Stephen Fewer
stephenfewer.bsky.social
Senior Principal Security Researcher at @rapid7.com. Specializing in software vulnerabilities and exploitation. stephenfewer.github.io
The auth bypass appears to be a patch bypass of an older 2018 vuln (CVE-2018-0296). The buffer overflow is in a Lua endpoint, but unsafe native code operations allow a buffer to be overflowed and memory corruption to occur.
October 6, 2025 at 8:39 AM
and shout out to @iagox86.bsky.social who figured out the access control bypass part of this back in his 2023 analysis of the CVE-2023-0069 patch 🔥
September 24, 2025 at 1:35 PM
I just completed the reimplementation of the in-the-wild gadget to use the Msf::Util::DotNetDeserialization routines, so that part is much cleaner now, no more sketchy blobs of base64 😅
July 23, 2025 at 5:06 PM
This was an interesting challenge to go from a restricted character set "0123456789." for the overflow, to arbitrary RCE. Hat tip to watchTowr for diffing out the bug last Friday. PoC available here: github.com/sfewer-r7/CV...
GitHub - sfewer-r7/CVE-2025-22457
April 10, 2025 at 6:20 PM
Our @metasploit-r7.bsky.social exploit module for unauthenticated RCE against BeyondTrust Privileged Remote Access & Remote Support is now available. The exploit can either leverage CVE-2024-12356 and CVE-2025-1094 together, or solely leverage CVE-2025-1094 for RCE: github.com/rapid7/metas...
Exploit module for BeyondTrust Privileged Remote Access & Remote Support (CVE-2024-12356, CVE-2025-1094) by sfewer-r7 · Pull Request #19877 · rapid7/metasploit-framework
Overview This pull request adds an unauthenticated RCE exploit module targeting BeyondTrust Privileged Remote Access & Remote Support, leveraging CVE-2024-12356 + CVE-2025-1094. CVE-2024-12356 ...
February 13, 2025 at 4:05 PM
We are also publishing our AttackerKB Rapid7 analysis for CVE-2024-12356 - Unauth RCE affecting BeyondTrust PRA & RS, which was exploited in the wild last Dec as 0day... our analysis details leveraging the new PostgreSQL vuln CVE-2025-1094 for RCE! 👀 attackerkb.com/topics/G5s8Z...
February 13, 2025 at 4:05 PM