installation is required.
Linux systems running LXD are vulnerable to privilege escalation via multiple attack paths, two of which are published in my lxd_root GitHub repository. This blog will go into the details of what I think is a very interesting path - abusing relayed UNIX socket credentials to speak directly to systemd’s private interface.
In January 2019, I discovered a privilege escalation vulnerability in default installations of Ubuntu Linux. This was due to a bug in the snapd API, a default service. Any local user could exploit this vulnerability to obtain immediate root access to the system.
I found an interesting way to achieve remote code execution on a recent test. I ended up submitting a detailed description of manual exploitation to the vendor, and I thought it might be interesting to share here.
I noticed a nice, cheap, low-tech alternative to badge cloning on a recent physical security engagement and thought I’d share. This post is going to be short and sweet.
When performing social engineering engagements, it’s tricky to find a payload that demonstrates the gravity of the attack without going full-on red team and shelling boxes. I’ve developed something for a recent test that I think finds a nice balance - an Excel macro that will take a screenshot of the user’s desktop and leverage their local Outlook profile to email it back to a predefined address.