Pentest Chronicles

If you’re interested in the world of cybersecurity, the related technical issues, and what’s challenging right now, you’re in the right place! This part talks about IT security more broadly and has the latest information, tips, and advice.

Latest insight

CVE-2025-8890 Authenticated RCE in SDMC NE6037 router

Grzegorz Bronka

19 December, 2025

When testing connectivity of the SDMC NE6037 router inputting a quote character into the "ping" utility revealed an error indicating a Remote Code Execution (RCE) vulnerability. It is quite common to find RCE vulnerabilities in routers’ connectivity tools (such as ping or traceroute). The user-supplied parameters are passed without sanitization as a parameter to a shell command. This was confirmed to be the root cause in this instance.

READ article

Other articles

Password Recovery Flow – Flowing Straight Into Attackers' Hands

Sebastian Jeż

12 September, 2025

Password recovery mechanisms are one of the most crucial security components in any modern web application. A secure "Forgot Password" process ensures that users can recover access to their accounts without exposing themselves to unnecessary risks. OWASP's Forgot Password Cheat Sheet does a great job of outlining best practices for building safe and resilient recovery flows.

READ article

How to extract certificates and private keys from iOS Keychain

Marcin Zięba

05 September, 2025

The iOS Keychain is Apple's secure storage mechanism designed to keep sensitive information safe, such as passwords, encryption keys, and certificates. Unlike application-level storage, the Keychain benefits from hardware-backed protection provided by the Secure Enclave and the system's sandboxing model. This makes it the preferred method for iOS applications to store critical credentials that must persist between launches while remaining inaccessible to other apps. From a security assessment perspective, understanding how client certificates and private keys are stored in the Keychain is crucial, particularly since these assets often play a key role in authentication flows with backend services. Mismanagement or insufficient protections - especially regarding the application's resilience - can provide attackers with opportunities on compromised devices.

READ article

Low entropy of password reset token leads to account takeover

Kamil Szczurowski

22 August, 2025

During a recent security audit, something related to password reset functionality caught my attention. It appealed that password reset tokens generated for a given account in the same second were always the same. Such behaviour suggested that password reset token is generated from a few factors, but only one of them – time wasn't static.

READ article

Zero Auth to Admin: Exploiting Known Vulnerabilites in Real World Pen Tetsts

Krystian Działowy

08 August, 2025

During an internal penetration test, I identified an unpatched MikroTik RouterOS device vulnerable to CVE-2018-14847. By exploiting this flaw in the Winbox service, I was able to extract administrator credentials without authentication and subsequently gained full read/write access via FTP and Winbox GUI. This vulnerability is particularly dangerous due to its low complexity and high impact - it allows complete device takeover with just network access to the Winbox service.

READ article

Filter Injection via Microsoft Graph API in a Custom Application: From Verbose Errors to Account Takeover

Grzegorz Bronka

01 August, 2025

During a recent security assessment, it was identified that a client web application integrating Microsoft Entra through the Microsoft Graph API was vulnerable to a novel form of filter injection. This flaw originated in the password reset functionality, where user-supplied input was incorporated directly into Graph API queries without adequate sanitization or validation. Exploiting this weakness allowed bypassing password reset token validation, ultimately enabling unauthorized password resets for arbitrary user accounts. This article details the discovery process and demonstrates practical payloads used to exploit the issue.

READ article

Using Malicious Discord Apps to Access User Data Through OAuth2 Permission Grants

Martin Matyja

25 July, 2025

During a recent red team campaign, we discovered an unusual method of tricking users into potentially malicious activity. One of our client's domains had been forgotten and was still pointing to an IP address owned by a VPS provider. Someone else gained control of that IP by deploying their own VPS instance. As a result, they were able to perform a classic subdomain takeover attack and host their own content on the client's subdomain.

READ article

MAC Spoofing Made Easy: Lessons in LAN and Physical Security from a Real Pentest

Krystian Działowy

20 July, 2025

During a penetration test for one of our clients, we were tasked with analyzing the risk of unauthorized endpoint access to the internal network, specifically checking whether an untrusted device could connect without prior authorization. We tested exactly that scenario, walking into an open conference room and connecting a laptop using a random MAC address. Although the device received a DHCP lease, access to internal resources was blocked and EDR registered the connection attempt. However, the story didn't end there.

READ article

XXE using J4LFOPServer leading to Remote Code Execution

Jakub Żoczek

13 July, 2025

While testing the LAN infrastructure of one of our clients I discovered that one of the applications is handling XML input which led to finding critical vulnerabilities. By allowing the definition of custom entities within XML input better known as XML External Entity (XXE) the application exposed itself to a range of serious threats, including local file disclosure, external network interactions resulting in NTLMv2 hash leakage, and most notably, Remote Code Execution through the use of XSLT templates.

READ article

Wipe and Rise: How Deleting Folder on Windows Enables LPE

Mateusz Lewczak

11 July, 2025

Time-of-check-to-time-of-use (TOCTOU) race conditions have plagued Windows software for decades, yet they still surface in modern code. During a recent audit of TestedAPP we uncovered a textbook example: the application's background service first checks whether a cache directory exists and, milliseconds later, deletes it without re-validating the path. Because every non-privileged user can create files and folders inside the application tree, an attacker can win the race, swap the legitimate directory for an NTFS mount point, and redirect the deletion to any location on the system drive.

READ article

Featured articles

Two new CVEs: FooGallery's WordPress plugin

Robert Kruczek

05 July 2024

During some happy hunting, I found two XSS vulnerabilities in the FooGallery WordPress plugin (version 2.4.14), which made 50k instances vulnerable on the day of discovery! These can allow attackers to execute malicious code and gain unauthorized access to administrative functionalities. Below is a detailed explanation of these vulnerabilities and how they can be exploited.

READ article

XSS in WordPress via open embed auto discovery

JAKUB ŻOCZEK

29 May 2023

Users often assume that known software is free of security flaws because it has been checked by a sufficient number of tools and security testers. However, this is not an assumption that a pentester or bug hunter can afford to make. Vulnerabilities may lurk in various places, and finding an interesting bug often requires patient searching.

READ article

A professional cybersecurity consultant ready to assist with your inquiry.

Any questions?