Stephen Fewer
@stephenfewer.bsky.social
300 followers 77 following 30 posts
Senior Principal Security Researcher at @rapid7.com. Specializing in software vulnerabilities and exploitation. stephenfewer.github.io
stephenfewer.bsky.social
The auth bypass appears to be a patch bypass of an older 2018 vuln (CVE-2018-0296). The buffer overflow is in a Lua endpoint, but unsafe native code operations allow a buffer to be overflowed and memory corruption to occur.
stephenfewer.bsky.social
We just posted our AttackerKB @rapid7.com Analysis for the recent Cisco 0day chain: CVE-2025-20362 and CVE-2025-20333. Full technical root cause analysis of both the auth bypass and the buffer overflow is here: attackerkb.com/topics/Szq5u...
CVE-2025-20362 | AttackerKB
On September 25, 2025, Cisco published advisories for two new vulnerabilities, CVE-2025-20362, and CVE-2025-20333, which are known to be exploited in-the-wild …
attackerkb.com
stephenfewer.bsky.social
And shout-out to @iagox86.bsky.social, who figured out the access control bypass part of this back in his 2023 analysis of the CVE-2023-0069 patch 🔥
stephenfewer.bsky.social
We have published our AttackerKB @rapid7.com Analysis for the recent GoAnywhere MFT vuln, CVE-2025-10035. It's an access control bypass + unsafe deserialization + an as-yet unknown issue in how an attacker can know a specific private key! attackerkb.com/topics/LbA9A...
CVE-2025-10035 | AttackerKB
On September 18, 2025, Fortra published a security advisory for a new vulnerability affecting their managed file transfer product, GoAnywhere MFT. The new vuln…
attackerkb.com
Reposted by Stephen Fewer
rapid7.com
⚠️ Rapid7 has identified a permission bypass vuln. in multiple versions of #OnePlus OxygenOS installed on its Android smartphones.

When leveraged, any app on the device may read SMS/MMS data & metadata via the default Telephony provider. More in our blog: r-7.co/42EujlR
stephenfewer.bsky.social
Come join @rapid7.com! I’m hiring for a Senior Security Researcher to join our team. You'll get to work on n-day analysis, zero-day research, exploit development, and more, focusing on enterprise software and appliances. Fully remote in the UK; more details here: careers.rapid7.com/jobs/senior-...
Senior Security Researcher - United Kingdom
The Senior Security Researcher will drive vulnerability discovery and analysis within Rapid7’s Vulnerability Intelligence team. You’ll research zero-day and n-day threats, develop exploits, publish ro...
careers.rapid7.com
stephenfewer.bsky.social
I just completed the reimplementation of the in-the-wild gadget to use the Msf::Util::DotNetDeserialization routines, so that part is much cleaner now, no more sketchy blobs of base64 😅
stephenfewer.bsky.social
We now have a (draft) @metasploit-r7.bsky.social exploit module in the pull queue for the recent Microsoft SharePoint Server unauthenticated RCE zero-day (CVE-2025-53770), based on the in-the-wild exploit published a few days ago. Check it out here: github.com/rapid7/metas...
stephenfewer.bsky.social
Our @metasploit-r7.bsky.social auxiliary module for the new Brother auth bypass is available. The module will leak a serial number via HTTP/HTTPS/IPP (CVE-2024-51977), SNMP, or PJL, generate the device's default admin password (CVE-2024-51978), and then validate the creds: github.com/rapid7/metas...
stephenfewer.bsky.social
Today @rapid7.com is disclosing 8 new vulnerabilities affecting 742 models across 4 vendors. After 13 months of coordinated disclosure with Brother Industries, Ltd, we're detailing all issues including a critical auth bypass. Full details here: www.rapid7.com/blog/post/mu...
Rapid7
Rapid7 conducted a zero-day research project into multifunction printers (MFP) from Brother Industries, Ltd. This research resulted in the discovery of 8 new vulnerabilities.
www.rapid7.com
stephenfewer.bsky.social
Today @rapid7.com disclosed two vulns affecting NetScaler Console and SDX, found by Senior Security Researcher Calum Hutton! 🎉 Our blog details the authenticated arbitrary file read vuln (CVE-2025-4365) and the authenticated arbitrary file write vuln (which the vendor has not assigned a CVE for).
rapid7.com
Rapid7 @rapid7.com · Jun 18
During root cause analysis for the #NetScaler Console vulnerability, CVE-2024-6235, Rapid7 discovered & disclosed to the vendor 2 additional high severity vulnerabilities.

