exploits.club Weekly Newsletter 78 - ITW Sandbox Escapes, RL For VR, WhatsApp Fuzzing, And More

If a 2-second angry shitpost drives this much newsletter engagement...well then all of you should be fearful for your timelines going forward. Annnnnnyways 👇
In Case You Missed It...
- New x64dbg Release - Support for bitfields, enums, and anonymous types. Oh my!
- RE//verse 2026 - Official con announcement for next year. This year's was a blast, so make sure to get it on your circuit if you haven't already.
Resources And Write-Ups From This Week:
- Reproducing a million-dollar bug: WhatsApp CVE-2019-11932 (with AFL & Frida) - A new post this week from @FuzzySec on the IBM X-Force blog. Specifically, he walks through the 2019 WhatsApp bug triggered by a malicious GIF, and demonstrates how it could have been discovered by an on-device fuzzer. The first part of the post is an RCA on the bug, identifying the double-free and explaining how it could be triggered. From there, the post moves to being a perfect guide for how to do on-device fuzzing. It starts with the RE required to get a better understanding of the native library, and then moves to creating a proper harness. The write-up concludes with some takeaways and an interesting finding on the vulnerable library's issues tab - a bug report filed nearly 3 years before the CVE...oops.
- Reinforcement Learning for Hacking? - Have you guys heard about LLMs and hacking?? It's the new rage. Spurred by some of the recent hype, @S1r1u5_ put together a great post this week about the challenges of applying reinforcement learning to security research. It goes deep into the thought process most VR professionals might use when trying to identify a 0day and theorizes why LLMs may fall short. Using V8 as an example, it explains the "recursive" knowledge graph required for understanding weird machines and identifying vulns, and maps that to the limitations of today's technology. However, don't think that means you have perfect job security just yet - he then goes on to discuss how models' reasoning could be improved going forward, realistically making them better at spotting bugs.
- SSD Advisory – ISPConfig Authenticated Remote Code Execution - Is a privesc from admin to superadmin a security boundary? Well, apparently ISPConfig is siding with Microsoft on this one and saying "no". In a recent post, the SSD Disclosure team discusses a bug found by a researcher and disclosed to the ISPConfig team that would allow an authenticated user to escalate their privs because of some improper input validation. Essentially, the server has two validations that resemble that "cheeto-in-the-lock" meme, and a remote user can escalate to admin and then again to super admin (given a few assumptions about the configuration). After that, the user can inject PHP into the language file, achieving full RCE.
- Google CTF 2025 Quals Writeup - Google CTF concluded last week, and @mystiz613 released his official write-ups for the two crypto challenges he authored. The first, "Underhanded", includes a hidden backdoor in a Python AES implementation. That is about the only intelligent thing we can say about the challenge, because crypto makes us feel like idiots. But, basically...you can leak a key and we should have been more attentive in math. As for the second challenge, Merkurated...well yep, it's more crypto with symbols that give us wartime flashbacks...anyways.
- Hexagon fuzz: Full-system emulated fuzzing of Qualcomm basebands - A new open-source toolchain for full-system emulated Hexagon firmware fuzzing? Yeah, that sounds sweet. That's what Security Research Labs released as part of their most recent blog and corresponding talk at TROOPERS25. The write-up starts with some of the previous work in the baseband domain over the last few years, and some of the notable gaps that have arisen around Hexagon, the fully-custom architecture leveraged by Qualcomm. The team was able to find a Hexagon QEMU branch and get it integrated into LibAFL. From there, they created a fully coverage-guided fuzzer by using Rust-based hooks for control flow modification. The post includes an architecture diagram of the tooling, as well as a TODO list of next steps to continuously improve it.
- ITW 0-day Google Chrome Sandbox Escape - A nice little ITW sandbox escape and write-up in the Chromium issues dashboard this week from the team over at Kaspersky. This specific exploit was part of a 1-click chain, and while the investigation for the other components is still ongoing, the write-up walks through the RCA of the sandbox escape. After a bit of reversing of the captured DLL, the team identified that an initialization function is run, and then the chrome.dll is parsed and necessary gadgets / addresses are collected. Then it sends a crafted RelayMessage with ID 0x69 (nice), having hooked one of the handling functions to listen for it. When it arrives, it reads the pointer value from the included WrappedPlatformHandle, and gets a Windows OS HANDLE like magic.
Interesting Job Postings:
- Software Engineer III, V8 Security @ Google (On-Site: Munich, Germany)
- Senior Browser Vulnerability Researcher @ Interrupt Labs (Remote: Australia)
- Jr Security Researcher @ Rapid 7 (On-Site: Prague, Prague, Czechia)
- Vulnerability Researcher @ Check Point Software (Remote: Europe)
- Cyber-Physical Systems Reverse Engineer @ Kudu Dynamics LLC (On-Site: Chantilly, VA)
Wrapping Up...
As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.
Follow us on X - we occasionally Tweet poor attempts at memes
Want to support us? Buy us a coffee ☕️
Don't forget to check out https://bug.directory!

Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx
Same time next week? See you then 🏴☠️
