Piotr Bazydło
@chudypb.bsky.social
Principal Vulnerability Researcher at the watchTowr | Previously: @thezdi | https://chudypb.github.io
Pinned
[2/n] My OffensiveCon 2024 talk about Exchange PowerShell Remoting. It includes details concerning PowerShell Remoting deserialization and custom Exchange converters.

Several RCE chains included.

www.youtube.com/watch?v=AxNO...
OffensiveCon24 - Piotr Bazydlo - Half Measures and Full Compromise
YouTube video by OffensiveCon
www.youtube.com
Reposted by Piotr Bazydło
But I thought Microsoft said it wasn't worth fixing? "Microsoft classified this as low severity and this will not be patched in the immediate future." arcticwolf.com/resources/bl...
UNC6384 Weaponizes ZDI-CAN-25373 Vulnerability to Deploy PlugX Against Hungarian and Belgian Diplomatic Entities - Arctic Wolf
Arctic Wolf Labs has identified an active cyber espionage campaign by Chinese-affiliated threat actor UNC6384 targeting European diplomatic entities in Hungary, Belgium, and additional European nation...
arcticwolf.com
October 30, 2025 at 7:42 PM
I've done some small (but fun) .NET Framework research, and I found a new exploitation primitive (vulnerable behavior). In many cases, it may directly lead to RCE.

I'll discuss it during Black Hat EU and I'll drop a paper afterwards 🫡

www.blackhat.com/eu-25/briefi...
Black Hat
www.blackhat.com
September 18, 2025 at 8:55 AM
Research is fun. One month ago, I thought that I'd never again do research as good as my .NET deserialization one.

Here I am today, writing a new whitepaper. You never know the day 😅
August 5, 2025 at 4:01 PM
I did my first 1daying ride with my friend Sonny. Enjoy 🫡

Ivanti EPMM: CVE-2025-4427 and CVE-2025-4428 pre-auth RCE chain.

labs.watchtowr.com/expression-p...
Expression Payloads Meet Mayhem - Ivanti EPMM Unauth RCE Chain (CVE-2025-4427 and CVE-2025-4428)
Keeping your ears to the ground and eyes wide open for the latest vulnerability news at watchTowr is a given. Despite rummaging through enterprise code looking for 0days on a daily basis, our interest...
labs.watchtowr.com
May 15, 2025 at 3:08 PM
A serious question about large-scale usage of AI in vuln research.

Aren't you afraid of missing some key details by outsourcing huge tasks to AI? I am.

If you rely on a tool, you're as good as your tool. If AI screws up in a huge project, you probably won't even notice that.
March 29, 2025 at 6:55 PM
😉
Our crew members @mwulftange.bsky.social & @frycos.bsky.social discovered & responsibly disclosed several new RCE gadgets that bypass #Veeam's blacklist for CVE-2024-40711 & CVE-2025-23120 + further entry points after @sinsinology.bsky.social & @chudypb.bsky.social's blog. Replace BinaryFormatter!
March 28, 2025 at 7:38 PM
It seems that our Veeam CVE-2025-23120 post is live.

I would never have done this research without @SinSinology. He insisted a lot, thx man. 😅

If you know CVE-2024-40711, this vuln can be patch-diffed and an exploit armed in 5 minutes. Unfortunately, it's super simple.

labs.watchtowr.com/by-executive...
By Executive Order, We Are Banning Blacklists - Domain-Level RCE in Veeam Backup & Replication (CVE-2025-23120)
It’s us again! Once again, we hear the collective groans - but we're back and with yet another merciless pwnage of an inspired and clearly comprehensive RCE solution - no, wait, it's another vuln in ...
labs.watchtowr.com
March 20, 2025 at 7:53 AM
My first watchTowr post is out! It was my first take on a CMS solution and I was able to get some interesting pre-auth RCE chains on Kentico Xperience. 😎

labs.watchtowr.com/bypassing-au...
Bypassing Authentication Like It’s The ‘90s - Pre-Auth RCE Chain(s) in Kentico Xperience CMS
I recently joined watchTowr, and it is, therefore, time - time for my first watchTowr Labs blogpost, previously teased in a tweet of a pre-auth RCE chain affecting some ‘unknown software’. Joining th...
labs.watchtowr.com
March 17, 2025 at 12:45 PM
Great news: I got invited to Microsoft Zero Day Quest onsite event.

Bad news: It overlaps with my kid's estimated due date 😅

Happy hacking to all of you who are planning to go to Redmond 😎
February 13, 2025 at 1:27 PM
How long does it take for MITRE to reserve a CVE now?

