Lightnews — Scholar-powered news

Reposted by Frycos

m1tz @m1tzzz.bsky.social · 8d

Did you encounter the Supabase? Might wanna try my newest tooling or have a read about quickwins? There you go:
blog.m1tz.com/posts/2025/1...

A Hands-On Edition: Will Supabase Be the Next Firebase (At Least in Terms of Security)?

It all started with my good colleague @schniggie who’s got my attention with an X post earlier that year. Until then I rarely heared of Supabase, but let us start from the scratch. Firebase changed th...

blog.m1tz.com

1 2

Frycos @frycos.bsky.social · 22d

On your way to @brucon! Are you interested in technical discussions or would you like to know what makes our company so unique? Just talk to us.

1 3

Frycos @frycos.bsky.social · Sep 15

Tired of dull, standard interviews? Talk to Kurt. Also, a few of my colleagues and I will be attending BruCON next week. Feel free to come and talk to us.

codewhitesec.bsky.social @codewhitesec.bsky.social · Sep 15

CODE WHITE proudly presents #ULMageddon which is our newest applicants challenge at apply-if-you-can.com packaged as a metal festival. Have fun 🤘 and #applyIfYouCan

1 6

Frycos @frycos.bsky.social · Sep 3

New AI-generated "technical" blog posts are stealing my time. 🤬

2

Reposted by Frycos

Scary Jerry 👻👻💀🎃 @jerry.infosec.exchange.ap.brid.gy · Aug 29

Yes, there’s another phishing campaign contacting fediverse users to fill out a form to avoid being suspended or whatever. Stay calm and just report them and be sure to check the option to inform their home instance so the account gets suspended for everyone.

Also, please consider enabling […]

Original post on infosec.exchange

infosec.exchange

3 48 8

Reposted by Frycos

codewhitesec.bsky.social @codewhitesec.bsky.social · Aug 28

We always love a good challenge. That’s why we’re sponsoring the 10th FAUST CTF. Game on at 2025.faustctf.net

FAUST CTF 2025 | FAUST CTF 2025

FAUST CTF 2025 is an online attack-defense CTF competition run by FAUST, the CTF team of Friedrich-Alexander University Erlangen-Nürnberg

2025.faustctf.net

6 7

Reposted by Frycos

joern @jrn.bsky.social · Aug 19

Today I have a more serious topic than usual, please consider reposting for reach:

My wife and I are urgently looking for a specialist in neuropediatrics or a similar field for our autistic child with a diagnosed, but not further specified, movement disorder [1/4]

1 23 4

Reposted by Frycos

codewhitesec.bsky.social @codewhitesec.bsky.social · Aug 5

We've added a new demo to NewRemotingTricks that makes deploying a MarshalByRefObject (e.g., WebClient) even easier: System.Lazy creates an instance of T on serialization, which is probably more likely to be allowed than a XAML gadget getting through. github.com/codewhitesec...

GitHub - codewhitesec/NewRemotingTricks: New exploitation tricks for hardened .NET Remoting servers

New exploitation tricks for hardened .NET Remoting servers - codewhitesec/NewRemotingTricks

github.com

4 4

Frycos @frycos.bsky.social · Jul 29

Wow, I wrote with an author of a cool VR blog post yesterday. Just asked for some more explanations and maybe references. Tl;dr: he couldn’t explain or elaborate because exactly this part of the blog was written by GPT…

2

Reposted by Frycos

codewhitesec.bsky.social @codewhitesec.bsky.social · Jul 14

We have reproduced "ToolShell", the unauthenticated exploit chain for CVE-2025-49706 + CVE-2025-49704 used by @_l0gg (on X) to pop SharePoint at #Pwn2Own Berlin 2025, it's really just one request! Kudos to @mwulftange.bsky.social

1 5 4

Frycos @frycos.bsky.social · Jun 17

A quick-and-dirty late night blog post on discovering an nday variant in Zyxel NWA50AX Pro devices

frycos.github.io/vulns4free/2...

Zyxel NWA50AX Pro - Discovery of an Nday Variant

Today was an eventful day thanks to many interesting blog posts, e.g. from my friends at watchTowr. So I thought, why not publish a small quick-and-dirty blog post myself about a story from last week?...

frycos.github.io

2 3

Frycos @frycos.bsky.social · Jun 16

Oh no, it's a variant of CVE-2024-29974...I accidentally found that a similar vuln affected Zyxel NWA50AX (Pro) and tested against devices (obviously) lacking the latest patches. This CVE was never publicly related to NWA50AX, though. Well, nice nday exercise then.

