
exploits.club Weekly Newsletter 73 - AI Finds Bugs, MTE Bypasses, Old Jailbreaks, and More

We missed you guys last week....kinda. Annnnnnyways 👇

In Case You Missed It...

  • OffensiveCon 2025 Talks - Talks are out, and they are killer as always. Now you can at least watch them while you still have FOMO about missing out.
  • Pwn2Own Winner - Congrats to STAR Labs for taking Master of Pwn and $320,000!

Resources And Write-Ups From This Week:

  • How I used o3 to find CVE-2025-37899, a remote zeroday vulnerability in the Linux kernel’s SMB implementation - Well ladies and gentlemen...it's been a good run. Earlier this week, @seanhn dropped a Linux 0-day...that was found by AI. That's right, start saving your dollars for the unemployment line. Essentially, he set out to benchmark o3's ability to identify a relatively straightforward UAF in the SMB implementation. He gave the LLM some tools to generate context about the surrounding code, and then told it to find a UAF. Once it found the benchmark bug, he widened the scope a bit to see if it would still identify the bug...and this dropped the performance to 1 / 100 runs. So not good. But interestingly, it also started to identify a similar code pattern in a different handler - and that turned out to be a 0-day. So signal-to-noise isn't great, but getting closer...
  • Bypassing MTE with CVE-2025-0072 - Your favorite researcher's favorite researcher is back this week. That's right, @mmolgtm stopped by the GitHub Security Lab blog to talk about his recent Arm Mali GPU exploit, which required an MTE bypass. The post starts with a deep dive into a newer Mali feature, Command Stream Frontend (CSF). He talks about how these queues work and why they are dangerous, before getting into the bug he reported in December of 2024 - a page UAF. The post talks about exploitation (and includes full exploit code), before turning its attention to why MTE did not save the day. It turns out a few subtle misconfigs make this possible - namely, a Mali-specific custom memory pool and a direct user-space mapping inserted by the driver, which together keep MTE's checking mechanism from ever firing.
  • The last 0day jailbreak. - Be prepared to open this blog post and be blindsided when you realize May 23rd, 2020 was 5 years ago. Or the fact that that was the last time an iOS LPE dropped as a 0-day. This new story-time post from @s1guza walks through the tale of a bug which resulted from failed regression testing. Specifically, this was a re-introduction of LightSpeed, a bug that was disclosed by Synacktiv. The blog first takes a look at the original bug, and how it was exploited when it was first introduced. From there, the post moves to how it was exploited in 2020 on a beefier version of iOS across a range of different chipsets. It wraps up with conclusions (including a heroic effort from P0), and discusses how quickly the field changes - from exploitation in 2018 to the re-introduction in 2020 and now to all the new mitigations 5 years later.
  • Expression Payloads Meet Mayhem - Ivanti EPMM Unauth RCE Chain - The team at watchtowr decided to dig into two recently disclosed vulnerabilities in Ivanti's Enterprise Manager. The bugs in question were an auth bypass and an RCE, reported in the most recent Ivanti security advisory and allegedly used in the wild as a chain. The post first goes through the post-auth RCE, which resulted from an Expression Language injection. From there, they look at chaining it with the auth bypass. This vuln resulted from...well, just not checking authentication on the vulnerable RCE endpoint lol. The post wraps up with an exploit and some takeaways like...idk, enforce authentication and don't yolo arbitrary user args into evaluated expressions.
  • Pwn2Own Ireland 2024: Canon imageCLASS MF656Cdw - Neodyme took to their blog last week to talk about their SOHO Smashup entry in last year's Pwn2Own. The team targeted the QNAP router and the Canon printer, the latter being the main focus of this post. After an overview of the recon, firmware dumping, and the challenges of doing hardware research as a remote-first company, the blog gets into the nitty-gritty details of the vulnerability discovery. It takes a look at Canon's "DryOS" and eventually identifies a stack overflow in the EXIF parser. The post gives a brief overview of the file format and the way it is (incorrectly) parsed, before discussing the exploit. With an assist from ChatGPT, the team was able to write some shellcode that rendered an animation.

Interesting Job Postings:

Wrapping Up...

As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.

Follow us on X - we occasionally Tweet poor attempts at memes

Don't forget to check out https://bug.directory!

Your second brain - strictly for bugs

We sell mugs, and personally we have seen a drastic uptick in bugs since using ours. Get yours at https://shop.exploits.club.

Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx

Same time next week? See you then 🏴‍☠️