Find exploitation details, remediation advice & more in a new blog: r-7.co/4efpR1S
stephenfewer.bsky.social
A new @rapid7.com Analysis of CVE-2024-58136 was just published to AttackerKB, courtesy of Calum Hutton 🔥 Affecting the Yii framework, this analysis details the root cause of CVE-2024-58136, and how it can be leveraged for RCE via a dirty file write to a log file. attackerkb.com/topics/U2Ddo...
CVE-2024-58136 | AttackerKB
Yii framework is a component-based MVC web application framework, providing developers with the building blocks to create complex web applications including mo…
attackerkb.com
stephenfewer.bsky.social
This was an interesting challenge to go from a restricted character set "0123456789." for the overflow, to arbitrary RCE. Hat tip to watchTowr for diffing out the bug last Friday. PoC available here: github.com/sfewer-r7/CV...
GitHub - sfewer-r7/CVE-2025-22457
Contribute to sfewer-r7/CVE-2025-22457 development by creating an account on GitHub.
github.com
stephenfewer.bsky.social
We have just published our AttackerKB @rapid7.com Analysis of CVE-2025-22457, an unauthenticated stack based buffer overflow in Ivanti Connect Secure. Difficult to exploit due to severe character restrictions, we detail our full RCE technique here: attackerkb.com/topics/0ybGQ...
CVE-2025-22457 | AttackerKB
On April 3, 2025, Ivanti published an advisory for CVE-2025-22457, an unauthenticated remote code execution vulnerability due to a stack based buffer overflow.…
attackerkb.com
stephenfewer.bsky.social
A VM escape exploit chain, exploited in the wild as 0day... well, that's not something we see very often 👀
rapid7.com
Rapid7 @rapid7.com · Mar 6
“The impact here is huge, an attacker who has compromised a hypervisor can go on to compromise any of the other virtual machines that share the same hypervisor.” – @stephenfewer.bsky.social, Rapid7 principal security researcher

The latest on 3 #Broadcom #VMware zero-day vulns, via @techcrunch.com ⤵️
Broadcom urges VMware customers to patch ‘emergency’ zero-day bugs under active exploitation | TechCrunch
Security experts warn of ‘huge impact’ of actively exploited hypervisor flaws that allow sandbox escape
r-7.co
stephenfewer.bsky.social
We are also publishing our AttackerKB Rapid7 analysis for CVE-2024-12356 - Unauth RCE affecting BeyondTrust PRA & RS, which was exploited in the wild last Dec as 0day ...our analysis details leveraging the new PostgreSQL vuln CVE-2025-1094 for RCE! 👀 attackerkb.com/topics/G5s8Z...
attackerkb.com
stephenfewer.bsky.social
Today Rapid7 has disclosed CVE-2025-1094, a new PostgreSQL SQLi vuln we discovered while researching CVE-2024-12356 in BeyondTrust Remote Support. Untrusted inputs that have been safely character escaped could still generate SQLi under certain conditions: www.rapid7.com/blog/post/20...
CVE-2025-1094: PostgreSQL psql SQL injection (FIXED) | Rapid7 Blog
www.rapid7.com
Reposted by Stephen Fewer
iagox86.bsky.social
Process injection shenanigans are dear to my heart - it's one of the first things I ever learned in security.

Inspired by an Akamai blog last month, this blog digs into techniques to tinker with other processes on Linux, and show you how to write a little debugger in C!
GreyNoise Labs - How-To: Linux Process Injection
Ever wondered how to inject code into a process on Linux?
www.labs.greynoise.io
stephenfewer.bsky.social
100% this!! They're amazing 😃
stephenfewer.bsky.social
Without a suitable info leak you have to brute force the 32-bit base address of a shared library, and with 9 bits of entropy this can take upwards of 1.5 hours, although in practice it can be much quicker. Regardless of the time it takes to succeed, exploitation is reliable.
stephenfewer.bsky.social
I wrote a PoC for the recent Ivanti Connect Secure stack buffer overflow, CVE-2025-0282, based on the exploitation strategy watchTowr published, along with an assessment of exploitability given the lack of a suitable info leak to break ASLR: attackerkb.com/assessments/...