PSA update your INSTAR cameras. Our teammate Michael Imfeld identified a critical RCE (CVE-2025-8760) on 2k+ and 4K devices. Find the advisory here: modzero.com/en/advisorie...

A colleague of mine found exposed credentials potentially granting access to Synology Teams backups. Check the full analysis and scan your tenants for IOCs. #cybersecurity #infosec #disclosure modzero.com/en/blog/when...

Innenminister Dobrindt meint: Die Einstufung der AfD als „gesichert rechtsextrem” reicht nicht für ein Parteiverbot? Kein Problem – wir legen nach: Mit unserer Belegsammlung schaffen wir die Grundlage für ein umfassendes Gutachten zum AfD-Verbotsverfahren. Mehr dazu: fragdenstaat.de/aktionen/afd...

Both defenders and red teamers will be interested in this tool drop and deep dive into psexec from Aurélien. He, Michael, and Reino built susinternals that makes use of the Microsoft signed psexec service binary on the host instead of the more easily flagged RemCom. sensepost.com/blog/2025/ps...

ROPing our way to “Yay, RCE” - and a lesson in the importance of a good nights sleep! Follow our Colleague Michaels journey of developing an ARM ROP chain to exploit a buffer overflow in uc-http modzero.com/en/blog/ropi...

NEU: Hier ist das geheime Verfassungsschutz-Gutachten zur AfD in voller Länge. Fast 5000 Quellen hat die Behörde in den vergangenen Jahren ausgewertet, jetzt hat @netzpolitik.org das Gutachten veröffentlicht.

In Chrome: Object.values(this)[165].bind(this)()

This is a great post on bug bounty reddit! OP reported an IDOR, gets paid $2,000, and then realizes it never was IDOR. It's just a cached response...

Issue #2 joined the 'over 100K downloads' club. All thanks to you! Now Issue #4 is applying for a membership there, and it's not far from getting in :) Want to help? Tell your friends about us! pagedout.institute

I wrote a blog post about SSTI in Thymelaf - hopefully it helps some people pentesting up-to-date Spring Boot applications :)

(please re-post for reach - thank you!) Learned a cool new Linux trick? Know an interesting quirk in a network protocol? Or have something else to share? Write a 1-page article for the #6 issue of Paged Out! :) pagedout.institute?page=cfp.php Soft deadline is Feb 1st.

My videos for Flare-On 2024 are live! Watch me reverse engineer all the challenges from start to end. 🎉🥳 + Commentary video featuring SuperFashi, where we review the chals together. * 45 hours of content * 400+ GB of raw footage Merry Christmas! Link: www.youtube.com/watch?v=vwW9...

Re-sharing to keep bluesky rolling go.bsky.app/EhGFSVj

Announcing GitHub Copilot Free! A new free tier for GitHub Copilot, available for everyone today in VS Code. No trial. No subscription. No credit card required. Learn more in our blog: aka.ms/copilot-free

I just wrote a new blog post! This is how I (ab)used a jailed file write bug in Tomcat/Spring. Enjoy! Remote Code Execution with Spring Properties :: srcincite.io/blog/2024/11...

I can highly recommend Shazzer from @garethheyes.co.uk, such a great tool for XSS research!

I'm glad to release the tool I have been working hard on the last month: #KrbRelayEx A Kerberos relay & forwarder for MiTM attacks! >Relays Kerberos AP-REQ tickets >Manages multiple SMB consoles >Works on Win& Linux with .NET 8.0 >... GitHub: github.com/decoder-it/K...

Hello Bluesky 👋 We are an IT security company. Our team consists of like-minded hackers located in Germany and Switzerland. Our core areas of expertise are comprehensive technical security analyses, penetration tests and red teaming services. Want to learn more about us? Check: modzero.com/en/

During a #redteam at @modzero.bsky.social we discovered a limited but neat bypass for #printnightmare. I talked to @itm4n about it and he had an indepth look. Read about it here: itm4n.github.io/printnightma... #itsec