
exploits.club Weekly Newsletter 82 - Synology Decryption, AI Thought Traces, FortiWeb Auth bypasses, And More

We hope everyone enjoyed Hacker Summer Camp (and that the drinking and partying made it through as a business expense). Annnnnyways 👇

In Case You Missed It...

Resources And Write-Ups From This Week:

  • Extraction of Synology Encrypted Archives - As we gear up for another year of Pwn2Own Mobile, the team at Synacktiv decided now might be the perfect time to kickstart your research and provide a bit of inspiration. This week, they released details of their initial recon and research into the BeeStation NAS from Synology, specifically how they extracted and decrypted its encrypted archives. The post starts with some recon on the encrypted PAT archive downloaded from the Synology website. After unpacking that with Patology, the team found another archive containing a collection of .spk packages. They tracked down the library responsible for extracting .spk files and started reversing it, then walk through pulling out the needed key, working out the header deserialization, and finally putting together a script to decrypt the entries. At the end, they diff the current (decrypted) version against the Pwn2Own version they exploited, showing the clear pre-auth command injection that has since been patched.
  • Inside the brain of a hacking robot: Exploring traces - Those of you who are a bit less tapped in (or who occasionally touch grass) may have missed the AIxCC final announcement last week, where Theori took 3rd place overall. This week, they took to their blog to walk through some of the interesting "thought" traces their agent produced while assessing various targets. The post starts with an OOB read and write in SQLite, talks at a high level about the agent configuration the team used, and shows how those agents performed at identifying the bugs. It links out to all the logs from the run, including the agent system and user messages, the total cost of the run, every tool call, and the reasoning displayed by the agent. The rest of the post follows the same format, walking through FreeRDP, Nginx, Apache Tika, and Apache Tomcat. It includes traces of the agent finding the intended (injected) bugs, as well as a few unintended 0days.
  • Exploiting Retbleed in the real world - The team at Google has been thinking about how to make Retbleed practical for 3 years, and this week they showed us how it's done. In this new post on the Bug Hunters site, the team walks through the background on the speculative execution bug for those who need a quick primer: pipelined architectures, branching, speculative execution, and finally the specifics of Spectre V1 and Spectre V2. From there, the post turns to Retbleed exploitation. The team uses a microarchitectural side channel to bypass KASLR, trains the branch predictor using mmap, and then performs speculative ROP to reach a disclosure gadget, leaking data through a cache covert channel. Most impressively, the exploit leaks at 13 KB/s, fast enough for practical attacks such as listing the running processes on the host or stealing sensitive data.
  • FortMajeure: Authentication Bypass in FortiWeb (CVE-2025-52970) - Look, we didn't want to brag before...but we are actually mods in @0x_shaq's Bug Driven Development X group (which you all should join). This week, he dropped a new post on everyone's favorite target, FortiWeb, and most impressively, he turned a blind OOB read into a full auth bypass. The OOB read comes from improper parsing of the session cookie on the server: the attacker can push the Era parameter out of range so the key lookup reads uninitialized memory, and the resulting zeroed key is then used for both the encryption and the HMAC signing of the cookie, which the attacker can therefore forge. Pretty sweet.
  • Uncovering memory corruption in NVIDIA Triton (as a new hire) - You ever have a routine onboarding exercise turn into unexpected bugs? Yeah...us neither. Will Vandervanter, on the other hand, was just doing a bit of shadowing and static analysis practice when he ended up finding two memory corruption bugs in NVIDIA Triton. This new post from ToB walks through how he started with Semgrep and identified an interesting use of the alloca function in the HTTP server code (http_server), shoutout to the 0xdea ruleset. After triaging the use and identifying that it could, in fact, be dangerous if HTTP chunked transfer encoding was used, he dug into a more thorough source-to-sink analysis. After figuring out the proper path and the parameters that had to be configured, he was able to reliably cause a segfault and disclose it to NVIDIA. We'd say that's a pretty good first month of work.
  • WHY 2025 - From WAN to NAS: A Pwn2Own Journey Through the SOHO Attack Surface - Haven't had the time to watch yet, but c'mon...it's a 47-minute video about the SOHO Smashup, so it has to be good.
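
The FortMajeure bug above boils down to a single missing bounds check, so here is an added toy model of that pattern in C. This is our own illustration, not FortiWeb's code or cookie format: the field names, the two-entry key table, the XOR "cipher" and the keyed-FNV "MAC" are all stand-ins. The point carries over to the real AES+HMAC, since the defect is that an out-of-range Era selects a key the attacker can predict, not anything about the primitives.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEY_LEN       16u
#define NUM_KEYS      2u   /* a small fixed set of Eras; two is enough to show the bug */
#define MAX_PAYLOAD   64u
#define SIM_ZERO_KEYS 8u   /* how much zero-filled "neighbouring memory" the model provides */

/* Key table followed by a zeroed region that stands in for the memory the
 * out-of-bounds read lands on (constructed; the real neighbour is whatever
 * the process keeps next to the table). */
static uint8_t key_memory[(NUM_KEYS + SIM_ZERO_KEYS) * KEY_LEN];

static void init_keys(void) {
    static int done;
    if (done) return;
    memset(key_memory, 0, sizeof key_memory);
    memset(key_memory, 0x11, KEY_LEN);            /* Era 0 key (constructed) */
    memset(key_memory + KEY_LEN, 0x22, KEY_LEN);  /* Era 1 key (constructed) */
    done = 1;
}

/* Vulnerable lookup: Era is trusted and turned straight into an offset.
 * Anything from NUM_KEYS up reads past the table (the model only backs that
 * with zeros for era < NUM_KEYS + SIM_ZERO_KEYS). */
const uint8_t *key_for_era_unchecked(unsigned era) {
    init_keys();
    return key_memory + (size_t)era * KEY_LEN;
}

/* Hardened lookup: only Eras that name a real key are accepted. */
const uint8_t *key_for_era_checked(unsigned era) {
    init_keys();
    return era < NUM_KEYS ? key_memory + (size_t)era * KEY_LEN : NULL;
}

/* Toy keyed MAC: FNV-1a over key || era || ciphertext.  Stand-in for HMAC. */
uint64_t toy_mac(const uint8_t *key, unsigned era, const uint8_t *ct, size_t n) {
    uint64_t h = 0xcbf29ce484222325ull;
    for (size_t i = 0; i < KEY_LEN; i++) { h ^= key[i]; h *= 0x100000001b3ull; }
    for (int i = 0; i < 4; i++)          { h ^= (era >> (8 * i)) & 0xffu; h *= 0x100000001b3ull; }
    for (size_t i = 0; i < n; i++)       { h ^= ct[i]; h *= 0x100000001b3ull; }
    return h;
}

/* Toy cipher: XOR with the repeating key.  Stand-in for the real block cipher. */
void toy_xor(const uint8_t *key, uint8_t *buf, size_t n) {
    for (size_t i = 0; i < n; i++) buf[i] ^= key[i % KEY_LEN];
}

typedef struct {
    unsigned era;              /* which key the server should use */
    uint8_t  ct[MAX_PAYLOAD];  /* encrypted session data */
    size_t   ct_len;
    uint64_t tag;              /* MAC over era || ct */
} cookie_t;

/* Build a cookie the way the server (or anyone holding the key) would. */
cookie_t seal_cookie(const uint8_t *key, unsigned era, const char *payload) {
    cookie_t c;
    memset(&c, 0, sizeof c);
    c.era = era;
    c.ct_len = strlen(payload);
    if (c.ct_len > MAX_PAYLOAD) c.ct_len = MAX_PAYLOAD;
    memcpy(c.ct, payload, c.ct_len);
    toy_xor(key, c.ct, c.ct_len);
    c.tag = toy_mac(key, era, c.ct, c.ct_len);
    return c;
}

/* Server side: select the key by Era, verify the MAC, then decrypt.
 * Returns 1 and writes the NUL-terminated plaintext to out, or 0 on rejection. */
int open_cookie(const cookie_t *c, const uint8_t *(*lookup)(unsigned),
                char *out, size_t out_len) {
    const uint8_t *key = lookup(c->era);
    if (!key || c->ct_len >= out_len) return 0;
    if (toy_mac(key, c->era, c->ct, c->ct_len) != c->tag) return 0;
    memcpy(out, c->ct, c->ct_len);
    toy_xor(key, (uint8_t *)out, c->ct_len);
    out[c->ct_len] = '\0';
    return 1;
}

/* Attacker side: no key material at all, just an Era past the table and the
 * all-zero key the out-of-bounds read is going to hand the server. */
cookie_t forge_admin_cookie(void) {
    static const uint8_t zero_key[KEY_LEN] = {0};
    return seal_cookie(zero_key, 5, "user=admin");
}

int main(void) {
    char out[MAX_PAYLOAD + 1];
    cookie_t forged = forge_admin_cookie();
    printf("unchecked lookup: %s\n", open_cookie(&forged, key_for_era_unchecked, out, sizeof out) ? out : "rejected");
    printf("checked lookup:   %s\n", open_cookie(&forged, key_for_era_checked, out, sizeof out) ? out : "rejected");
    return 0;
}
```

Run it and the forged Era 5 cookie opens as `user=admin` against `key_for_era_unchecked`, is rejected by `key_for_era_checked`, and a legitimate Era 1 cookie works against both. The simulated zero region only covers Era values below 10; in the real target the OOB read lands on whatever the process keeps next to the key table, which is exactly why the fix is the range check and not a bigger table.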

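The Triton finding above is the classic alloca-with-attacker-controlled-size pattern, so here is an added C sketch of it (our own example, not Triton's code; the real source-to-sink path is whatever the ToB post traces): a chunk-size line from HTTP chunked transfer encoding parsed into a size_t and handed straight to alloca, beside a bounded version. Only the chunk-header syntax is real HTTP/1.1; MAX_STACK_CHUNK and the helper names are made up.

```c
#include <alloca.h>
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Largest chunk we are willing to stage on the stack (made-up bound). */
#define MAX_STACK_CHUNK 4096u

/* Parse the hex size from an HTTP/1.1 chunk header such as "1f;ext=1\r\n".
 * Returns 0 and sets *out on success, -1 on a malformed line or size_t overflow. */
int parse_chunk_size(const char *line, size_t *out) {
    size_t n = 0;
    int digits = 0;
    for (; *line && *line != ';' && *line != '\r' && *line != '\n'; line++) {
        int v;
        if (*line >= '0' && *line <= '9')      v = *line - '0';
        else if (*line >= 'a' && *line <= 'f') v = *line - 'a' + 10;
        else if (*line >= 'A' && *line <= 'F') v = *line - 'A' + 10;
        else return -1;
        if (n > (SIZE_MAX >> 4)) return -1;        /* next shift would overflow */
        n = (n << 4) | (size_t)v;
        digits++;
    }
    if (!digits) return -1;
    *out = n;
    return 0;
}

/* Vulnerable pattern: the peer's chunk size goes straight into alloca.  A
 * header like "7fffffff\r\n" moves the stack pointer ~2 GB, past the guard
 * page, and the first memcpy write faults (the segfault described above).
 * Only call this with small, trusted input; it exists to show the sink. */
size_t copy_chunk_alloca(const char *chunk_line, const char *body, char *dst, size_t dst_len) {
    size_t chunk = 0;
    if (parse_chunk_size(chunk_line, &chunk) != 0) return 0;
    char *tmp = alloca(chunk);                     /* <-- unbounded alloca sink */
    memcpy(tmp, body, chunk);
    size_t n = chunk < dst_len ? chunk : dst_len;
    memcpy(dst, tmp, n);
    return n;
}

/* Hardened: validate the size against what the caller actually has, keep only
 * small chunks on the stack and spill anything larger to the heap.
 * Returns 0 on success or a negative errno value. */
int copy_chunk_bounded(const char *chunk_line, const char *body, size_t body_len,
                       char *dst, size_t dst_len, size_t *copied) {
    size_t chunk = 0;
    if (parse_chunk_size(chunk_line, &chunk) != 0) return -EINVAL;
    if (chunk > body_len || chunk > dst_len) return -EMSGSIZE;
    char stack_buf[MAX_STACK_CHUNK];
    char *tmp = stack_buf;
    if (chunk > MAX_STACK_CHUNK) {
        tmp = malloc(chunk);
        if (!tmp) return -ENOMEM;
    }
    memcpy(tmp, body, chunk);
    memcpy(dst, tmp, chunk);
    if (tmp != stack_buf) free(tmp);
    *copied = chunk;
    return 0;
}

int main(void) {
    char dst[64];
    size_t copied = 0, hostile = 0;
    copy_chunk_bounded("5\r\n", "hello world", 11, dst, sizeof dst, &copied);
    printf("bounded copy: %zu bytes -> %.5s\n", copied, dst);
    parse_chunk_size("7fffffff\r\n", &hostile);
    printf("hostile header parses to %zu bytes; bounded path returns %d\n",
           hostile, copy_chunk_bounded("7fffffff\r\n", "x", 1, dst, sizeof dst, &copied));
    return 0;
}
```

The thing to notice is that `parse_chunk_size` is perfectly correct and still feeds the bug: the hostile header parses cleanly to 0x7fffffff, and nothing between the parser and `alloca` asks whether that number is reasonable. That gap between a well-formed value and a safe one is what the Semgrep rule is pointing at, and the source-to-sink work is confirming that no check exists along the way.
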
Interesting Job Postings:

Wrapping Up:

As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.

Follow us on X - we occasionally Tweet poor attempts at memes

Want to support us? Buy us a coffee ☕️

Don't forget to check out https://bug.directory!

Your second brain - strictly for bugs

Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx

Same time next week? See you then 🏴‍☠️