I haven't done that for several years, and it seems that the wait time is much longer nowadays 🤔
January 31, 2025 at 8:49 PM
I had a blast during my first month at watchTowr :)
January 28, 2025 at 3:47 PM
Reposted by Piotr Bazydło
This year again, I am lucky enough to get nominated twice for the Top Ten Hacking Techniques, for my research on iconv and PHP, and lightyear. This time feels a bit special however, as these are my last blog posts on ambionics.
www.ambionics.io/blog/iconv-c...
www.ambionics.io/blog/lightye...
January 16, 2025 at 7:42 AM
I'm happy to be on the nominations list for the second year in a row! This time, it's with the "Half Measures and Full Compromise: Exploiting Microsoft Exchange PowerShell Remoting" research and some nice RCE chains on Exchange :)

chudypb.github.io/exchange-powershell.html
January 15, 2025 at 6:37 PM
I'm happy to announce that I have recently joined watchTowr as a Principal Vulnerability Researcher. The break is over, it's time to do some new research 🫡
January 7, 2025 at 1:08 PM
Does anyone use a 34" 21:9 screen?

Does it work for a setup with a VM on one half of the screen and a browser/IDE on the other half? 🤔
December 28, 2024 at 9:27 AM
After amazing (almost) 3 years, this is my last day at @thezdi.bsky.social. Huge thanks to the entire team, it was an honour to work with you folks!

New challenges and adventures are starting in 2025 :)

PS. Watch out for the ZDI blog, as several of my posts should appear there in 2025.
December 20, 2024 at 12:06 PM
[4/n] My Hexacon 2023 talk about .NET Deserialization. New gadgets, insecure serialization (RCE through serialization) and custom gadgets found in the products' codebases.

Talk: www.youtube.com/watch?v=_CJm...

White paper: github.com/thezdi/prese...
HEXACON2023 - Exploiting Hardened .NET Deserialization by Piotr Bazydło
YouTube video by Hexacon
www.youtube.com
December 19, 2024 at 11:39 AM
[3/n] I've followed the OffensiveCon talk with a series of 4 blog posts. The most interesting one describes a nice chain of 3 gadgets:
- Arbitrary File Write to drop a DLL.
- Arbitrary File Read to leak the DLL drop location.
- DLL load gadget.

www.zerodayinitiative.com/blog/2024/9/...
Zero Day Initiative — Exploiting Exchange PowerShell After ProxyNotShell: Part 3 – DLL Loading Chain for RCE
As you may know, I recently presented my Exchange-related talk during OffensiveCon 2024. This series of 4 blog posts is meant to supplement the talk and provide additional technical details. In this...
www.zerodayinitiative.com
December 19, 2024 at 11:37 AM
[2/n] My OffensiveCon 2024 talk about Exchange PowerShell Remoting. It includes details concerning PowerShell Remoting deserialization and custom Exchange converters.

Several RCE chains included.

www.youtube.com/watch?v=AxNO...
OffensiveCon24 - Piotr Bazydlo - Half Measures and Full Compromise
YouTube video by OffensiveCon
www.youtube.com
December 19, 2024 at 11:34 AM
[1/n] I want to kick off my profile here a little bit, thus I'll post several fun projects that I made last year.

Let's kick off with the SharePoint XXE blog, which could be abused due to URL parsing confusion between SharePoint and .NET components:
www.zerodayinitiative.com/blog/2024/5/...
Zero Day Initiative — CVE-2024-30043: Abusing URL Parsing Confusion to Exploit XXE on SharePoint Server and Cloud
Yes, the title is right. This blog covers an XML eXternal Entity (XXE) injection vulnerability that I found in SharePoint. The bug was recently patched by Microsoft. In general, XXE vulnerabilities ar...
www.zerodayinitiative.com
December 19, 2024 at 11:32 AM
I wrote a fun, little blog post. Remote pre-auth file deletion in SolarWinds ARM allowed achieving LPE on AD machines 🙃
December 12, 2024 at 6:03 PM
Reposted by Piotr Bazydło
Rapid7 has disclosed the vulns from our exploit chain targeting the Lorex 2K Indoor Wi-Fi Security Camera, which we entered at this year's Pwn2Own Ireland. A 2 phase exploit, built upon 5 vulns - phase 1 is an auth bypass, whilst phase 2 is RCE. Disclosure, analysis and exploit here: t.co/J9VDwMDRsI
https://www.rapid7.com/blog/post/2024/12/03/lorex-2k-indoor-wi-fi-security-camera-multiple-vulnerabilities-fixed/
t.co
December 4, 2024 at 9:32 AM
Great post! BTW, thanks for the shout-out Steven :)
November 29, 2024 at 6:48 PM