Pentest Chronicles

If you’re interested in the world of cybersecurity, the related technical issues, and what’s challenging right now, you’re in the right place! This part talks about IT security more broadly and has the latest information, tips, and advice.

Latest insight

CVE-2025-8890 Authenticated RCE in SDMC NE6037 router

Grzegorz Bronka

19 December, 2025

When testing connectivity of the SDMC NE6037 router inputting a quote character into the "ping" utility revealed an error indicating a Remote Code Execution (RCE) vulnerability. It is quite common to find RCE vulnerabilities in routers’ connectivity tools (such as ping or traceroute). The user-supplied parameters are passed without sanitization as a parameter to a shell command. This was confirmed to be the root cause in this instance.

READ article

Other articles

Extremaly quick AD takeover during Insider Threat audit

Jakub Żoczek

05 December, 2025

Insider Threat is a type of security test in which an auditor acts as a malicious employee and attempts to attack the organization from the inside. In this way, internal threats can be detected that the company might face in the event of an employee's workstation access being compromised, as well as the potential risk when the employee themselves has malicious intentions. The client provides a workstation configured identically to other employee workstations, as well as additional credentials that allow connection to email systems, the Intranet, or VPN. In other words - an artificial employee is created whose goal is to detect vulnerabilities, exfiltrate sensitive data, or - if possible - take control of the network or key servers.

READ article

Illustration of Hidden vulnerabilities with visible consequences – from enumeration, through Blind SQL Injection, to the database administrator

Hidden vulnerabilities with visible consequences – from enumeration, through Blind SQL Injection, to the database administrator

Patryk Bogdan

24 November, 2025

As security auditors, we daily encounter solutions whose exact structure or logic is unknown to us. Therefore, one of the first and fundamental steps in conducting a security audit is the process of gathering information about the solution being tested. In this case, the story concerns a web application.

READ article

How "simple" math can crash your app. Support for exponential number format leads to Denial of Service.

Kamil Szczurowski

14 November, 2025

During one of the audits, I noticed that some application accepted numbers in the exponential format (for example 5e10), however, all the fields were strongly typed – I couldn’t set any of the fields to a number higher than the Integer maximum value. Nevertheless, I kept that fact in my mind and continued to check other numerical fields with vast numbers that would exceed the integer limit. After some time, I finally found a field that did accept a number higher than integer, float or double, which meant that the variable type was BigInteger. Finding such variable type and a possibility to use exponential number format created a new vector for an attack – if application allows conducting any arithmetic equation, there is a chance to conduct a Denial of Service (DoS) attack.

READ article

How Secure Are Your Application Secrets? Another lesson from the last pentest

Mateusz Lewczak

07 November, 2025

What began as a harmless pair of JAR and JNLP files turned into a full path to remote code execution. Exposed configuration files, hardcoded DESede keys, and lenient APIs stacked up until every safeguard collapsed.

READ article

Breaking the TUI: From Client Quirks to Dual Local Privilege Escalation on AIX

Wiktor Szymanik

31 October, 2025

In a recent security assessment, I stumbled upon an interesting setup that, at first glance, looked like just another terminal emulator driving a TUI application. Further investigation led to an exploit that chained multiple steps and fully compromised the tested host. Before we dive into the chain itself, I'll briefly explain a few terms and concepts - important context for the rest of the article.

READ article

Even the best can be beaten bypassing EDRs with custom malware

Dominik Antończak

24 October, 2025

During one of the audits, I received an interesting task. The goal was to gain access to the systems responsible for backups and then, perform a ransomware simulation. During the audit, access was gained to only one of these systems, and this was since most of these machines were outside of the Active Directory (AD). Logging in, even with Domain Administrator (DA) privileges, was restricted, but having DA access allowed me to obtain the local admin password using LAPS, which gave me access to the HYPER-V-B machine. From there, I was able to log into HYPER-V-E (the target machine). Access to the rest (4 others) was not achieved.

READ article

From Source Files to Admin: Exploiting Hardcoded Credentials in a Web App

Krystian Działowy

16 October, 2025

This case perfectly reflects what we face every day in our work as pentesters. A host running a MariaDB database that required no authentication caught my attention during a recent network infrastructure test. This initial finding prompted me to investigate a web application on the same machine with intense focus.

READ article

Why You Should Review Your iOS Defense Mechanisms in 2025

Marcin Zięba

10 October, 2025

Recent security assessments revealed an ongoing problem with some iOS defense frameworks and in-house solutions: an over-reliance on checks designed for rootful jailbreaks. The mobile security landscape has fundamentally changed, and defenses must evolve accordingly. Starting with iOS 15 and iPadOS 15 Apple's Signed System Volume (SSV) was introduced to iOS and iPadOS. This feature cryptographically protects the system volume, ensuring its integrity by verifying every byte against an Apple-signed hash. Any unauthorized modification to the system volume is detected and blocked, which is a key reason for the shift to new, rootless jailbreak models on these systems.

READ article

Let the framework guard your JWT internals - but who is guarding the framework?

Marek Kaliszczyk

26 September, 2025

During a recent security assessment, we found a critical authentication bypass, which at the first glance looked like a classic Json Web Token (JWT) issue - no cryptographic signature verification and possibility to forge valid tokens as a result. A blackbox assessment would probably have called it a day and reported the issue as a lack of cryptographic signature verification, which would be a legitimate issue. However, since the assessment consisted of whitebox code review, it was possible to dive deeper into the application's logic.

READ article

Featured articles

Two new CVEs: FooGallery's WordPress plugin

Robert Kruczek

05 July 2024

During some happy hunting, I found two XSS vulnerabilities in the FooGallery WordPress plugin (version 2.4.14), which made 50k instances vulnerable on the day of discovery! These can allow attackers to execute malicious code and gain unauthorized access to administrative functionalities. Below is a detailed explanation of these vulnerabilities and how they can be exploited.

READ article

XSS in WordPress via open embed auto discovery

JAKUB ŻOCZEK

29 May 2023

Users often assume that known software is free of security flaws because it has been checked by a sufficient number of tools and security testers. However, this is not an assumption that a pentester or bug hunter can afford to make. Vulnerabilities may lurk in various places, and finding an interesting bug often requires patient searching.

READ article

A professional cybersecurity consultant ready to assist with your inquiry.

Any questions?