
exploits.club Weekly Newsletter 64 - Xbox Reversing, Multiplayer Game Bugs, Linux LPEs, and More


Yes, yes I know, we are a day late. And I can hear you from here..."Well tl;dr sec never comes out late, it's always on time." And to that we say: @clintgibler gets paid for that shit, so count your blessings. Annnnnnyways 👇

In Case You Missed It...

  • tmp.out 4 is out! - check it out, check it out! This just dropped, so we didn't have time to include any goodies from it in this newsletter, but we will have them next week.
  • Phrack CFP extended - June 15th...get them in!!
  • DefCon Call For...Everything - Most of these close May 1st, so be sure to get papers, demos, and workshops in soon.

Resources And Write-Ups From This Week:

  • SSD Advisory – Linux kernel hfsplus slab-out-of-bounds Write - We got a new Linux LPE write-up earlier this week from an independent researcher working with SSD-Disclosure. Similar to the other write-ups SSD has put out, this one starts with a technical overview and a root cause analysis. This bug resides in the HFS+ driver, and has been present since 2005 (!!). The OOB write manifests due to some improper error handling, but interestingly has not been fuzzed out previously despite its pretty extensive coverage. The post then transitions into exploitability, taking a look at the constraints and the overall strategy. This includes some nice diagrams and is overall a great walkthrough for modern kernel exploit dev. Best of all, it rounds out with the full exploit code for a more thorough review.
  • Building an electric vehicle simulator to research EVSEs - Show me a vuln researcher who doesn't love a good simulator dev project, and I'll show you a liar. This new post is sure to get the tooling people in the audience excited, as it takes a look at REing an electric car charger by simulating various EV states. The team lists the parts they used to build the simulator, and give a brief overview of how it was assembled. The result was compliant with the J1772 standard, and thus allowed for simulation of different states via different resistor configurations. Pretty cool.
  • Bypassing Authentication Like It's The '90s - Pre-Auth RCE Chain(s) in Kentico Xperience CMS - Chaining bugs together seems to be a part of Watchtowr's DNA. This week, they returned to their labs blog to discuss 3 bugs they found in the Kentico Xperience CMS which allowed for pre-auth RCE. With a goal of looking at a new target that is popular in the enterprise application space, the team quickly settled on the Xperience CMS, and started reversing the C# application. This led to the discovery of 2 auth bypasses and a post-auth RCE. While these vulnerabilities are not a part of the default configuration (as they target the "Sync" service), they are still high impact and the post is well written and approachable.
  • STAR Labs Windows Exploitation Challenge 2025 Writeup - STAR Labs publishes quite a few of their own Windows bugs, so it's only right that they would be the ones to build a fun Windows exploitation challenge. The new write-up on their website is a guest post by the person who was able to solve it and score themselves a free ticket to the Off-By-One Conference. The challenge centers around a vulnerable kernel driver, and the blog starts with a brief overview of all the relevant structures and functionality. From there, it transitions to a root cause analysis of the bug itself, a sneaky race condition that leads to a UAF on the non-paged pool. Exploitation for this was based on some research from vp77, which is cited and adjusted to solve the challenge.
  • Exploiting Neverwinter Nights - We have, and always will be, suckers for a good multiplayer video game bug. And throughout the last few years, Synaktiv has certainly demonstrated some fun research in that domain. A few weeks back (we are a bit late) they added to their catalog, finding two vulnerabilities in Neverwinter nights and writing an exploit. The post starts with a brief lab set-up and an analysis of the potential multiplayer attack surface via Wireshark. From there, it walks through a remotely reachable overflow. After a quick crash PoC, it then digs into bypassing ASLR with a second bug, pivoting the stack, and landing an exploit. There is a sweet demo video as well.
  • RE//verse 2025: Full-stack Reverse Engineering of the Original Microsoft Xbox - We don't want to brag (unless of course...we do), but we caught this talk live and in-person. Now if you weren't as cool/lucky as us, you should definitely give the recording a watch. While the premise focuses specifically on the Xbox, @gaasedelen does an excellent job positioning the talk at low-level security engineers who are interested in learning more about hardware. It is both approachable and insightful - all the while reflecting on Markus's personal journey with this project that netted over 4000 hours across 3 years.
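A small added illustration of the J1772 "states via resistor configurations" idea mentioned in the EV simulator item above. This is our own example, not code from the linked post or the team's simulator: it models the control-pilot circuit as the EVSE's nominal 1 kΩ source resistance feeding a vehicle-side resistor (the nominal J1772 values of 2.74 kΩ, 882 Ω and 246 Ω for states B, C and D are taken from the standard; the 1 kΩ source value and the "nearest nominal voltage" classification rule are simplifying assumptions) and also converts a pilot PWM duty cycle into the advertised current limit using the standard's two-segment formula.

```python
"""Toy J1772 control-pilot model: which resistor the 'vehicle' presents
decides which state the EVSE sees. Added example, not the post's own code."""

# Nominal vehicle-side resistors from J1772 (ohms). State A = no vehicle (open).
STATE_RESISTORS = {"B": 2740.0, "C": 882.0, "D": 246.0}

# Nominal positive pilot voltage the EVSE expects for each state.
STATE_VOLTAGES = {"A": 12.0, "B": 9.0, "C": 6.0, "D": 3.0, "E": 0.0}

# Assumption: the EVSE drives +/-12 V through a 1 kOhm series resistor.
SOURCE_VOLTAGE = 12.0
SOURCE_RESISTANCE = 1000.0


def pilot_voltage(r_vehicle):
    """Positive-half pilot voltage seen by the EVSE for a vehicle resistor.

    None models an open circuit (no vehicle connected). The vehicle side
    contains a diode, so only the positive half of the PWM is loaded.
    """
    if r_vehicle is None:
        return SOURCE_VOLTAGE
    if r_vehicle <= 0:
        return 0.0  # short to ground: state E (error)
    return SOURCE_VOLTAGE * r_vehicle / (r_vehicle + SOURCE_RESISTANCE)


def classify_state(r_vehicle):
    """Map a vehicle resistor to the J1772 state the EVSE would infer.

    Classification by nearest nominal voltage is a simplification; the
    real spec defines tolerance windows around each nominal value.
    """
    v = pilot_voltage(r_vehicle)
    return min(STATE_VOLTAGES, key=lambda s: abs(STATE_VOLTAGES[s] - v))


def duty_to_amps(duty_percent):
    """Advertised max current (A) for a pilot PWM duty cycle, per J1772.

    10%..85%  -> amps = duty * 0.6
    85%..96%  -> amps = (duty - 64) * 2.5
    Anything outside 10..96 carries no valid current advertisement.
    """
    if duty_percent < 10 or duty_percent > 96:
        return None
    if duty_percent <= 85:
        return duty_percent * 0.6
    return (duty_percent - 64) * 2.5


if __name__ == "__main__":
    # Walk the simulator through the connect/charge sequence.
    for label, r in [("open", None), ("B", STATE_RESISTORS["B"]),
                     ("C", STATE_RESISTORS["C"]), ("D", STATE_RESISTORS["D"]),
                     ("short", 0.0)]:
        print(f"{label:>5}: {pilot_voltage(r):5.2f} V -> state {classify_state(r)}")
    for duty in (10, 50, 85, 90, 96):
        print(f"duty {duty:>2}% -> {duty_to_amps(duty)} A")
```

Swapping the resistor value is exactly what a hardware simulator does when it "changes state", so the same function doubles as a sanity check that a chosen resistor lands inside the state you intended rather than on a boundary.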

Interesting Job Postings:

Wrapping Up...

As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.

Follow us on X - we occasionally Tweet poor attempts at memes

Don't forget to check out https://bug.directory!

Your second brain - strictly for bugs

We sell mugs, and personally we have seen a drastic uptick in bugs since using ours. Get yours on at https://shop.exploits.club.

Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx

Same time next week? See you then 🏴‍☠️