Blog

Richard Warren
09 Apr, 2026

Next, Next, SYSTEM: Exploiting NSIS installer bugs to escalate privileges in Zscaler Client Connector

Exploiting NSIS installer bugs to escalate privileges in Zscaler Client Connector

Richard Warren
24 Mar, 2026

Patch Bypass: Netskope Client for Windows - Local Privilege Escalation via Rogue Server

A bypass of the CVE-2025-0309 fix allowed enrolment to a rogue server via unauthenticated Netskope reverse-proxy routes.

Read Article

Delinea Protocol Handler - Return of the MSI: RCE via Custom Launcher

Summary Ok, so there’s no MSI this time but our last Delinea post was titled ‘MSI Strikes Back’ so we thought we’d stay on …

Read Article

Advisory - Check Point Harmony Local Privilege Escalation (CVE-2025-9142)

Check Point Harmony Local Privilege Escalation (CVE-2025-9142)

Read Article

Iain Smart
01 Sep, 2025
- Kubernetes

Breaking Boundaries - Kubernetes Namespaces and multi-tenancy

Footguns and privilege escalations making multi-tenancy difficult in Kubernetes clusters.

Read Article

Advisory - Netskope Client for Windows - Local Privilege Escalation via Rogue Server (CVE-2025-0309)

Never Trust, Always Verify - except when you have to trust the server isn’t malicious .. and install this CA certificate and MSI while …

Read Article

David Cash
20 Aug, 2025

Delinea Protocol Handler - MSI Strikes Back

Introduction Delinea’s custom URL handler allows the software’s update process to be triggered, downloading and running an MSI from an …

Read Article

Advisory - Netskope Cross-tenant Authentication Bypass

Read Article

Advisory - Zscaler SAML Authentication Bypass (CVE-2025-54982)

Advisory - Zscaler SAML Authentication Bypass (CVE-2025-549820)

Read Article

Gavin Holt
09 Aug, 2025

Breaking Into Your Network? Zer0 Effort. - DEF CON 33 Overview

Uncovering critical flaws in ZTNA solutions, allowing attackers to escalate privileges on end user devices and to completely bypass authentication, …

Read Article

Richard Warren
04 Aug, 2025

NachoVPN: Now With More VPN (And SYSTEM Shells) - Part 2 - Palo Alto GlobalProtect

Thought CVE-2024-5921 was fixed? Nacho problem! NachoVPN brings downgrade attacks to GlobalProtect.

Read Article

Richard Warren
29 Jul, 2025

NachoVPN: Now With More VPN (And SYSTEM Shells) - Part 1 - Ivanti Connect Secure

What’s better than logon scripts? SYSTEM shells. NachoVPN now abuses Ivanti remediation logic to load rogue DLLs over SMB and hijack Wow64 …

Read Article

Darren McDonald
04 Jun, 2025

ThinOS - Unencrypted Memory Dumps (CVE-2025-32752)

Full disk encryption that wasn’t.

Read Article

Reproducing CVE-2024-9042: Command Injection in Windows Kubernetes Nodes

Recreating a vulnerability in log streaming via the Kubelet on Windows nodes

Read Article

Delinea Protocol Handler - Remote Code Execution via Update Process (CVE-2024-12908)

The Delinea Protocol Handler suffers from a Remote Code Execution vulnerability in the sslauncher URL handler. This could be exploited by a malicious …

Read Article

Introducing NachoVPN: One VPN Server to Pwn Them All

Is Your Corporate VPN Client Providing Access to More Than Just Your Employees?

Read Article

Palo Alto GlobalProtect - RCE and Privilege Escalation via Malicious VPN Server (CVE-2024-5921)

Read Article

SonicWall NetExtender for Windows - RCE as SYSTEM via EPC Client Update (CVE-2024-29014)

Read Article

Ivanti Connect Secure - Authenticated RCE via OpenSSL CRLF Injection (CVE-2024-37404)

Today, we are releasing the details of CVE-2024-37404, a zero-day vulnerability in the Ivanti Connect Secure product. This vulnerability allows an …

Read Article

Skeleton Cookie: Breaking into Safeguard with CVE-2024-45488

Join us as we reveal how CVE-2024-45488 can let attackers gain access to your corporate password vault and uncover hidden secrets of Microsoft DPAPI.

Read Article

One Identity SafeGuard for Privileged Passwords - Authentication Bypass (CVE-2024-45488)

SafeGuard for Privileged Passwords (SPP) virtual appliance images contain a hard-coded cryptographic key (CWE-321). An attacker can exploit this key …

Read Article

AmberWolf Uncovers Critical Vulnerabilities in Cato Client

As part of a recent client engagement, we conducted a product assessment of the Cato Client. During this assessment, we discovered significant …

Read Article

Cato Client - Account Takeover Via Sensitive Log Data (CVE-2024-6977)

The Cato Client was found to store authentication data within the trace logs generated by the desktop client during SSO authentication.

Read Article

Cato Client - Local Privilege Escalation via OpenSSL Configuration File (CVE-2024-6975)

The OpenSSL implementation in the winvpnclient.cli.exe service executable is configured to load an openssl.cnf file from a location that does not …

Read Article

Cato Client - Local Privilege Escalation via Self-Upgrade (CVE-2024-6974)

The Cato Client was found to use an insecure temporary folder for downloading and processing updates.

Read Article

Cato SSO - Open Redirect Leading to Config Theft

The web service used during the Cato SSO authentication flow was found to contain an Open Redirect issue, which could allow a remote attacker to …

Read Article

Remote Code Execution via Crafted URLs (CVE-2024-6973)

The Cato Client suffers from a Remote Code Execution vulnerability which could be triggered via a URL handler, or via requests to the local webserver.

Read Article

Cato Client - Local Root Certificate Install as Low Privileged User (CVE-2024-6978)

The Cato Client allows a low-privileged, local user to install arbitrary Root CA Certificates in the computer’s certificate store.

Read Article