4

Frycos @frycos.bsky.social · Jun 14

B03701066A0F762E75BAA67816EDB223F8681C9444C34E0B768DE518268025A0

Am I on vacation in the mountains? Yes. Do they have network equipment there? Yes. Can I refrain from doing VR? No.

You know the drill: disclosure and blog post planned. 😄

5

Reposted by Frycos

codewhitesec.bsky.social @codewhitesec.bsky.social · May 13

Yes, we're beating a dead horse. But that horse still runs in corporate networks - and quietly gives attackers the keys to the kingdom. We're publishing what’s long been exploitable. Time to talk about it. #DSM #Ivanti code-white.com/blog/ivanti-...

CODE WHITE | Analyzing the Attack Surface of Ivanti's DSM

Ivanti's Desktop & Server Management (DSM) product is an old acquaintance that we have encountered in numerous red team and internal assessments. The main purpose of the product is the centralized dis...

code-white.com

9 9

Reposted by Frycos

halvarflake.bsky.social @halvarflake.bsky.social · May 3

If you are in the US and upset at the AfD being subject to more surveillance now:

The bar to be declared "in conflict with the democratic order" is *very* high. It is literally the AfD definition of "Germanness" by your ancestry, declaring ppl of other ancestries inferior, that did it, justifiedly.

1 7 60

Frycos @frycos.bsky.social · Apr 28

My blog post on some vulns in GFI MailEssentials

frycos.github.io/vulns4free/2...

GFI MailEssentials - Yet Another .NET Target

What is this product GFI MailEssentials all about? We’re living the future, right? So let’s ask the GFI AI.

frycos.github.io

7 7

Reposted by Frycos

Matt Johansen @mattjay.com · Apr 18

🧵 THREAD: A federal whistleblower just dropped one of the most disturbing cybersecurity disclosures I’ve ever read.

He's saying DOGE came in, data went out, and Russians started attempting logins with new valid DOGE passwords

Media's coverage wasn't detailed enough so I dug into his testimony:

330 7.4K 14K

Frycos @frycos.bsky.social · Apr 16

That sums up my week's vacation pretty well. And I have to say, I like it.

2

Reposted by Frycos

Stephen Fewer @stephenfewer.bsky.social · Apr 10

We have just published our AttackerKB @rapid7.com Analysis of CVE-2025-22457, an unauthenticated stack based buffer overflow in Ivanti Connect Secure. Difficult to exploit due to severe character restrictions, we detail our full RCE technique here: attackerkb.com/topics/0ybGQ...

CVE-2025-22457 | AttackerKB

On April 3, 2025, Ivanti published an advisory for CVE-2025-22457, an unauthenticated remote code execution vulnerability due to a stack based buffer overflow.…

attackerkb.com

1 4 3

Reposted by Frycos

Flomb @fl0mb.bsky.social · Mar 31

blog.flomb.net/posts/ingres...

Exploiting IngressNightmare: A Deep Dive

Wiz recently discovered an unauthenticated remote code execution (RCE) vulnerability in the Ingress NGINX admission controller. I found the exploit chain particularly intriguing and decided to recreat...

blog.flomb.net

3 5

Frycos @frycos.bsky.social · Mar 30

This was a pretty cool online course by @voidstarsec I can recommend.

2

Reposted by Frycos

codewhitesec.bsky.social @codewhitesec.bsky.social · Mar 28

Our crew members @mwulftange.bsky.social & @frycos.bsky.social discovered & responsibly disclosed several new RCE gadgets that bypass #Veeam 's blacklist for CVE-2024-40711 & CVE-2025-23120 + further entry points after @sinsinology.bsky.social & @chudypb.bsky.social 's blog. Replace BinaryFormatter!

6 9

Frycos @frycos.bsky.social · Mar 12

If you think code audits are driving you to the brink of insanity, try hardware hacking...

6

Reposted by Frycos

codewhitesec.bsky.social @codewhitesec.bsky.social · Feb 21

Ever wondered how Kurts Maultaschenfabrikle got hacked in 2023? The full story, all technical details, out now ;-) apply-if-you-can.com/walkthrough/...

Walkthrough 2023

apply-if-you-can.com

10 7

Frycos @frycos.bsky.social · Feb 7

This is a very unique, nice and small conference I can recommend. Good networking opportunities. ✌️

smaury @smaury.bsky.social · Feb 6

🗣️

TumpiCon @tumpicon.org · Feb 6

Hey hackers!
We’ve started sending out the first invites — check your inbox! 👀
Didn’t get one? Take the fast track and submit a talk!

1 6