Pentest Chronicles

If you’re interested in the world of cybersecurity, the related technical issues, and what’s challenging right now, you’re in the right place! This part talks about IT security more broadly and has the latest information, tips, and advice.

Other articles

How a simple vulnerability allowed proxying TCP traffic - real pentest case

Dariusz Tytko

During a penetration test for our client, it was discovered that the turn.example.com server, which is part of the tested application infrastructure, is vulnerable. This flaw allows for proxying TCP traffic through the server, enabling attacks on any host on the internet. Additionally, attackers could gain access to internal systems and their configurations, potentially compromising the entire infrastructure.

Exploiting PDF generation vulnerability: a case study from real pentest

SECURITUM

In a recent penetration test conducted by [Your Security Company], we identified a critical vulnerability within a web application that allowed unauthorized access to sensitive resources. This flaw permits an attacker to access both local server files and data on other servers within the same network. The vulnerability stems from improper handling of user-input data, presenting a severe security risk.

Password reset flaw: when anyone can reset your password

Sebastian Jeż

During rigorous testing, security researchers uncovered a significant weakness in the password reset mechanisms used by numerous online platforms. By exploiting the seemingly harmless phone number field, an attacker can compromise a victim's account. The vulnerability lies in the mishandling of a four-digit code, which, instead of being sent solely to the owner's phone, is also included in the server's response. This oversight turns a seemingly harmless feature into a gateway for hackers to infiltrate users' digital lives.

How a simple lack of SMS code verification can compromise financial security

Securitum

During audits, it's crucial to check all possible attack vectors, even the seemingly obvious functionalities. This diligence led us to discover, during one of our web application audits, that the server does not verify the correctness of the SMS code used by applicants during the credit request process, either at the start or at the final document signing stage. In short: a credit application without any verification.
