Skip to main content

Pentest Chronicles

If you’re interested in the world of cybersecurity, the related technical issues, and what’s challenging right now, you’re in the right place! This part talks about IT security more broadly and has the latest information, tips, and advice.
Illustration of Pentest Chronicles

Latest insight

Illustration of CVE-2025-8890 Authenticated RCE in SDMC NE6037 router

CVE-2025-8890 Authenticated RCE in SDMC NE6037 router

Grzegorz Bronka

When testing connectivity of the SDMC NE6037 router inputting a quote character into the "ping" utility revealed an error indicating a Remote Code Execution (RCE) vulnerability. It is quite common to find RCE vulnerabilities in routers’ connectivity tools (such as ping or traceroute). The user-supplied parameters are passed without sanitization as a parameter to a shell command. This was confirmed to be the root cause in this instance.

READ article

Other articles

Illustration of Hacking the invisible: A deep dive into Sub-GHz communication and flaws in the devices we use every day

Hacking the invisible: A deep dive into Sub-GHz communication and flaws in the devices we use every day

MATEUSZ KOWALCZYK

In our modern world, remote control technology is an ever-present part of daily life. This includes everything from the key fobs in our pockets to the remote controls on our coffee tables. But what lies behind the magic of these devices? In this article, we delve into the world of Sub-GHz communication, a technology in remote control systems, particularly those used for controlling entrance gates or garage doors

READ article
Illustration of Beyond fingerprints: Discussing the challenges of behavioral biometrics security

Beyond fingerprints: Discussing the challenges of behavioral biometrics security

MATEUSZ LEWCZAK

Behavioral biometrics is an increasingly common element of the security of our bank accounts. It considers the way we type on a keyboard, move a mouse, use audio/video equipment, and even how we hold our phone. As it turns out, each of us performs these activities in a different way, and although these are small differences, with the use of Machine Learning, we are able to assess whether banking operations are performed by the account owner.

READ article
Illustration of Mobile Device Security in today's enterprise landscape: A comprehensive approach

Mobile Device Security in today's enterprise landscape: A comprehensive approach

Michał Wnękowicz

The evolving challenge at a time when mobile devices are commonplace in corporate environments, concerns about their security have increased. For both corporate and Bring Your Own Device (BYOD) devices, the challenge of maintaining strong security is significant. What's more, as mobile applications become more sophisticated, their potential security vulnerabilities are becoming a concern for cybersecurity teams.

READ article
Illustration of The risks of over-logging: a case study on application takeover

The risks of over-logging: a case study on application takeover

Securitum

Logs are often seen as a wall of text, filled with information that seems unimportant until a significant problem arises. Yet, have you ever thought about the security risks hidden within those walls of text, particularly when they include sensitive details like usernames and passwords? It's a common belief that only trustworthy individuals, such as administrators, access these logs, but not considering the potential security implications can be a dangerous oversight.

READ article
Illustration of Unveiling hidden data: a log file's security breach

Unveiling hidden data: a log file's security breach

ROBERT KRUCZEK

Unveiling hidden data during 2023 pentest: how a misplaced log file can compromise 2FA security. Conducting penetration tests requires the use of existing solutions that significantly facilitate the work. For web applications, it is valuable to recognize the structure of directories or find files of interest. For this purpose, we can use applications such as: ffuf, dirbuster, gobuster. During the discussed test, I used the ffuf tool with a basic dictionary available publicly: https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/common.txt

READ article
Illustration of Attacking Artificial Intelligence - 3 common ways

Attacking Artificial Intelligence - 3 common ways

Tomasz Turba

Large Language Models (LLM) like ChatGPT, Bing and Bard can be attacked by threat actors. These AI systems could be vulnerable to attacks where threat actors can manipulate the prompt in order to alter their behavior to serve a malicious purpose. As AI components are further integrated into society's critical systems, their potential vulnerabilities could significantly impact the security of both companies and entire countries.

READ article
Illustration of Demystifying Prototype Pollution and its link to DOM XSS

Demystifying Prototype Pollution and its link to DOM XSS

Kalina Zielonka

JavaScript, the backbone of many web applications today, brings with it flexibility and potential. At the core of its architecture, every element we interact with is essentially an object, each with its own unique properties and methods. The Role of Prototypes in JavaScript Prototypes allow JS to share attributes or properties between different objects. Every object in JS has a prototype object associated with it, which gives that object its own properties. In other words, an object in JS inherits all the properties of its prototype.

READ article
A professional cybersecurity consultant ready to assist with your inquiry.

Any questions?

Happy to get a call or email
and help!

Contact Us