Lightnews — Scholar-powered news

Piotr Bazydło @chudypb.bsky.social · Sep 18

I've done small (but fun) .NET Framework research, and I found a new exploitation primitive (vulnerable behavior). In many cases, it may directly lead to RCE.

I'll discuss it during Black Hat EU and I'll drop a paper afterwards 🫡

www.blackhat.com/eu-25/briefi...

Black Hat

www.blackhat.com

2

Piotr Bazydło @chudypb.bsky.social · Aug 5

Research is fun. One month ago, I thought that I'll never again make a research as good as my .NET deserialization one.

Here I am today, writing a new whitepaper. You never know the day 😅

2

Piotr Bazydło @chudypb.bsky.social · Jun 17

My Sitecore CMS pre-auth RCE chain blog is public now. Enjoy 🫡

labs.watchtowr.com/is-b-for-bac...

Is b For Backdoor? Pre-Auth RCE Chain In Sitecore Experience Platform

Welcome to June! We’re back—this time, we're exploring Sitecore’s Experience Platform (XP), demonstrating a pre-auth RCE chain that we reported to Sitecore in February 2025. We’ve spent a bit of time...

labs.watchtowr.com

2

Piotr Bazydło @chudypb.bsky.social · May 15

I did my first 1daying ride with my friend Sonny. Enjoy🫡

Ivanti EPMM: CVE-2025-4427 and CVE-2025-4428 pre-auth RCE chain.

labs.watchtowr.com/expression-p...

Expression Payloads Meet Mayhem - Ivanti EPMM Unauth RCE Chain (CVE-2025-4427 and CVE-2025-4428)

Keeping your ears to the ground and eyes wide open for the latest vulnerability news at watchTowr is a given. Despite rummaging through enterprise code looking for 0days on a daily basis, our interest...

labs.watchtowr.com

1 4

Piotr Bazydło @chudypb.bsky.social · Mar 29

Some serious question about a larg-scale usage of AI in Vuln Research.

Aren't you afraid of missing some key datails by outsourcing huge tasks to AI? I am.

If you rely on a tool, you're as good as your tool. If AI screws in a huge project, you probably won't even notice that.

2

Piotr Bazydło @chudypb.bsky.social · Mar 28

😉

codewhitesec.bsky.social @codewhitesec.bsky.social · Mar 28

Our crew members @mwulftange.bsky.social & @frycos.bsky.social discovered & responsibly disclosed several new RCE gadgets that bypass #Veeam 's blacklist for CVE-2024-40711 & CVE-2025-23120 + further entry points after @sinsinology.bsky.social & @chudypb.bsky.social 's blog. Replace BinaryFormatter!

1

Piotr Bazydło @chudypb.bsky.social · Mar 20

It seems that our Veeam CVE-2025-23120 post is live.

I would never do this research without @SinSinology He insisted a lot, thx man. 😅

If you know CVE-2024-40711, this vuln can be patch-diffed and exploit armed in 5 minutes. Unfortunately, it's super simple.

labs.watchtowr.com/by-executive...

By Executive Order, We Are Banning Blacklists - Domain-Level RCE in Veeam Backup & Replication (CVE-2025-23120)

It’s us again! Once again, we hear the collective groans - but we're back and with yet another merciless pwnage of an inspired and clearly comprehensive RCE solution - no, wait, it's another vuln in ...

labs.watchtowr.com

7

Piotr Bazydło @chudypb.bsky.social · Mar 17

My first watchTowr post is out! It was my first take on a CMS solution and I was able to get some interesting pre-auth RCE chains on Kentico Xperience. 😎

labs.watchtowr.com/bypassing-au...

Bypassing Authentication Like It’s The ‘90s - Pre-Auth RCE Chain(s) in Kentico Xperience CMS

I recently joined watchTowr, and it is, therefore, time - time for my first watchTowr Labs blogpost, previously teased in a tweet of a pre-auth RCE chain affecting some ‘unknown software’. Joining th...

labs.watchtowr.com

3 7

Piotr Bazydło @chudypb.bsky.social · Feb 13

Great news: I got invited to Microsoft Zero Day Quest onsite event.

Bad news: It overlaps with my kid's estimated due date 😅

Happy hacking to all of you who's planning to go to Redmond 😎

2

Piotr Bazydło @chudypb.bsky.social · Jan 31

How long does it take for MITRE to reserve a CVE now?

I haven't done that for several years, and it seems that the wait time is much bigger nowadays 🤔

1

Piotr Bazydło @chudypb.bsky.social · Jan 28

I had a blast during my first month at watchTowr :)

2

Reposted by Piotr Bazydło

cfreal.bsky.social @cfreal.bsky.social · Jan 16

This year again, I am lucky enough to get nominated twice for the Top Ten Hacking Techniques, for my research on iconv and PHP, and lightyear. This time feels a bit special however, as these are my last blog posts on ambionics.
www.ambionics.io/blog/iconv-c...
www.ambionics.io/blog/lightye...

4 12

Piotr Bazydło @chudypb.bsky.social · Jan 15

I'm happy to be on the nominations list second year in the row! This time, it's with "Half Measures and Full Compromise: Exploiting Microsoft Exchange PowerShell Remoting" research and some nice RCE chains on Exchange:)

chudypb.github.io/exchange-powershell.html

3

Piotr Bazydło @chudypb.bsky.social · Jan 7

I'm happy to announce that I have recently joined watchTowr as a Principal Vulnerability Researcher. The break is over, it's time to do some new research 🫡

1 2 8

Piotr Bazydło @chudypb.bsky.social · Dec 28

Does anyone use 34" 21:9 screen?

Does it work for a setup with a VM on a half of the screen and browser/IDE on the second half?🤔

1 2

Piotr Bazydło @chudypb.bsky.social · Dec 20

After amazing (almost) 3 years, this is my last day at @thezdi.bsky.social. Huge thanks to the entire team, it was an honour to work with you folks!

New challenges and adventures are starting in 2025 :)

PS. Watch out for the ZDI blog, as several of my posts should appear there in 2025.

2

Piotr Bazydło @chudypb.bsky.social · Dec 19

[4/n] My Hexacon 2023 talk about .NET Deserialization. New gadgets, insecure serialization (RCE through serialization) and custom gadgets found in the products codebase.

Talk: www.youtube.com/watch?v=_CJm...

White paper: github.com/thezdi/prese...

HEXACON2023 - Exploiting Hardened .NET Deserialization by Piotr Bazydło

YouTube video by Hexacon

www.youtube.com

2 5

Piotr Bazydło @chudypb.bsky.social · Dec 19

[3/n] I've followed OffensiveCon talk with a series of 4 blog posts. The most interesting one describes a nice chain of 3 gadgets:
- Arbitrary File Write to drop DLL.
- Arbitrary FIle Read to leak DLL drop location
- DLL load gadget.

www.zerodayinitiative.com/blog/2024/9/...

Zero Day Initiative — Exploiting Exchange PowerShell After ProxyNotShell: Part 3 – DLL Loading Chain for RCE

As you may know, I recently presented my Exchange-related talk during OffensiveCon 2024. This series of 4 blog posts is meant to supplement the talk and provide additional technical details. In this...

www.zerodayinitiative.com

1 3

Piotr Bazydło @chudypb.bsky.social · Dec 19

[2/n] My OffensiveCon 2024 talk about Exchange PowerShell Remoting. It includes details concerning PowerShell Remoting deserialization and custom Exchange converters.

Several RCE chains included.

www.youtube.com/watch?v=AxNO...

OffensiveCon24 - Piotr Bazydlo - Half Measures and Full Compromise

YouTube video by OffensiveCon

www.youtube.com

1 2 3

Piotr Bazydło @chudypb.bsky.social · Dec 19

[1/n] I want to kick off my profile here a little bit, thus I'll post several fun projects that I've made last year.

Let's kick off with SharePoint XXE blog, which could be abused due to URL parsing confusion between SharePoint and .NET components:
www.zerodayinitiative.com/blog/2024/5/...

Zero Day Initiative — CVE-2024-30043: Abusing URL Parsing Confusion to Exploit XXE on SharePoint Server and Cloud

Yes, the title is right. This blog covers an XML eXternal Entity (XXE) injection vulnerability that I found in SharePoint. The bug was recently patched by Microsoft. In general, XXE vulnerabilities ar...

www.zerodayinitiative.com

2 4

Piotr Bazydło @chudypb.bsky.social · Dec 13

You can use it for the NTLM Relaying, but I guess the success depends on the AD environment etc :)

1 1

Piotr Bazydło @chudypb.bsky.social · Dec 12

I wrote a fun, little blog post. Remote pre-auth file deletion in SolarWinds ARM allowed to achieve LPE on AD machines 🙃

Trend Zero Day Initiative @thezdi.bsky.social · Dec 12

In his latest blog, @chudypb.bsky.social covers a pre-auth Arbitrary File Deletion bug he discovered in the SolarWinds Access Rights Manager (ARM). It may not sound exciting, but it can lead to an LPE on domain-joined Windows machines. Read the details at www.zerodayinitiative.com/blog/2024/12...

Zero Day Initiative — SolarWinds Access Rights Manager: One Vulnerability to LPE Them All

Some time ago, I spent some time researching a core SolarWinds product, SolarWinds Platform (previously Orion Platform). At that time, I hadn’t been aware of the SolarWinds Access Right Manager produc...

www.zerodayinitiative.com

1 6 9

Reposted by Piotr Bazydło

Stephen Fewer @stephenfewer.bsky.social · Dec 4

Rapid7 has disclosed the vulns from our exploit chain targeting the Lorex 2K Indoor Wi-Fi Security Camera, which we entered at this year's Pwn2Own Ireland. A 2 phase exploit, built upon 5 vulns - phase 1 is an auth bypass, whilst phase 2 is RCE. Disclosure, analysis and exploit here: t.co/J9VDwMDRsI

https://www.rapid7.com/blog/post/2024/12/03/lorex-2k-indoor-wi-fi-security-camera-multiple-vulnerabilities-fixed/

t.co

1 8 15

Piotr Bazydło @chudypb.bsky.social · Nov 29

Great post! BTW, thanks for the shout-out Steven :)

ϻг_ϻε @steven.srcincite.io · Nov 26

I just wrote a new blog post! This is how I (ab)used a jailed file write bug in Tomcat/Spring. Enjoy!

Remote Code Execution with Spring Properties :: srcincite.io/blog/2024/11...

Remote Code Execution with Spring Properties

Recently a past student came to me with a very interesting unauthenticated vulnerability in a Spring application that they were having a hard time exploiting...

srcincite.io

1 3